[Closed] mysterious start-up and slowness

20 replies to this topic

#1 DennisT

DennisT

    New Member

  • Authentic Member
  • 11 posts

Posted 04 November 2009 - 08:47 PM

When I log in as me (user name Dennis, which is the current user for the included log), something opens c:\windows\system32 when I log in. I tried logging in using another account and it does not happen.

I also notice slowness with a lot of disk activity. I know what most of the entries in my start-up sequence are, but not all of them. I thought maybe my virus scanner had been infected, but I removed it and had the same behavior. (I re-installed it prior to running HijackThis.) I have more RAM than my 32-bit flavor of XP can use, and a Phenom quad core @ 2.5 GHz.

Any ideas?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:56 PM, on 11/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Array Networks\Common\8,4,0,68\arr_isrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
C:\Program Files\Array Networks\Array SSL VPN\8,4,0,68\arr_srvs.exe
C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe
C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\AMD\RAIDXpert\_jvm\bin\java.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tenable\Nessus\nessusd.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Dennis\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
C:\Program Files\pwsafe\pwsafe.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series] /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Password Safe.lnk = C:\Program Files\pwsafe\pwsafe.exe
O4 - Global Startup: AVer HID Receiver.lnk = C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
O4 - Global Startup: AVerQuick.lnk = C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.aka...vex-2.2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1234797562472
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1234799011030
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://tpasslvpnv1....lhost/arr_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B30B7B2F-E2EA-429E-9224-7192E171D8F6}: NameServer = 10.64.128.59,10.64.88.38
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AMD RAIDXpert (AMDRAIDXpert) - Unknown owner - C:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
O23 - Service: Array SSL VPN Service 8,4,0,68 (ArraySSL_VPN_Service8.4.0.68) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,4,0,68\arr_srvs.exe
O23 - Service: Array Utility Service 8,4,0,68 (Array_Utility_Service8.4.0.68) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,4,0,68\arr_isrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVerRemote - AVerMedia - C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe
O23 - Service: AVerScheduleService - Unknown owner - C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\Program Files\Tenable\Nessus\nessusd.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10399 bytes


#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 07 November 2009 - 05:27 AM

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 DennisT

DennisT

    New Member

  • Authentic Member
  • 11 posts

Posted 11 November 2009 - 08:55 PM

I have been unsuccessful with running GMER. My PC always locks up before it finishes. I've tried uninstalling several things hoping it could make it through if there was less to scan, but after several days now I thought I would send what I have. It's beginning to look a lot like re-install time again. Here is DDS:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Dennis at 16:45:41.21 on Sun 11/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2470 [GMT -5:00]
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
(KB969898) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Spybot - Search & Destroy Talk to Me TaxCut Basic + Efile 2008 TEG-PCITXR 32bit Gigabit PCI Adatper TeLL me More Tenable Nessus Toxic Biohazard Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 8 (KB969497) Update for Windows Internet Explorer 8 (KB971930) Update for Windows Internet Explorer 8 (KB976749) Update for Windows XP (KB943729) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973815) Visual Studio .NET Professional 2003 - English Visual Studio.NET Baseline - English WebFldrs XP Windows 7 Upgrade Advisor Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0) Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Internet Explorer 7 Windows Internet Explorer 8 Windows Live Sign-in Assistant Windows Media Format 11 runtime Windows Media Player 11 Windows PowerShell™ 1.0 Windows PowerShell™ 1.0 MUI pack Windows XP Service Pack 3 ==== Event Viewer Messages From Past Week ======== 11/8/2009 4:29:59 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. 
The error was: A socket operation was attempted to an unreachable host. (0x80072751) 11/6/2009 8:02:49 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PPCtlPriv service to connect. 11/6/2009 8:02:49 AM, error: Service Control Manager [7000] - The PPCtlPriv service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 11/6/2009 8:02:49 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service PPCtlPriv with arguments "" in order to run the server: {F974178A-A284-440A-BEFC-5B0D11BCDB68} 11/6/2009 11:52:06 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect. 11/6/2009 11:52:06 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 11/6/2009 11:50:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Tenable Nessus service to connect. 11/6/2009 11:50:37 PM, error: Service Control Manager [7000] - The Tenable Nessus service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 11/4/2009 7:43:11 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. . 11/4/2009 7:43:11 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL. Reference error message: The operation completed successfully. . 
11/4/2009 7:43:11 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system. 11/4/2009 7:14:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the CA Pest Patrol Realtime Protection Service service to connect. 11/4/2009 7:14:42 PM, error: Service Control Manager [7000] - The CA Pest Patrol Realtime Protection Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 11/3/2009 8:26:11 PM, error: TermDD [50] - The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client. 11/3/2009 7:45:44 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the CaCCProvSP service to connect. 11/3/2009 7:45:44 AM, error: Service Control Manager [7000] - The CaCCProvSP service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 11/3/2009 7:45:44 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF} 11/2/2009 5:49:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the CAISafe service to connect. 11/2/2009 5:49:21 PM, error: Service Control Manager [7001] - The VET Message Service service depends on the CAISafe service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion. 11/2/2009 5:49:21 PM, error: Service Control Manager [7000] - The CAISafe service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 
11/1/2009 6:24:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Image Acquisition (WIA) service to connect. 11/1/2009 6:24:52 PM, error: Service Control Manager [7001] - The Canon Camera Access Library 8 service depends on the Windows Image Acquisition (WIA) service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion. 11/1/2009 6:24:52 PM, error: Service Control Manager [7000] - The Windows Image Acquisition (WIA) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. ==== End Of File ===========================

#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 11 November 2009 - 09:04 PM

Hi,

Please do the following:

Download Combofix from either of the links below. You must rename it to combo.com before saving it.
Save it to your desktop. Change the save as file type to "all files"

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 DennisT

DennisT

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 12 November 2009 - 09:54 PM

OK, now that I figured out how to attach files, that should make this easier. I found that logging in as another user with admin privileges I was able to do what you had asked before. GMER worked, and I also ran the ComboFix. Both logs are attached. I am a bit of a novice at interpreting these logs, so it was not clear if they found anything important. At this point, I suspect corruption in my profile, which I can correct if that is all it is. If there is malware there, I obviously want to remove it. I did notice some comments about my MBR. It may look a bit corrupt because it is put there by GRUB to dual boot Linux with Windows XP. Some of this later data is not consistent with the earlier reports because I have uninstalled several unnecessary programs in an effort to make it easier to recognize what does not belong. One day I will get smart enough to produce a signature of all start-up programs that I can update when new things are to be installed. :-(

Attached Files



#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 November 2009 - 06:21 AM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#7 DennisT

DennisT

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 14 November 2009 - 07:03 AM

The stuff Kaspersky found on the R drive is probably affecting my son's computer. This is just a backup of his. I will take care of that. Is there any way to find out more details about the bad stuff that Kaspersky identified? Malwarebytes did not find anything.

Malwarebytes' Anti-Malware 1.41
Database version: 3166
Windows 5.1.2600 Service Pack 3

11/13/2009 6:43:28 PM
mbam-log-2009-11-13 (18-43-28).txt

Scan type: Quick Scan
Objects scanned: 108630
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files



#8 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 14 November 2009 - 07:47 AM

Hi,

Please do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Documents and Settings\Dennis\My Documents\Downloads\freeripmp3.exe"



The other items found are in your Outlook Express email accounts. Unfortunately there is no way of identifying which emails are infected. You need to use your best judgement. If nothing is that important, then delete them all and empty the trash bin. Or delete anything from anyone you don't know or that has attachments.

Please post a fresh DDS and Attach.txt and advise how your computer is running now and if there are any outstanding issues.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#9 DennisT

DennisT

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 14 November 2009 - 01:51 PM

Requested reports are attached. I still have something opening up my windows folder onto the desktop when I log in as me, but not when I log in as an alternate user. I am beginning to think there is just some kind of corruption in my profile. The windows file system scanned OK, and I believe I defragmented not too long ago. The other user seems to run somewhat normally. I was already wanting to upgrade to a 64 bit OS anyway, so maybe I'll do that. I can handle the infected email OK. I have my suspicions, and need to purge old email. Since it is in an old copy of my inbox, I can tell that it is over a year old. The EXE that was there might not have ever been installed. I think I downloaded it, and then figured out I did not want to install it. Thanks for all your support. I usually do all my own work for things like this and for friends as well, but this one stumped me. I need to research some of the tools you directed me to so I have more tactics. I've used House Call, Malware Bytes, Spybot, and a few others, but was unaware that Kaspersky was available as an on-line tool. I may end up using their installed product instead of the CA provided by my ISP.

Attached Files



#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 14 November 2009 - 03:06 PM

Hi,

Let's see if we can find what is causing the issue.

Log onto your profile and please do the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
    
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#11 DennisT

DennisT

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 14 November 2009 - 04:26 PM

The only key below that I am not able to identify is this:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

------------------

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:20 on 14/11/2009 by Dennis (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"=""C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe""
"Adobe Reader Speed Launcher"=""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe""
"CAVRID"=""C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe""
"cctray"=""C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe""
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200""
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe"
"RTHDCPL"="RTHDCPL.EXE"
"SunJavaUpdateSched"=""C:\Program Files\Java\jre6\bin\jusched.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"EPSON Stylus Photo R200 Series"=" /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU""
"Google Update"=""C:\Documents and Settings\Dennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c"
"MSMSGS"=""C:\Program Files\Messenger\msmsgs.exe" /background"

-=End Of File=-

#12 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 14 November 2009 - 04:35 PM

Hi,

That ctfmon file is fine, related to MSOffice

There's nothing that could be causing the issue there, so I will need to research it a bit more...are you able to describe exactly what window opens? Is it a windows Explorer window or some other file?

Please do the following:

Go to Start > Control Panel > Add/Remove Programs

a list of installed programs will populate

please locate the following programs and select REMOVE


Java DB 10.4.1.3
Java™ SE Development Kit 6 Update 11


(make sure you leave Java version 6 update 17 in place as that is the latest version)

NEXT please advise what you have in your start up folders:

Please navigate to the following locations and let me know what's there:


C:\Documents and Settings\All Users\Start Menu\Programs\Startup

and Current User is located in

C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
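The two checks CatByte asks for in posts #10 and #12 (the HKLM/HKCU Run keys via SystemLook, then the All Users and per-user Startup folders) can be done in one pass with a script. The following is an added example, not code posted in this thread or part of SystemLook; it assumes Windows PowerShell 2.0 or later and reads the machine's Startup folder paths from the Explorer "Shell Folders" registry values so the same script works on the XP layout and on later ones. Beyond simply listing entries, it applies the check a practitioner would want here: it parses each Run value the way the shell does and flags values that are blank, that begin with a switch rather than a program, or whose target file no longer exists. A blank or malformed Run value is a documented cause of Windows opening an Explorer window (typically system32) at logon, and the HKCU value in post #11 whose data starts with " /P30" is exactly the kind of entry this flags.

```powershell
# Added example, not code posted in this thread. Lists the autostart
# locations checked above (HKLM/HKCU Run keys and both Startup folders) and
# flags entries with no program at the front of the command line or whose
# target no longer exists. Assumes Windows PowerShell 2.0 or later.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# The Explorer "Shell Folders" values give this machine's real Startup paths,
# so the same check works on the XP layout and on later ones.
$shellFolders = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startupFolders = @(
    (Get-ItemProperty -Path "HKCU:\$shellFolders").'Startup',
    (Get-ItemProperty -Path "HKLM:\$shellFolders").'Common Startup'
)

# Extract the program from a Run value the way the shell does. Returns $null
# when the data begins with a switch or is otherwise not a program reference.
function Get-ExecutablePath([string]$command) {
    $cmd = $command.Trim()
    if ($cmd.Length -eq 0) { return $null }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted "C:\Program Files\x.exe /q": try successively longer
    # space-delimited prefixes until one names an existing file.
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Length; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if ($candidate -match '"') { break }
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    # A bare name such as RTHDCPL.EXE is legal and resolves through PATH.
    if ($tokens[0] -match '\.(exe|com|bat|cmd|scr|pif)$') { return $tokens[0] }
    return $null
}

function Test-ExecutableExists([string]$path) {
    if (-not $path) { return $false }
    if (Test-Path -LiteralPath $path) { return $true }
    return [bool](Get-Command $path -ErrorAction SilentlyContinue)
}

function Get-RunKeyReport {
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            $exe = Get-ExecutablePath $command
            if ($command.Trim().Length -eq 0) {
                # A blank Run value is a documented cause of an Explorer
                # window (usually system32) opening at logon.
                $status = 'BLANK VALUE'
            } elseif ($exe -eq $null) {
                $status = 'NO PROGRAM BEFORE ARGUMENTS'
            } elseif (-not (Test-ExecutableExists $exe)) {
                $status = "TARGET MISSING: $exe"
            } else {
                $status = 'ok'
            }
            New-Object PSObject -Property @{
                Location = $keyPath; Name = $name; Command = $command; Status = $status
            }
        }
    }
}

function Get-StartupFolderReport {
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($folder in $startupFolders) {
        if (-not ($folder -and (Test-Path -LiteralPath $folder))) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $folder -Force) {
            if ($file.PSIsContainer) { continue }
            $target = $null
            if ($file.Extension -eq '.lnk') {
                $target = $wsh.CreateShortcut($file.FullName).TargetPath
            }
            if ($file.Name -eq 'desktop.ini') { $status = 'ok (folder metadata, not run)' }
            elseif ($target -eq $null) { $status = 'NOT A SHORTCUT: file itself is opened at logon' }
            elseif (Test-ExecutableExists $target) { $status = 'ok' }
            else { $status = "TARGET MISSING: $target" }
            New-Object PSObject -Property @{
                Location = $folder; Name = $file.Name; Command = $target; Status = $status
            }
        }
    }
}

Get-RunKeyReport | Format-Table -AutoSize Location, Name, Status, Command
Get-StartupFolderReport | Format-Table -AutoSize Location, Name, Status, Command
```

Run it while logged on as the affected user, as CatByte asks in post #10: HKCU and the per-user Startup folder belong to whichever profile is logged on, and a symptom that appears for one account but not another points at exactly those per-user locations. Anything reported as `BLANK VALUE`, `NO PROGRAM BEFORE ARGUMENTS` or `TARGET MISSING` is worth explaining before it is dismissed, even when the value name looks like a known product.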


#13 DennisT

DennisT

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 15 November 2009 - 04:38 PM

Hi,

That ctfmon file is fine, related to MSOffice

There's nothing that could be causing the issue there, so I will need to research it a bit more...are you able to describe exactly what window opens? Is it a windows Explorer window or some other file?

Please do the following:

Go to Start > Control Panel > Add/Remove Programs

a list of installed programs will populate

please locate the following programs and select REMOVE


Java DB 10.4.1.3
Java™ SE Development Kit 6 Update 11


(make sure you leave Java version 6 update 17 in place as that is the latest version)

NEXT please advise what you have in your start up folders:

Please navigate to the following locations and let me know what's there:


C:\Documents and Settings\All Users\Start Menu\Programs\Startup

and Current User is located in

C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup


==========

I had already removed my NetBeans that had installed the older version of the Java Development Kit. After I removed the remainder of the Java Development Kit, I rebooted and attempted to log back in. Now, I can only get safe mode; otherwise my screen is stuck perpetually with the Windows logo--the one with the scrolling dots in a rotating progress bar of sorts. (Not really a progress bar, but I don't know what else to call it.) Below is the list of things in my start-up folders. I looked there long before I caved in and contacted you. Both items from my personal folder are well known to me, and have been in use for a long time. Fortunately, I made a full system image of my boot drive before starting down this path, so I have not lost anything. I am presuming I will be able to copy and back up my email before I reload. I've not made up my mind whether to just reformat now, or reload my backup and monitor what happens when I only use an alternative user. I may also install to a different disk first and restore the old one, and scan it while it has no files open. However, I really think it was just some kind of corruption rather than an active virus. Even the threats found were in old email and an installer file that I don't think ever got run. (I could be wrong about that, but if it was run, it was a couple of months before symptoms developed.)

Thanks for all your effort on this one, but unless you have a real good trick to pull now, I think I should stop taking your time. One thing you could do for me is point me at places I could study this stuff and learn more. I am a professional developer with 35 years of experience with both hardware and software, but my time has been spent writing friendly software, not malware, nor software to detect malware. Also, it has been mostly for embedded systems, and not on Windows.

The window that opened was in fact a Windows Explorer window. Using regedit, I examined all the run keys I could find, and nothing that I could see should have been opening the folder for me. My irritation with Windows and its registry is that it is nearly impossible to know what really belongs there. I've seen some things I was certain had to be bad, only to find out they were legitimate. :-(

Here is the listing you requested.

C:\Documents and Settings\Dennis\Start Menu\Programs\Startup>dir /a
Volume in drive C is XPBoot
Volume Serial Number is F417-AFA0

Directory of C:\Documents and Settings\Dennis\Start Menu\Programs\Startup

04/20/2009 08:31 PM <DIR> .
04/20/2009 08:31 PM <DIR> ..
02/16/2009 06:58 PM 988 Adobe Gamma.lnk
02/16/2009 09:58 AM 84 desktop.ini
04/20/2009 08:31 PM 630 Password Safe.lnk
3 File(s) 1,702 bytes
2 Dir(s) 117,718,904,832 bytes free

C:\Documents and Settings\Dennis\Start Menu\Programs\Startup>type desktop.ini
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

--- Note, the contents of desktop .ini are identical here and in my alternative user account.

C:\Documents and Settings\Dennis\Start Menu\Programs\Startup>
C:\Documents and Settings\Dennis\Start Menu\Programs\Startup>
C:\Documents and Settings\Dennis\Start Menu\Programs\Startup>dir/a "\Documents and Settings\All Users\Start Menu\Programs\Startup"
Volume in drive C is XPBoot
Volume Serial Number is F417-AFA0

Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Startup

11/10/2009 10:05 PM <DIR> .
11/10/2009 10:05 PM <DIR> ..
02/16/2009 09:58 AM 84 desktop.ini
02/28/2009 08:06 PM 1,736 Microsoft Office.lnk
2 File(s) 1,820 bytes
2 Dir(s) 117,718,904,832 bytes free

C:\Documents and Settings\Dennis\Start Menu\Programs\Startup>

#14 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 15 November 2009 - 09:11 PM

Hi, when you tap into safe mode, arrow up to Last Known Good Configuration and choose it. Hopefully Windows will load normally. If it doesn't load normally with Last Known Good Configuration, then log into the menu screen for safe mode again and choose to do a system restore to the most recent restore point available. This restore point will have been set by ComboFix.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#15 DennisT

DennisT

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 16 November 2009 - 11:10 AM

Will try the restore point after I get back home. I already know that the "last known" does not work. If that does not work, I will restore it to the point before I started trying to fix it. Then use my alternate administrative user to scan it. Maybe that will find something.
