Found trojans; not sure if system is clean

Solved
By rda
Dec 5, 2011
    Hello. Thank you for considering my issue.

    I first noticed extra "flashing" of my desktop icons, and then I noticed Explorer (not IE) hanging and sometimes crashing. As I looked into that, I noted that Explorer.exe was trying to make network connections.

    I had used Prevx, but after some problems with it interacting badly with other legitimate software, I had removed it. After noting these problems, I tried to install AVG and Zonealarm. I had problems trying to install them, and then trying to remove them, but I think I got rid of them after some hours.

    I came across this site, and set out to do the 5 steps. I installed Avira. It came up with several alerts about trojans, which I asked it to fix (hoping that wasn't against the instructions), and then it said I needed to do a scan from the boot CD because of a hidden object. I made an Avira boot CD on another computer, and used it to do a long scan. It reported 5 infections and renamed the files involved. One of them was afd.sys, which caused networking to break until I figured out what was going on and got a correct copy of that file.

    I notice that two of the files renamed by the boot CD were in a directory that I cannot see from Windows.

    While running Malwarebytes, Avira gave another alert and denied access to an .exe file named with two long numbers separated by a colon. I had noticed processes named like this showing up in the task list sometimes, running under SYSTEM.

    So, that's the background. Here are the log files. I hope you can help me determine if I still have an infection or not.

    Thank you!

    Step 2:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8316

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/5/2011 7:08:58 AM
    mbam-log-2011-12-05 (07-08-58).txt

    Scan type: Quick scan
    Objects scanned: 206825
    Time elapsed: 23 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent.Gen) -> Value: Shell -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ==============================================

    Step 3:
    gmer.log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-12-05 07:22:17
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19 WDC_WD3000GLFS-01F8U0 rev.03.03V01
    Running: 3pgzbyrr.exe; Driver: C:\DOCUME~1\Rich\LOCALS~1\Temp\ugtdrpow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)

    ---- EOF - GMER 1.0.15 ----



    Step 4:
    ==============================================

    DDS.txt:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Run by Rich at 7:29:00 on 2011-12-05
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2888 [GMT -8:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\DU Meter4\DUMeterSvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Macro Express3\MacExp.exe
    C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\PROGRA~1\DU Meter4\DUMeter.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
    C:\Program Files\Macro Express3\macedit.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\eHome\ehmsas.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = https://www.google.com/calendar/render?sourceid=navclient&ie=UTF-8&gsessionid=OK
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [DU Meter] c:\program files\du meter4\DUMeter.exe
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
    StartupFolder: c:\docume~1\rich\startm~1\programs\startup\karen'~1.lnk - c:\program files\karen's power tools\replicator\PTReplicator.exe
    StartupFolder: c:\docume~1\rich\startm~1\programs\startup\wallpa~1.lnk - c:\program files\wallpapertoy\Wallpapertoy.Exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\macroe~1.lnk - c:\program files\macro express3\MacExp.exe
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
    Trusted Zone: adobe.com
    Trusted Zone: dr-amy.com
    Trusted Zone: dyndns.org\wvfcpao
    Trusted Zone: eset.com
    Trusted Zone: intuit.com
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: safeway.com\shop
    Trusted Zone: turbotax.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
    DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://71.129.8.190:81/kxhcm10.ocx
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://63.197.105.163/activex/AxisCamControl.cab
    DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} - hxxp://76.193.221.170/program/SonySncRz25View.cab
    DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
    DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://66.242.36.104/app/view22RTE.cab
    DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://upload.smugmug.com/photos/activex/XUpload.ocx
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{73E93CA6-409A-44A0-BB28-49FCDF7B909C} : DhcpNameServer = 192.168.1.1
    Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    AppInit_DLLs: acaptuser32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 192.168.1.104 HP0018715D273B
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\rich\application data\mozilla\firefox\profiles\r8vbe3iw.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://dr-amy.com
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-12-8 32008]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-4 36000]
    R1 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
    R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-12-8 76696]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-4 86224]
    R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-4 110032]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-12-4 74640]
    R2 DUMeterSvc;DU Meter Service;c:\program files\du meter4\DUMeterSvc.exe [2010-9-18 1411616]
    R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-11-9 1248256]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-12-1 119656]
    S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    S3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [2011-5-17 816672]
    S3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\du meter4\DUM_XP32.sys [2010-9-18 16424]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-11-26 14336]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
    .
    =============== Created Last 30 ================
    .
    2011-12-05 14:37:55 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-05 14:37:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-05 04:57:00 -------- d-----w- C:\ERDNT
    2011-12-05 03:40:11 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-12-05 03:40:11 138112 -c--a-w- c:\windows\system32\dllcache\afd.sys
    2011-12-04 17:01:51 -------- d-----w- c:\documents and settings\rich\application data\Avira
    2011-12-04 16:57:19 -------- d-----w- c:\windows\system32\NtmsData
    2011-12-04 16:48:38 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-12-04 16:48:38 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-12-04 16:48:37 -------- d-----w- c:\program files\Avira
    2011-12-04 16:48:37 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-12-04 16:31:52 -------- d-----w- c:\documents and settings\rich\application data\CheckPoint
    2011-12-04 16:31:19 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
    2011-12-04 05:24:47 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-12-04 03:35:05 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-12-03 23:52:30 -------- d-----w- c:\documents and settings\rich\application data\AVG2012
    2011-12-03 22:39:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-12-03 22:39:46 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2011-12-03 22:26:10 -------- d-sh--w- c:\documents and settings\rich\local settings\application data\a77dc65d
    2011-12-02 23:18:25 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-12-02 23:18:25 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-12-02 23:18:25 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-12-02 23:18:25 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-12-02 23:18:25 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-12-02 23:18:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-12-02 23:18:24 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-12-02 23:18:24 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-12-01 22:24:21 -------- d-----w- c:\program files\iPod
    2011-12-01 22:24:00 -------- d-----w- c:\program files\iTunes
    2011-12-01 19:47:08 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-12-01 19:46:41 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-12-01 19:46:41 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-12-01 14:50:32 876136 ----a-w- c:\windows\system32\nvhdagenco3220102.dll
    2011-12-01 14:50:32 26216 ----a-w- c:\windows\system32\nvhdap32.dll
    2011-12-01 14:50:32 119656 ----a-w- c:\windows\system32\drivers\nvhda32.sys
    2011-11-30 20:06:19 -------- d-----w- c:\windows\Logs
    2011-11-30 19:59:47 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
    2011-11-30 19:59:47 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
    2011-11-30 19:59:47 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2011-11-30 19:59:47 4980736 ----a-w- c:\windows\system32\nvcuda.dll
    2011-11-30 19:59:47 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-11-30 19:59:47 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-11-30 19:59:47 1958400 ----a-w- c:\windows\system32\nvapi.dll
    2011-11-30 19:59:47 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
    2011-11-30 19:59:47 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
    .
    ==================== Find3M ====================
    .
    2011-12-04 00:13:33 149904 ----a-w- c:\windows\system32\nvsvc32.exe
    2011-12-02 03:10:55 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2011-11-14 20:01:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    .
    ============= FINISH: 7:29:57.93 ===============

    Attach.txt:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/19/2007 12:03:39 AM
    System Uptime: 12/5/2011 7:26:18 AM (0 hours ago)
    .
    Motherboard: Intel Corporation | | DG965WH
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1864/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 274 GiB total, 38.633 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is FIXED (NTFS) - 1863 GiB total, 344.773 GiB free.
    G: is Removable
    H: is Removable
    I: is Removable
    K: is Removable
    N: is FIXED (NTFS) - 1863 GiB total, 1258.315 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description:
    Device ID: ACPI\AWY0001\4&12686F5B&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\AWY0001\4&12686F5B&0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP1: 12/4/2011 7:08:52 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    Acrobat.com
    Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
    Adobe Acrobat 9.4.6 - CPSID_83708
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Help Center 2.1
    Adobe Photoshop Elements 5.0
    Adobe Photoshop Elements 8.0
    Adobe Photoshop Lightroom 3.2
    Adobe Photoshop.com Inspiration Browser
    Adobe Premiere Elements 8.0
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira Free Antivirus
    AviSynth 2.5
    Bonjour
    BreezeBrowser Pro
    BufferChm
    Canon Utilities Digital Photo Professional 3.7
    Canon Utilities EOS Utility
    Canon Utilities Original Data Security Tools
    Canon Utilities PhotoStitch
    Canon Utilities Picture Style Editor
    CASSiPalm
    CDDRV_Installer
    Compatibility Pack for the 2007 Office system
    Copy
    CP_AtenaShokunin1Config
    cp_dwShrek2Albums1
    cp_dwShrek2Cards1
    CreativeProjects
    CreativeProjectsTemplates
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    DENTRIX G2
    DENTRIX G2 Required Components
    Destinations
    Diamond G1000 Trainer v6.01
    Director
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    DocProc
    DocumentViewer
    Downloader Pro
    DU Meter
    Evernote
    Falcon 4.0: Allied Force
    FLV Player 2.0 (build 25)
    Free Video to iPhone Converter version 2.1
    FreeUndelete
    GameSpy Arcade
    getPlus(R) for Adobe
    Google Earth
    Google Earth Plug-in
    Google SketchUp 8
    Google Toolbar for Firefox
    Google Toolbar for Internet Explorer
    Google Update Helper
    Graphing Calculator
    HandBrake 0.9.5
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Image Zone 4.7
    HP Officejet Pro 8500 A910 Basic Device Software
    HP Officejet Pro 8500 A910 Help
    HP Software Update
    HPSystemDiagnostics
    I.R.I.S. OCR
    InstantShare
    Intel Audio Studio 2.0
    Intel(R) Matrix Storage Manager
    Intel(R) PRO Network Connections Drivers
    ISO Recorder
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 23
    JDownloader
    Karen's Replicator
    KhalInstallWrapper
    LightScribe 1.4.89.1
    Logitech Harmony Remote Software 7
    Logitech SetPoint
    Macro Express 3
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 1.0 Hotfix (KB2572066)
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Halo
    Microsoft IntelliType Pro 6.3
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 97, Professional Edition
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional 2007 Trial
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word Viewer 2003
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Windows Journal Viewer
    MobileMe Control Panel
    Mole Setup
    Mozilla Firefox 8.0.1 (x86 en-US)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser
    Nero Suite
    NIS eTrans 3.0
    NVIDIA Display Control Panel
    NVIDIA HD Audio Driver 1.2.24.0
    NVIDIA Install Application
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.11.0621
    OCA Client history tool install
    Palm
    Palm Outlook Conduits Updater
    PanoStandAlone
    Pegasus Imaging PICVideo Motion JPEG 4.0
    Pegasus Mail
    PhotoGallery
    PowerStrip 3 (remove only)
    PrimoPDF
    Punch! Professional Home Design - Platinum
    QFolder
    QuickBooks
    QuickBooks Pro 2011
    QuickTime
    Radmin Viewer 3.1
    Remote Administrator v2.2
    Remote Cameras
    Remote Control USB Driver
    ScannerCopy
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    SigmaTel Audio
    SkinsHP1
    SmartSound Quicktracks for Premiere Elements 8.0
    Sonic CinePlayer
    Spelling Dictionaries Support For Adobe Reader 8
    Star Wars Battlefront
    Star Wars Battlefront II
    Star Wars Republic Commando
    TiVo Desktop 2.8.2
    TiVo Photos 2.0
    TrayApp
    TroopMaster 2009
    TurboTax 2008
    TurboTax 2008 wcaiper
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 wcaiper
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax 2010
    TurboTax 2010 wcaiper
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wrapper
    TurboTax Deluxe Deduction Maximizer 2006
    TurboTax ItsDeductible 2006
    TurboTax Premier 2007
    Uninstall 1.0.0.1
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Media Player 10 (KB910393)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676-v2)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    VC 9.0 Runtime
    VC80CRTRedist - 8.0.50727.4053
    Videora TiVo Converter 0.80
    ViewSonic Windows XP Signed Files
    VLC media player 1.1.11
    Wallpaper Changer for Windows XP
    WD Diagnostics
    WD Firewire HID Driver
    WebFldrs XP
    WebReg
    WexTech AnswerWorks
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Media Center Edition 2005 KB2502898
    Windows XP Media Center Edition 2005 KB888316
    Windows XP Media Center Edition 2005 KB890629
    Windows XP Media Center Edition 2005 KB890760
    Windows XP Media Center Edition 2005 KB894553
    Windows XP Media Center Edition 2005 KB895198
    Windows XP Media Center Edition 2005 KB895678
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WinRAR 4.00 beta 3 (32-bit)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/4/2011 8:46:38 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    12/4/2011 7:16:36 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service ehSched with arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}
    12/4/2011 11:28:15 AM, error: SRService [104] - The System Restore initialization process failed.
    12/3/2011 7:46:17 AM, error: Dhcp [1002] - The IP address lease 192.168.1.200 for the Network Card with network address 001676C905F7 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    12/1/2011 8:38:31 AM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    12/1/2011 11:05:47 AM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
    11/30/2011 6:46:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Media Center Extender Service service to connect.
    11/30/2011 6:46:19 PM, error: Service Control Manager [7000] - The Media Center Extender Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/30/2011 6:23:00 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
    11/29/2011 11:30:41 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    11/29/2011 11:30:31 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
    .
    ==== End Of File ===========================
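Added example, not part of the original post or of the DDS tool: a small Python triage script that parses the "Event Viewer Messages From Past Week" section of a DDS log in the format shown above and groups the service-start failures by service name. The sample lines are copied from the log above; the function and constant names are my own.

```python
"""Triage the "Event Viewer Messages From Past Week" section of a DDS log.

Added example for this thread, not part of the original post or of DDS.
It parses the one-line event format DDS emits and groups service-start
failures by service, so a helper can see at a glance which services were
disabled or died in the week before the log was taken (winmgmt, the WMI
service, is worth a look: many management and security tools depend on it).
"""
import re
from collections import defaultdict

# One event per line: "<m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)

# Win32 error 1058 is ERROR_SERVICE_DISABLED: DCOM (event 10005) could not
# start the service because its start type is Disabled.
DCOM_DISABLED_RE = re.compile(r'got error "%1058" attempting to start the service (\S+)')

# Service Control Manager events that name a service which did not stay up.
SCM_PATTERNS = {
    7000: (re.compile(r"^The (.+?) service failed to start"), "failed to start"),
    7001: (re.compile(r"depends on the (.+?) service which failed to start"), "dependency failed to start"),
    7009: (re.compile(r"waiting for the (.+?) service to connect"), "start timeout"),
    7034: (re.compile(r"^The (.+?) service terminated unexpectedly"), "terminated unexpectedly"),
}

# Sample input: lines copied from the DDS log posted above.
SAMPLE_LOG = "\n".join([
    '12/4/2011 8:46:38 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service '
    'winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}',
    '12/4/2011 7:16:36 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service '
    'ehSched with arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}',
    '12/4/2011 11:28:15 AM, error: SRService [104] - The System Restore initialization process failed.',
    '12/1/2011 8:38:31 AM, error: Service Control Manager [7001] - The Remote Access Connection Manager '
    'service depends on the Telephony service which failed to start because of the following error: '
    'The service cannot be started, either because it is disabled or because it has no enabled devices '
    'associated with it.',
    '12/1/2011 11:05:47 AM, error: Service Control Manager [7034] - The Intuit Update Service service '
    'terminated unexpectedly. It has done this 1 time(s).',
    '11/30/2011 6:46:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting '
    'for the Media Center Extender Service service to connect.',
    '11/30/2011 6:46:19 PM, error: Service Control Manager [7000] - The Media Center Extender Service '
    'service failed to start due to the following error: The service did not respond to the start or '
    'control request in a timely fashion.',
    '11/30/2011 6:23:00 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service '
    'gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}',
    '11/29/2011 11:30:31 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service '
    'gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}',
])


def parse_events(text):
    """Return one dict per well-formed event line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events


def service_failures(events):
    """Map service name -> sorted list of the problems reported for it."""
    problems = defaultdict(set)
    for ev in events:
        if ev["source"] == "DCOM" and ev["event_id"] == 10005:
            m = DCOM_DISABLED_RE.search(ev["msg"])
            if m:
                problems[m.group(1)].add("disabled (error 1058)")
        elif ev["source"] == "Service Control Manager":
            entry = SCM_PATTERNS.get(ev["event_id"])
            if entry:
                pattern, label = entry
                m = pattern.search(ev["msg"])
                if m:
                    problems[m.group(1)].add(label)
    return {name: sorted(labels) for name, labels in problems.items()}


def triage_report(text):
    """One human-readable line per affected service, sorted by service name."""
    failures = service_failures(parse_events(text))
    return [f"{name}: {', '.join(labels)}" for name, labels in sorted(failures.items())]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_LOG):
        print(line)
```

After a cleanup, any service the report lists as disabled should be checked in services.msc to confirm its start type was restored.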
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I have deleted your duplicate thread. Sometimes it takes a bit for a post to go through.

    Welcome to TechSpot! Avira has given that instruction incorrectly and it has been done inappropriately on other systems. Please don't do anything else while I'm helping you unless I instruct you to do so.
    =========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    I would like to make some suggestions to you:

    1. There are 24 entries for Turbotax. Consider moving the yearly returns to a CD. That's a lot of information to keep on a system.

    The infected entry in Mbam is a (Backdoor.Agent.Gen). We cannot guarantee it has been entirely removed and that the system hasn't been compromised.
    ---------------------------
    2. I highly recommend you remove all of these domains from the Trusted Zone. The security setting is lower in that zone so your system is more vulnerable. Nothing needs to be in the Trusted Zone. It is frequently a marketing tool so that they can send pros past your security and possibly spam:
    3. Strongly recommend you take all of these off of Startup:
    ===========================================
    Please do not act on any alerts from Avira while I'm helping you:
    ===========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =============================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
  3. rda

    rda Newcomer, in training Topic Starter

    The first time the login had timed out and I didn't think the thread had posted after I logged in again, so I did it over. Thank you for catching that.

    Will do.

    I moved the data files off a while back. I suspect those entries are left over from old TurboTax installations. Should I remove the programs? I was keeping them around to make it easier to open the old returns if I have to in the future.

    OK, I did that. All of those were added in the past because something didn't work, but that was when I ran much tighter IE security settings (for both regular and trusted zones). I should have removed them when I backed off to "regular" settings.

    Done. I'll need to put at least some of those back at some point as they are tools I depend on.

    I'm using Firefox 8.0.1. The control-click opened http://www.eset.com/us/online-scanner/, but I don't see anything like the image you wrote about on that page, and clicking on the image in your post does nothing. I'm afraid I don't understand what you want me to do. There is a button on the page to run the eset online scanner, but rather than risking a mis-step, I'll ask for further instruction.

    Also, having removed those start-up items, shall I reboot before running any scanners?

    Thank you!
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Click on the Eset download screen. A new Window will popup for you to get the Installer for Firefox.

    "shall I reboot before running any scanners?" Yes
    You did not have to do them all at this moment. Perhaps I should have made that more clear.

    But you should know that you can access any of them through All Programs or shortcuts in the QuickLaunch Toolbar. Why have them all start on boot and run in the background the entire time you're on the internet?
  5. rda

    rda Newcomer, in training Topic Starter

    Hello again.

    Eset ran for most of day. It reported about 6 infections on my primary drive, and about 14 more on accessory drives (backups, primarily).

    Combofix reported infection by ZeroAccess rootkit. I disabled Avira when I started Combofix, but did not think to disable it again after reboots, which happened twice. I didn't see any reports from Avira. Hopefully it didn't interfere.

    Thank you for your assistance!

    Here is the ESET log:
    ============================================
    C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88 a variant of Java/Agent.DW trojan
    C:\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan
    F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
    F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
    F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
    F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe a variant of Win32/InstallCore.D application
    F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan
    N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
    N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
    N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe probably a variant of Win32/Agent.JBZVJYN trojan
    =========================================


    Here is the log.txt from Combofix:
    =========================================
    ComboFix 11-12-06.01 - Rich 12/06/2011 8:35.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3078 [GMT -8:00]
    Running from: c:\documents and settings\Rich\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\TEMP\3EFB0FE0.TMP
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\Rich\Desktop\msg.txt
    c:\documents and settings\Rich\My Documents\~WRL0001.tmp
    c:\documents and settings\Rich\My Documents\~WRL0005.tmp
    c:\documents and settings\Rich\My Documents\~WRL1783.tmp
    c:\documents and settings\Rich\My Documents\~WRL1896.tmp
    c:\documents and settings\Rich\My Documents\~WRL1983.tmp
    c:\documents and settings\Rich\WINDOWS
    c:\windows\$NtUninstallKB40671$
    c:\windows\$NtUninstallKB40671$\2278235436
    c:\windows\$NtUninstallKB40671$\2810037853\@
    c:\windows\$NtUninstallKB40671$\2810037853\L\uaawvnhi
    c:\windows\$NtUninstallKB40671$\2810037853\loader.tlb
    c:\windows\$NtUninstallKB40671$\2810037853\U\@00000001
    c:\windows\$NtUninstallKB40671$\2810037853\U\@000000c0
    c:\windows\$NtUninstallKB40671$\2810037853\U\@000000cb
    c:\windows\$NtUninstallKB40671$\2810037853\U\@000000cf
    c:\windows\$NtUninstallKB40671$\2810037853\U\@80000000
    c:\windows\$NtUninstallKB40671$\2810037853\U\@800000c0
    c:\windows\$NtUninstallKB40671$\2810037853\U\@800000cb
    c:\windows\$NtUninstallKB40671$\2810037853\U\@800000cf
    c:\windows\CSC\d6
    c:\windows\dasetup.log
    c:\windows\EventSystem.log
    c:\windows\kb913800.exe
    c:\windows\system32\
    c:\windows\system32\config\systemprofile\WINDOWS
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_a77dc65d
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-06 to 2011-12-06 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-05 20:49 . 2011-12-05 20:49 -------- d-----w- c:\program files\ESET
    2011-12-05 14:37 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-05 14:37 . 2011-12-05 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-05 04:57 . 2011-12-05 04:57 -------- d-----w- C:\ERDNT
    2011-12-05 03:40 . 2008-08-14 10:04 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-12-05 03:40 . 2008-04-13 19:19 138112 -c--a-w- c:\windows\system32\dllcache\afd.sys
    2011-12-04 17:01 . 2011-12-04 17:01 -------- d-----w- c:\documents and settings\Rich\Application Data\Avira
    2011-12-04 16:57 . 2011-12-05 14:14 -------- d-----w- c:\windows\system32\NtmsData
    2011-12-04 16:48 . 2011-10-20 00:56 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-12-04 16:48 . 2011-10-20 00:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-12-04 16:48 . 2011-10-20 00:56 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-12-04 16:48 . 2011-12-04 16:48 -------- d-----w- c:\program files\Avira
    2011-12-04 16:48 . 2011-12-04 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-12-04 16:31 . 2011-12-04 16:31 -------- d-----w- c:\documents and settings\Rich\Application Data\CheckPoint
    2011-12-04 16:31 . 2011-12-04 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
    2011-12-04 05:24 . 2001-08-17 22:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-12-04 03:35 . 2011-12-04 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-12-03 23:52 . 2011-12-03 23:52 -------- d-----w- c:\documents and settings\Rich\Application Data\AVG2012
    2011-12-03 22:39 . 2011-12-04 00:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-12-03 22:39 . 2011-12-04 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-12-03 22:26 . 2011-12-03 22:26 -------- d-sh--w- c:\documents and settings\Rich\Local Settings\Application Data\a77dc65d
    2011-12-02 23:18 . 2011-12-02 23:18 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-12-02 23:18 . 2011-12-02 23:18 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-12-02 23:18 . 2011-12-02 23:18 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-12-02 23:18 . 2011-12-02 23:18 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-12-02 23:18 . 2011-12-02 23:18 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-12-02 23:18 . 2011-12-02 23:18 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-12-02 23:18 . 2011-12-02 23:18 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-12-02 23:18 . 2011-12-02 23:18 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-12-01 22:24 . 2011-12-01 22:24 -------- d-----w- c:\program files\iPod
    2011-12-01 22:24 . 2011-12-01 22:26 -------- d-----w- c:\program files\iTunes
    2011-12-01 19:47 . 2011-12-01 19:47 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-12-01 19:46 . 2011-12-01 19:47 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-12-01 19:46 . 2011-12-01 19:46 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-12-01 14:50 . 2011-07-07 23:21 26216 ----a-w- c:\windows\system32\nvhdap32.dll
    2011-12-01 14:50 . 2011-07-07 23:21 119656 ----a-w- c:\windows\system32\drivers\nvhda32.sys
    2011-12-01 14:50 . 2011-07-07 23:21 876136 ----a-w- c:\windows\system32\nvhdagenco3220102.dll
    2011-11-30 20:06 . 2011-11-30 20:06 -------- d-----w- c:\windows\Logs
    2011-11-30 19:59 . 2011-01-08 03:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
    2011-11-30 19:59 . 2011-01-08 03:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
    2011-11-30 19:59 . 2011-01-08 03:27 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2011-11-30 19:59 . 2011-01-08 03:27 4980736 ----a-w- c:\windows\system32\nvcuda.dll
    2011-11-30 19:59 . 2011-01-08 03:27 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-11-30 19:59 . 2011-01-08 03:27 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-11-30 19:59 . 2011-01-08 03:27 1958400 ----a-w- c:\windows\system32\nvapi.dll
    2011-11-30 19:59 . 2011-01-08 03:27 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
    2011-11-30 19:59 . 2011-01-08 03:27 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-04 00:13 . 2011-01-08 03:58 149904 ----a-w- c:\windows\system32\nvsvc32.exe
    2011-12-02 03:10 . 2007-09-21 23:54 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2011-11-14 20:01 . 2011-05-16 13:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2006-11-26 20:47 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2006-11-26 20:46 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41 . 2006-11-26 20:49 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41 . 2006-11-26 20:49 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-12-02 23:18 . 2011-12-02 23:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-13 39408]
    "DU Meter"="c:\program files\DU Meter4\DUMeter.exe" [2010-08-31 2941984]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-09-30 2215768]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-03 9134080]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-20 258512]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
    backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
    backup=c:\windows\pss\QuickBooks_Standard_21.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Backup Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk
    backup=c:\windows\pss\WD Backup Monitor.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2010-09-23 01:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2006-09-27 23:13 61440 ----a-w- c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DtxQuickLaunch.exe]
    2006-10-25 17:24 77824 ----a-w- c:\program files\Dentrix\DtxQuickLaunch.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-09-13 23:49 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2006-07-06 22:15 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
    2008-06-10 20:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-13 07:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
    2010-08-25 00:02 437520 ----a-w- c:\program files\TiVo\Desktop\TiVoNotify.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
    2010-08-25 00:02 2264336 ----a-w- c:\program files\TiVo\Desktop\TiVoServer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
    2010-08-25 00:02 608528 ----a-w- c:\program files\TiVo\Desktop\TiVoTransfer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TranscodingService]
    2010-08-25 00:02 856336 ----a-w- c:\program files\TiVo\Desktop\Plus\TranscodingService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
    2007-08-01 04:26 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AdobeActiveFileMonitor5.0"=2 (0x2)
    "UPS"=3 (0x3)
    "UTSCSI"=2 (0x2)
    "Adobe LM Service"=3 (0x3)
    "avgwd"=2 (0x2)
    "AVGIDSAgent"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
    "c:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
    "c:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\program files\Google\Update\GoogleUpdate.exe"= Google Installer
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\qbupdate.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    .
    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [12/8/2010 10:53 AM 32008]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/4/2011 8:48 AM 36000]
    R1 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/14/2007 5:37 PM 27992]
    R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [12/8/2010 9:03 AM 76696]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/4/2011 8:48 AM 86224]
    R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter4\DUMeterSvc.exe [9/18/2010 6:12 PM 1411616]
    R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [11/9/2011 10:59 AM 1248256]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/1/2011 6:50 AM 119656]
    S3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [5/17/2011 3:21 PM 816672]
    S3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\DU Meter4\DUM_XP32.sys [9/18/2010 6:12 PM 16424]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [11/26/2006 12:50 PM 14336]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
    S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [8/24/2010 4:02 PM 1104656]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = https://www.google.com/calendar/render?sourceid=navclient&ie=UTF-8&gsessionid=OK
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    TCP: DhcpNameServer = 192.168.1.1
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://71.129.8.190:81/kxhcm10.ocx
    DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
    FF - ProfilePath - c:\documents and settings\Rich\Application Data\Mozilla\Firefox\Profiles\r8vbe3iw.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://dr-amy.com
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
    MSConfigStartUp-StxTrayMenu - c:\program files\Seagate\SystemTray\StxMenuMgr.exe
    AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-06 08:53
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
    "ImagePath"="c:\program files\DU Meter4\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3192)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\system32\locator.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\eHome\ehmsas.exe
    c:\progra~1\DU Meter4\DUMeter.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-06 08:59:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-06 16:58
    ComboFix2.txt 2010-12-12 19:25
    .
    Pre-Run: 45,403,127,808 bytes free
    Post-Run: 45,582,802,944 bytes free
    .
    - - End Of File - - 6605E3490B386B8FD12A414669008DB5
    =========================================
  6. rda

    rda Newcomer, in training Topic Starter

    Startup items

    I suppose this is a little off topic, but since you asked:

    I use PTReplicator as part of my backup system. There are likely better tools around today, but I've found this to be reliable for years, and so continue to use it.

    MacExp is a macro system that lets me automate common tasks. Remembering to launch it each time I wanted to use a shortcut would severely cut into the shortcut nature of it!

    SetPoint makes my Logitech mouse buttons work the way I want.

    Wallpaper Changer gives me new background pictures automatically, which I like.

    The others were put in by various installers and I likely won't put them back.

    Thanks!
  7. Bobbye

    Bobbye Helper on the Fringe

    FYI: you were correct- the Eset directions were misleading and confusing. Check my rewrite for me and see if it goes better:

    For checking purposes only- no need to run

    Please run the Eset online virus scan:
    For Internet Explorer:> start here >>
    • Open the ESETOnlineScan
      -------------
      Note: If you are using a browser other than Internet Explorer> start here >>
    • Open Eset Smart Installer
    • Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    • Double click on the desktop icon to run.
    • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    • Continue with the directions.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ****Let me know if you think confusion has been resolved.
    =============================
    The questions I ask and the suggestions I make are based on what I see in the logs. I take into account the resources used, the extra internet connections and the security of the system. And I base some of it on my own experiences over the years.

    However, unless something is actually malware, whether you take my suggestions is entirely up to you. You do not have to defend their use> it is your system after all!
    ===================================
    For the Eset entries: There are 3 drives with malware: C, F, N

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88 
      C:\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan
      F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe 
      F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe 
      N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ---------------------------------------
    Interesting to note in the Eset log that some of these entries just got moved around.
    Also interesting that I can't find a description of either Win32/Agent.JBZVJYN trojan or Win32/Agent.LWYJTAT trojan.
    If any of the 3 drives are a flash drive/USB drive, we should disinfect that also.
    =======================================
    Thanks for checking the Eset instruction rewrite.
    Will review Combofix log after lunch.
  8. Bobbye

    Bobbye Helper on the Fringe

    The Combofix log is okay except for this entry:

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DtxQuickLaunch.exe]
    2006-10-25 17:24 77824 ----a-w- c:\program files\Dentrix\DtxQuickLaunch.exe

    I am only concerned because of the malware reported on this program and backup.
  9. rda

    rda Newcomer, in training Topic Starter

    I tried to run OTMoveIt per your instructions, but I think I may have messed up copying the commands over. I got this message when I tried to run it:

    Invalid time flag: Agent. ??? trojan
    must be numeric

    I wrote it down, but then somehow lost it, so that's my best memory of it. The "???" is a name I can't recall.

    Regarding the files on F: and N:, they are from backups, much of it files that I never actually use/run on this computer. I don't recall "PowerStrip" (which doesn't mean I never installed it, but I'm pretty sure it isn't used now).

    I can remove Dentrix from this machine if that would simplify things.

    I don't understand what you mean by ESet showing that the files just got moved around. I'll note that I haven't touched any of the files mentioned on N: or F: in months.

    Here is the OTMoveIt log. Should I try again?

    All processes killed
    Error: Unable to interpret <C:\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan> in the current context!
    Error: Unable to interpret <F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
    Error: Unable to interpret <F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
    Error: Unable to interpret <F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
    Error: Unable to interpret <F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe > in the current context!
    Error: Unable to interpret <F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe > in the current context!
    Error: Unable to interpret <N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
    Error: Unable to interpret <N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
    Error: Unable to interpret <N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe > in the current context!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 49152 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 41044 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 16786 bytes
    ->Flash cache emptied: 8105 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 17665 bytes

    User: Rich
    ->Temp folder emptied: 4268467 bytes
    ->Temporary Internet Files folder emptied: 1031378 bytes
    ->Java cache emptied: 44549436 bytes
    ->FireFox cache emptied: 706875302 bytes
    ->Google Chrome cache emptied: 6870674 bytes
    ->Flash cache emptied: 65427 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 509859 bytes
    %systemroot%\System32 .tmp files removed: 4637201 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 21660 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 733.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 12082011_125810

    Files moved on Reboot...

    Registry entries deleted on Reboot...
  10. rda

    rda Newcomer, in training Topic Starter

    I believe that is normal as it starts a "quick launch" app in the system tray for the Dentrix software. However, I don't use it and would be happy to remove it.
  11. rda

    rda Newcomer, in training Topic Starter

    BTW:

    C: is my system drive, as usual.

    F: is a large internal drive I use for storing data like photos and videos, and copies of backups from other computers.

    N: is a USB drive used exclusively for backup.

    I have other USB drives I use for off-site backups and transferring data, but I have been careful to not use any of them while working with you. I intend to ask you what to do about them before plugging them in again :)
     
  12. rda

    rda Newcomer, in training Topic Starter

    I suspect you intend that an IE user NOT click on "Eset Smart Installer" and then run it. If so, you might want to either have an instruction to skip over the installation instructions, or visually separate the two cases (IE and non-IE) by using 2 columns or by putting them into boxes or otherwise offsetting them.

    But something like this could work:

    If you use Internet Explorer:
    • Open the ESETOnlineScan
    • Skip to "Continue here"

    If you are using a browser other than Internet Explorer
    • Open Eset Smart Installer
    • Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    • Double click on the desktop icon to run.
    • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    Continue here:
    • Check 'Yes...

    I hope that helps.

    I'm sorry if I sounded defensive before; that was not my intent. I thought you had wanted to know why I chose to run those programs as start-ups, so I was trying to answer. Certainly no offense taken on my part. I appreciate all your suggestions and advice!
  13. Bobbye

    Bobbye Helper on the Fringe

    Sorry- that was my mistake- I forgot to remove the malware name off of one of the files:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88 
      C:\Program Files\PowerStrip\PStapi.exe 
      F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe 
      F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe 
      N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    That should run okay. You may see "can't find" on all of the other entries if they were removed. It was just on one.
    ===================================
    You're going to have to disinfect the USB drive because you backed up infected files
    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Thank you for suggestions for Eset scan- instructions look to be easier to follow.

    I am very security minded and I see logs from systems over and over that have vulnerabilities. I anticipate malware many times because I recognize many of the potential sources. I am also 'lean resource' minded, because I see so many people who are running a gazillion processes and can't understand why their system is slow!

    I tend to be pushy at times and lose track that, after all, it is the responsibility of the owner to decide what to run and when.
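The two OTMoveIt slips in this thread (a ':Files' line that still carried the scanner's detection text, which produced the "Unable to interpret <...> in the current context!" errors, and a ':Commands' block pasted twice, which is why the second log shows [EMPTYTEMP] running twice) are both easy to catch before the script is pasted into the tool. The validator below is an added example written for this page; it is not code from the thread or from OTMoveIt. The section names and the command set it accepts are taken from the scripts quoted above and are assumptions about OTM's grammar, not its full syntax; the sample scripts are constructed from those posts.

```python
"""Validate an OTMoveIt (OTM) fix script before pasting it into the tool.

Added example, not code from the thread or from OTMoveIt itself. It models the
two slips visible in the thread: a ':Files' line with commentary after the
path, and a ':Commands' section that appears twice. Section names and the
accepted command set are assumptions based on the scripts quoted in the thread.
"""
import re

SECTION_RE = re.compile(r"^:(\w+)\s*$")
# A Windows path: drive letter, colon, backslash, then no characters that are
# illegal in a file name. Spaces are legal, so this alone cannot separate a
# path from a path followed by commentary; TRAILING_TEXT_RE handles that.
PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>:"|?*]*$')
# Heuristic: an extension-like token (".exe", ".dll", ".lnk") followed by
# whitespace and further text. A directory name such as "v1.10 beta\" would
# trip it too, so treat a hit as a warning to inspect, not a hard error.
TRAILING_TEXT_RE = re.compile(r"^(.*?\.\w{2,4})\s+\S.*$")
KNOWN_COMMANDS = {"[purity]", "[emptytemp]", "[start explorer]", "[reboot]"}


def parse_otm_script(text):
    """Return an ordered list of (section_name_lowercase, [non-blank lines])."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), [])
            sections.append(current)
            continue
        if current is None:  # content before any ':Section' header
            current = ("<none>", [])
            sections.append(current)
        current[1].append(line)
    return sections


def clean_files_line(line):
    """Strip commentary that follows the file name, leaving only the path."""
    m = TRAILING_TEXT_RE.match(line.strip())
    return m.group(1) if m else line.strip()


def validate_otm_script(text):
    """Return a list of problem descriptions; empty means the script looks safe to paste."""
    problems = []
    seen = {}
    for name, lines in parse_otm_script(text):
        seen[name] = seen.get(name, 0) + 1
        if seen[name] == 2:
            problems.append("section ':%s' appears more than once; its entries would run twice" % name)
        if name == "files":
            for line in lines:
                if not PATH_RE.match(line):
                    problems.append("':Files' line is not a bare Windows path: %r" % line)
                elif TRAILING_TEXT_RE.match(line):
                    problems.append("':Files' line has text after the file name (use %r): %r"
                                    % (clean_files_line(line), line))
        elif name == "commands":
            for line in lines:
                if line.lower() not in KNOWN_COMMANDS:
                    problems.append("unrecognised command %r" % line)
        else:
            problems.append("unexpected section ':%s'" % name)
    return problems


# Constructed from the two scripts in the thread: one bad ':Files' line and a
# duplicated ':Commands' block.
BAD_SCRIPT = r"""
:Files
C:\Program Files\PowerStrip\PStapi.exe probably a variant of Win32/Agent.LWYJTAT trojan
F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""

GOOD_SCRIPT = r"""
:Files
C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88
C:\Program Files\PowerStrip\PStapi.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""

if __name__ == "__main__":
    for label, script in (("bad", BAD_SCRIPT), ("good", GOOD_SCRIPT)):
        print(label, validate_otm_script(script) or "OK")
```

Running it on BAD_SCRIPT reports the PStapi.exe line together with the cleaned path to use instead, and the duplicated ':Commands' section; GOOD_SCRIPT comes back clean. The trailing-text check is deliberately a heuristic, so a flagged line should be read before it is edited.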
  14. rda

    rda Newcomer, in training Topic Starter

    OTMoveIt seemed to run without difficulty this time.

    N: is a USB drive that is always attached. I'm running flash_disinfector on it now.

    Would it be OK to wait until we're confident the main system is all cleaned up before doing the flash_disinfector on the drives I haven't had attached?

    THANK YOU!!!

    Here is the OTMoveIt log:

    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\Rich\Application Data\Sun\Java\Deployment\cache\6.0\3\52f0cbc3-4217eb88 not found.
    C:\Program Files\PowerStrip\PStapi.exe moved successfully.
    F:\Backups from Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
    F:\Backups from Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
    F:\Backups from Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
    F:\Backups from Office\My Docs\Downloads\cnet_vlc-1_1_11-win32_exe.exe moved successfully.
    F:\From Maxtor 320\Program Files\PowerStrip\PStapi.exe moved successfully.
    N:\From Office\Dentrix Backups\Dentrix 1\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
    N:\From Office\Dentrix Backups\Dentrix 2\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
    N:\From Office\Dentrix Backups\Dentrix 3\Local\Old Mars files\dnetc-win32-x86-setup.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 16786 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Rich
    ->Temp folder emptied: 12777 bytes
    ->Temporary Internet Files folder emptied: 33300 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 112328458 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1250 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 7568 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 107.00 mb

    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Rich
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 12082011_145921

    Files moved on Reboot...

    Registry entries deleted on Reboot...
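Bobbye's note above explains what Flash_Disinfector leaves behind: a hidden folder named autorun.inf in the root of each drive. The point is that Windows XP would act on an autorun.inf *file* in a drive root (its open= or shellexecute= entry named a program to run when the drive was inserted), and a folder already occupying that name stops malware from dropping the file. The script below is an added example, not code from the thread or from Flash_Disinfector: it classifies what sits at autorun.inf in a drive root and, when it is a file, pulls out the launch-relevant keys. The sample autorun.inf content is constructed for the demonstration, and the "drive roots" are temporary directories, so it runs on any OS.

```python
"""Classify what sits at autorun.inf in a drive root and what it would launch.

Added example, not from the thread or from Flash_Disinfector. The sample
autorun.inf text is constructed; 'RECYCLER\\setup.exe' is a made-up target,
not a file from the poster's drives.
"""
import os
import tempfile


def parse_autorun_inf(text):
    """Return {key_lowercase: value} for the entries in the [autorun] section."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def is_launch_key(key):
    """Keys that make Windows execute something: open, shellexecute, shell, shell\\<verb>\\command."""
    return key in ("open", "shellexecute", "shell") or key.startswith("shell\\")


def classify_autorun(root):
    """Return (kind, launch_entries); kind is 'absent', 'protective_dir' or 'file'."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", {}
    if os.path.isdir(path):
        # What Flash_Disinfector leaves behind: the name is taken, so no
        # autorun.inf file can be created there.
        return "protective_dir", {}
    with open(path, errors="replace") as fh:
        entries = parse_autorun_inf(fh.read())
    return "file", {k: v for k, v in entries.items() if is_launch_key(k)}


# Constructed sample in the style of USB worms of the period.
SAMPLE_MALICIOUS_INF = """\
[autorun]
; constructed sample
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command=RECYCLER\\setup.exe
shell\\explore\\Command=RECYCLER\\setup.exe
useautoplay=1
"""


def demo():
    """Create three throwaway 'drive roots' and classify each; returns {label: result}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        infected = os.path.join(tmp, "infected_drive")
        os.makedirs(infected)
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_MALICIOUS_INF)
        results["infected"] = classify_autorun(infected)

        protected = os.path.join(tmp, "protected_drive")
        os.makedirs(os.path.join(protected, "autorun.inf"))
        results["protected"] = classify_autorun(protected)

        clean = os.path.join(tmp, "clean_drive")
        os.makedirs(clean)
        results["clean"] = classify_autorun(clean)
    return results


if __name__ == "__main__":
    for label, (kind, launch) in demo().items():
        print("%-9s %-14s %s" % (label, kind, launch or ""))
```

To check a real drive, call classify_autorun on its root (for example "N:\\"). The caveat is the one the thread itself shows: the protective folder only blocks autorun-based spread. Infected files that were *backed up* onto the drive, like the dnetc setup and PStapi.exe copies on F: and N:, are untouched by it, which is why those had to be moved with OTMoveIt separately.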
  15. rda

    rda Newcomer, in training Topic Starter

    A couple more observations:

    The desktop refreshes (icons redraw) more often than I recall happening in the past when I open and close Explorer windows, or sometimes when I just open folders within Explorer.

    Some processes still go to 50% (odd that it seems to stay right at 50%) CPU, and the associated applications run very slowly. They don't always do it the same. However, I've noticed that apps that have to do with display, like BreezeBrowser, PhotoShop, and LightRoom seem much more likely to experience this problem.

    Since I put in a new graphics card (GeForce GTX 570) not long before I started noticing these problems, it could be a driver issue instead of malware. Of course, I've promised to not change drivers, etc., until you're done with me, so I haven't tried anything yet. I did try to install the latest driver updates when I put the card in. However, I had problems at first because the previous drivers did not seem to uninstall fully, and I still have an "unknown device" that appeared in Device Manager when the card went in.

    Anyway, I'm hoping to get some photo editing done over the next couple of days, so I'm crossing my fingers that we are close to either solving this, or turning me loose from the malware demons to try to fix the problem.

    Thanks!
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Since you have mentioned 2 possible symptoms of this malware, let's check it out:

    Determine if you are infected with Zero.Access

    1. Open the Task Manager by pressing Ctrl + Shift + Esc on your keyboard or by right-clicking the Start Menu bar and selecting Task Manager.

    2. Be sure that "Show processes from all users" is selected at the bottom left-hand corner of the window. Click "Image Name" to sort this column alphabetically and then look at the top of the list.

    3. If you are infected with the Zero.Access rootkit, you will see a running process such as "1077238835:3433286335.exe" (example only; your computer may display different numbers).
    =======================================
    Unexplained crashes of Windows Explorer can occur if you have hidden files and folders visible:
    Check Control Panel> Folder Options> View tab> be sure "Show hidden files and folders" is Unchecked> be sure "Hide protected system files and folders"-(Recommended) is Checked> Apply> OK.
    =======================================
    Please explain each of the following more clearly:
    How/What are you noticing this?
    ----------------------------------
    Some malware can change your desktop background to a solid black color. If that has been happening intermittently, Go to the Control Panel> Display> Desktop> reset the background.
  17. rda

    rda Newcomer, in training Topic Starter

    I definitely noticed processes named like that in Task Manager before we started cleaning things up, but not since I started working with you, though I can't pin down the exact time they went away. There are none right now.

    Explorer was crashing before you started helping me, but I haven't had an Explorer crash since we started.

    Not to sound like a broken record, but I haven't seen this happening since we started cleaning up. What I noticed before was that Windows Firewall reported that Explorer was trying to connect to IP addresses I did not recognize. I was not doing anything with Explorer (or any other program) that I thought might cause a need for such connections, so I attempted to block them, and that got me started thinking I had an infection.

    It does not happen every time, but, for instance, I just now closed an Explorer window. The window closed, and all the icons on my Desktop (I have too many...) repainted. It seems to happen when I'm opening and closing folders with Explorer, but not consistently, and when I try to reproduce it by doing the same action again right away, it never seems to do it again.

    I have no reason to specifically believe this is malware, but I don't recall this behavior in the past. In the past, I would notice the icons repaint after I changed a setting or something, but I don't recall it happening just from closing a window or opening a folder.

    I have not seen that happening. My background images are not changing; only the icons for the files on the DeskTop

    Thank you!!!
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Your use of the word Explorer alone is confusing and technically not correct.

    There is Windows Explorer which is the file manager for the system. Think of it as exploring Windows.

    There is Internet Explorer which is the browser you use to access the internet. Think of it as exploring the internet.

    Either can crash. You need to be specific when you refer to "hang": what is not happening when you refer to hang? An application can hang either loading or shutting down. Is it that your desktop isn't loading correctly? Either a delay or something missing?

    How are the icons "changing"? Do you mean they disappear, then come back? What are you doing when this happens? Have the icons changed when they come back?

    "I just now closed an Explorer window." What Window?
    "..... Windows Firewall reported that Explorer (What Explorer?) was trying to connect to IP addresses I did not recognize."

    You have all of these domains in the Trusted Zone:
    Trusted Zone: adobe.com
    Trusted Zone: dr-amy.com
    Trusted Zone: dyndns.org\wvfcpao
    Trusted Zone: eset.com
    Trusted Zone: intuit.com
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: safeway.com\shop
    Trusted Zone: turbotax.com
    Do you know all their IPs? Could a process in one of these be trying to access the internet?

    You have also authorized all of the following to pass through the firewall. You don't need to list these separately. There are ports in firewalls for incoming and outgoing programs and apps. You would only list any that for some reason would not use the assigned port.
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    You have processes set to auto-update Java, Adobe, Google Update Helper
    QTTask.exe" -atboottime, iTunesHelper, HP Software Update.
    This means that every day, all day, they will be contacting the internet to see if there is an update. It may be months between updates.

    Open the Task Manager> how many processes are running> look lower left: 30-40 would be a good number. I suspect yours will read about 60.

    I tell you these things because the more you have running-and you have an excess of processes starting on boot, the more chance you have for crashes, freezes and strange IPs trying to access the internet.

    And there could be an issue with RAM. If something freezes or crashes and you have to reboot to get started again, it could be that the available RAM has been used and so the system will crash or freeze. Rebooting restores some of the RAM and the cycle begins again.

    How much RAM do you have?
     
  19. rda

    rda Newcomer, in training Topic Starter

    I thought I clarified that early on when I wrote "Explorer (not Internet Explorer)", but with all the threads you are likely following that is a detail that would be easy to drop. I will try to be more explicit. Wherever I have written "explorer" by itself, I am referring to "Windows Explorer", the program used to view listings of files and manipulate files and directories, and which I believe is also responsible for the task bar and much of the "desktop".

    According to Windows Firewall, it was "explorer.exe" (which I believe is the program that implements Windows Explorer) that was trying to access the internet. I haven't seen that warning since starting working with you.

    I do NOT use Internet Explorer, and have not for some time. I use Firefox 8.0.1.

    By "hang" I mean that an application stops responding to input in the normal way. In the case of Windows Explorer, clicking on files would stop working in the Windows Explorer windows, the task bar would become non-responsive, and sometimes clicking the "X" in the Windows Explorer windows would result in a dialog saying "The program is not responding" and sometimes nothing. Generally, I would have to reboot, or kill the explorer.exe process with Task Manager to recover. That has not happened since I began following your instructions.

    It looks the same as if I click on the desktop and then hit F5, which seems to redraw all the icons. Nothing moves, or changes. It just seems odd that it refreshes when I open or close directories in Windows Explorer (without making any change).

    It was a Windows Explorer window that I was using to look at files in a directory. I'm sorry I do not recall which directory. However, the behavior does not happen with just one directory. After a fresh reboot, I just opened a Windows Explorer window using <Windows>-E then clicked on the C: drive and saw the refresh behavior. After I closed that window and did the same thing again, there was no refresh behavior.
    Firewall reported that "explorer.exe" was trying to access the internet (to be sure we're talking about the same thing, this happened BEFORE any clean-up work and has not been seen since.)

    Those zones were in my trusted list for a long time before (when I used to use Internet Explorer) and never seemed to cause explorer.exe to do anything in the past, but I really don't know if they have anything to do with the problems at hand.

    Note that I did get rid of them already, per your earlier advice.

    I don't know much about how that list got made. I didn't specifically add them in, except perhaps by saying "yes" when Firewall said they wanted to use the internet, shortly after installing the programs. If Firewall said some program I installed months ago suddenly wanted to use the internet, I would be suspicious and not allow it. Other than the couple of times with explorer.exe, that hasn't happened.

    Yes, it is very annoying that many programs these days seem to install their own updaters, and it is very hard to figure out if they are doing good things, like applying useful security fixes, or just sucking up resources, or worse. Sometimes I make an effort to turn them off, but life is short and some of them are pretty persistent.

    Here they are (about 40, including the cmd, firefox, and my mail reader):

    Image Name PID Session Name Session# Mem Usage
    ========================= ====== ================ ======== ============
    System Idle Process 0 Console 0 28 K
    System 4 Console 0 244 K
    smss.exe 476 Console 0 436 K
    csrss.exe 548 Console 0 4,268 K
    winlogon.exe 580 Console 0 1,272 K
    services.exe 624 Console 0 4,304 K
    lsass.exe 648 Console 0 1,660 K
    nvsvc32.exe 828 Console 0 6,404 K
    svchost.exe 908 Console 0 5,316 K
    svchost.exe 956 Console 0 4,468 K
    svchost.exe 1024 Console 0 26,696 K
    svchost.exe 1076 Console 0 3,504 K
    svchost.exe 1164 Console 0 3,800 K
    svchost.exe 1240 Console 0 3,108 K
    spoolsv.exe 1344 Console 0 8,092 K
    sched.exe 1380 Console 0 1,656 K
    svchost.exe 1444 Console 0 3,992 K
    avguard.exe 1532 Console 0 14,712 K
    mDNSResponder.exe 1552 Console 0 3,112 K
    DUMeterSvc.exe 1588 Console 0 5,896 K
    QBCFMonitorService.exe 1864 Console 0 10,528 K
    explorer.exe 2036 Console 0 29,904 K
    QBIDPService.exe 336 Console 0 9,524 K
    locator.exe 1224 Console 0 2,824 K
    svchost.exe 1312 Console 0 3,948 K
    svchost.exe 1392 Console 0 5,956 K
    rundll32.exe 440 Console 0 5,828 K
    ehtray.exe 1452 Console 0 1,868 K
    avgnt.exe 1988 Console 0 3,056 K
    GoogleToolbarNotifier.exe 2096 Console 0 1,668 K
    DUMeter.exe 2164 Console 0 3,120 K
    ctfmon.exe 2148 Console 0 3,760 K
    winpm-32.exe 3064 Console 0 3,288 K
    avshadow.exe 3532 Console 0 2,696 K
    ehmsas.exe 4068 Console 0 2,968 K
    firefox.exe 2056 Console 0 179,384 K
    alg.exe 2136 Console 0 3,348 K
    wuauclt.exe 3820 Console 0 4,152 K
    taskmgr.exe 2472 Console 0 5,000 K
    cmd.exe 3020 Console 0 2,756 K
    tasklist.exe 404 Console 0 4,628 K
    wmiprvse.exe 188 Console 0 5,960 K

    I did cut back on the auto-starts per your earlier advice.

    I have 4GB installed, which is the least I can have and max out XP, according to the computer company.

    I have actually had very few system-wide freezes and crashes over the last few years. In fact, the system crashed today (BSoD) as I tried to bring it awake from a standby mode, and that's the first BSoD I can recall on this computer.

    Having said all that, let me note that, as of right now, the only symptoms that continue are:

    - Unexplained desktop refreshes detailed above
    - Some applications, especially those that deal with images (PhotoShop, LightRoom, BreezeBrowser, VLC, and even Word in documents with lots of pictures) seem to sometimes slow WAY down. When I look in Task Manager, they are using 50% or more CPU, but seem to be doing nothing.
    - The one-off BSoD today.

    All of those could be either nothing (the refreshes) or symptoms of driver or hardware problems with my new graphics card. I really don't know.

    Would it help the diagnostic process if I either reinstalled the drivers for the new card, or removed them and the card and reinstalled the old card?

    I need to ask a question. I'm getting behind on my work. Is it safe to carefully move the following kinds of data (non-executable) files to another system to work on before we declare this system safe?

    quickbooks data files
    Word documents
    Excel documents
    photos (jpegs, camera raw, PhotoShop)
    movies (avi, mpg, flv)
    Favorites for Firefox

    I would use a USB drive that had Flash_Disinfector run on it and bring them into a Windows 7 account with limited privilege.

    Thanks again for your patience and assistance
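The check Bobbye describes in post 16 (sort Task Manager by Image Name and look for a process named like "1077238835:3433286335.exe") and the `tasklist` output rda posted above can be combined into a small script. The following is an added example written for this page, not code from the thread or from any of the tools it mentions. It parses default `tasklist` output, counts the processes (the lower-left figure Bobbye asks about) and flags any image name with the digits-colon-digits-.exe shape. The embedded sample listing is constructed for the example: its rows mimic the shape of rda's list, and the last row is an invented ZeroAccess-style name with made-up PID and memory values.

```python
import re
from typing import Dict, List

# Constructed sample of `tasklist` output, shaped like the Windows XP listing
# posted in the thread.  The final row is a made-up ZeroAccess-style image
# name (two long numbers separated by a colon); its PID and memory figures
# are invented for this example.
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        244 K
smss.exe                       476 Console                    0        436 K
csrss.exe                      548 Console                    0      4,268 K
svchost.exe                    908 Console                    0      5,316 K
explorer.exe                  2036 Console                    0     29,904 K
firefox.exe                   2056 Console                    0    179,384 K
1077238835:3433286335.exe     1612 Console                    0      2,040 K
"""

# One default `tasklist` row: image name (may contain spaces), PID, session
# name, session number, memory usage with thousands separators and a trailing K.
ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
    r"(?P<session_num>\d+)\s+(?P<mem>[\d,]+)\s+K$"
)

# The naming pattern the thread uses to recognise ZeroAccess: digits, a colon,
# digits, ".exe".  Case-insensitive because Windows file names are.
ZEROACCESS_NAME = re.compile(r"^\d+:\d+\.exe$", re.IGNORECASE)


def parse_tasklist(text: str) -> List[Dict[str, object]]:
    """Parse default `tasklist` output into one dict per process row."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the column header and the ===== separator.
        if not line or line.startswith("Image Name") or line.startswith("="):
            continue
        m = ROW.match(line)
        if m is None:
            # Fail loudly rather than silently dropping a row, so a malformed
            # capture (e.g. `tasklist /v`, which adds columns) is noticed.
            raise ValueError(f"unparseable tasklist row: {raw!r}")
        entries.append({
            "name": m.group("name"),
            "pid": int(m.group("pid")),
            "session": m.group("session"),
            "session_num": int(m.group("session_num")),
            "mem_kb": int(m.group("mem").replace(",", "")),
        })
    return entries


def is_zeroaccess_name(image_name: str) -> bool:
    """True if the image name has the digits:digits.exe shape."""
    return ZEROACCESS_NAME.match(image_name) is not None


def find_zeroaccess_candidates(entries: List[Dict[str, object]]) -> List[str]:
    """Return the image names that match the ZeroAccess-style pattern."""
    return [str(e["name"]) for e in entries if is_zeroaccess_name(str(e["name"]))]


def audit(text: str) -> Dict[str, object]:
    """Summarise a tasklist capture the way the helper's checklist does:
    total process count and any ZeroAccess-style image names."""
    entries = parse_tasklist(text)
    candidates = find_zeroaccess_candidates(entries)
    return {
        "process_count": len(entries),
        "zeroaccess_candidates": candidates,
        "flagged": bool(candidates),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_TASKLIST)
    print(f"{result['process_count']} processes listed")
    for name in result["zeroaccess_candidates"]:
        print(f"ZeroAccess-style image name: {name}")
```

On a live machine you would capture `tasklist > procs.txt` from a command prompt and pass the file contents to `audit`; the parser expects the default column layout, so `tasklist /v` output would need the pattern extended. Treat a clean result as one data point only: in this very thread the name check was negative by the time it was run, yet the boot-CD scan had still found a renamed afd.sys and files in a folder not visible from Windows, so the absence of a suspicious process name does not by itself show the system is clean.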
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    All 3 of the drives had infected entries: C, F, N
    Disinfect all

    The Q&A with quotes between us is getting too time consuming:

    Please say Windows Explorer when you mean Windows Explorer.
    Please say Internet Explorer when you mean Internet Explorer.

    You can't expect me to remember when 'rda' says 'Explorer' he/she 'means' Windows Explorer> please use the correct terminology.

    About the processes given entry through the firewall: If you install a new program and it requires internet access, the first time you run it, you will be asked if you want to allow it to connect. You must be sure to allow it then, but do not give it server rights. Those programs would not be listed if you simply allowed the connection the first time.

    'Auto-starts' are controlled on the Startup Menu and/or Services.
    Auto-updaters are within the programs themselves. If you allow it, there will most likely be a separate process for it. They can all be controlled. I have 4 processes on my Startup menu and only the AV is allowed to auto-update.

    I have brought your attention to several things to help get unnecessary processes off of the system. For all you said you had moved them, you don't use them, they are 'left over', then you ask if you should remove them. The answer is yes.

    Your descriptions of slow downs, refreshing, then of having 4GB of RAM suggests that one or more of the RAM chips may be bad. I would encourage you to start a new thread in the "Windows BSOD, Freezing, Restarting Help"> http://www.techspot.com/vb/menu46.html forum and approach the problem as being system related, not malware related. They can also help you check the drivers and look for Errors in the Event Viewer that might explain some of the things that are happening. I don't see evidence of any malware remaining.
    ======================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
  21. rda

    rda Newcomer, in training Topic Starter

    Thank you for your help.

    Goodbye.
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're welcome. Good luck with the system problem- possibly related to the graphics card.