Inactive Redirect and svchost.exe problems


obobo

I am running Avira, Malwarebytes, and Advanced SystemCare PRO on XP. All have detected and fixed many things; however, I am still redirecting and also have svchost.exe using 99% of my resources.
I notice that in STEP1 you mention NOT to use one of the two free antivirus programs (listed below) and Avira is one of them.
How should I proceed?
Thank you in advance for your help!

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7458

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18372

8/14/2011 12:23:37 PM
mbam-log-2011-08-14 (12-23-37).txt

Scan type: Quick scan
Objects scanned: 346999
Time elapsed: 16 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Let's get you started off right: Directions must be read carefully:

I notice that in STEP1 you mention NOT to use one of the two free antivirus programs (listed below) and Avira is one of them. How should I proceed?

What it says:
If you have a functioning, updating antivirus program, please leave it on the system for now. Do NOT add either of the free AV programs below.

It seems that no matter how clear we try to make this direction, members are still not reading it carefully:

What it means
It means that you should only have one antivirus program on the system. If you have one already, don't add another one!

We added that line because members thought they were supposed to add one of the AV programs, whether they already had one or not. So we frequently started out help telling them to remove one of the AV programs.

What you should do
If you did not have an AV program on the system, so you installed Avira> leave it.
Or if Avira is the AV program that has been running on the system> leave it.
If you already had an AV such as AVG, McAfee, Norton, etc. and it is current and working> remove Avira.
===================================
Do you understand?
==================================
Please proceed with the rest of the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
=======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
I do understand

Step1
I have removed Advanced Systemcare PRO because it was a recent addition.
So I now have Avira and Malware bytes, both have been used and updated regularly.

Step2
Ran Malware bytes. Log as follows:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7458

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18372

8/14/2011 12:23:37 PM
mbam-log-2011-08-14 (12-23-37).txt

Scan type: Quick scan
Objects scanned: 346999
Time elapsed: 16 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Step 3
Disabled internet connection
disabled Avira
gmer log as follows:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-14 16:12:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
Running: 2w3l70b8.exe; Driver: C:\DOCUME~1\BOBADV~1.AIA\LOCALS~1\Temp\kwpcypow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 897CF51B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 897CF51B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 897CF51B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 897CF51B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 897CF51B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 897CF51B

---- EOF - GMER 1.0.15 ----
 
Step 4

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_13
Run by Bob Advent at 16:22:17 on 2011-08-14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.841 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
 
Step 4b

============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL =
mDefault_Search_URL =
mSearch Page =
mStart Page =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\bob advent.aia-62ce443b0df\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\bobadv~1.aia\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
 
Per PM, give me details of the connectivity problem.

Also, another reminder to read the directions. There are no instructions to do the following to run GMER:
Step 3
Disabled internet connection
disabled Avira
gmer log as follows:

Maybe you had a problem with DDS because you were not connected!

Also a reminder> Avast is outdated. I don't need a scan from Avast, but you should update it for the time it runs between the scans.
========================================
When able, please repost the complete DDS.txt log and the 2nd log from DDS, named Attach.txt.>> Please note: the word 'attach' is a name, not a direction. So follow the instruction to paste it in and do not zip it.
 
I am connected. Pages come up fine until I hit 'submit reply' posting the logs.
The page says no connectivity only for that operation, everything else is fine.
So this morning I tried again and same thing. I did cut up the log file and it worked a couple of times as you can see. No connectivity seems like a crazy response for having too many characters. You have not heard of this before?

I will try again now
 
From scratch

I updated Avira
re-ran Malwarebytes (also updated)
ran GMER
ran dds.scr
logs as follows:


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7474

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18372

8/15/2011 7:48:35 PM
mbam-log-2011-08-15 (19-48-35).txt

Scan type: Quick scan
Objects scanned: 349599
Time elapsed: 18 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\bob advent.aia-62ce443b0df\local settings\Temp\0.09496248407591135.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
 
gmer

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-15 19:58:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
Running: 2w3l70b8.exe; Driver: C:\DOCUME~1\BOBADV~1.AIA\LOCALS~1\Temp\kwpcypow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8980551B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8980551B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8980551B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8980551B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8980551B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8980551B

---- EOF - GMER 1.0.15 ----
 
dds

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_13
Run by Bob Advent at 20:01:09 on 2011-08-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.795 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Bob Advent.AIA-62CE443B0DF\Desktop\2w3l70b8.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
 
dds2

============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL =
mDefault_Search_URL =
mSearch Page =
mStart Page =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\bob advent.aia-62ce443b0df\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\bobadv~1.aia\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn311\wlancfg5.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218071978937
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{06160C32-4B76-47B8-9813-2535EBCCFD30} : DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{521526A3-A489-47C1-8DCC-34B1155D925A} : DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{65E5B941-654D-4A0B-8D33-E6837EC45C3B} : DhcpNameServer = 65.32.5.111 65.32.5.112
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
 
dds3

================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob advent.aia-62ce443b0df\application data\mozilla\firefox\profiles\x6x6xulf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\bob advent.aia-62ce443b0df\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\bob advent.aia-62ce443b0df\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-20 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-20 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-20 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-20 66616]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-10 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-27 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-27 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-20 41272]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice.nt authority.001\local settings\application data\ryj.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-08-13 23:57:52 595017 ----a-w- c:\windows\system32\0.10011759339062531.exe
2011-08-13 23:56:45 79145 ----a-w- c:\windows\system32\0.6652486097998987.exe
2011-08-12 03:39:25 -------- d-----w- c:\documents and settings\bob advent.aia-62ce443b0df\application data\IObit
2011-08-12 03:39:21 -------- d-----w- c:\program files\IObit
2011-08-11 17:09:36 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-11 17:09:36 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-11 15:45:01 0 ----a-w- c:\documents and settings\all users.windows\application data\mrmb.exe
2011-08-11 15:45:00 0 ----a-w- c:\documents and settings\all users.windows\application data\wmqf.exe
2011-08-11 15:45:00 0 ----a-w- c:\documents and settings\all users.windows\application data\smks.exe
2011-08-11 15:45:00 0 ----a-w- c:\documents and settings\all users.windows\application data\doku.exe
2011-08-10 15:41:28 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 15:39:38 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 13:41:25 -------- d-----w- C:\SPEARSMFG
2011-08-09 13:38:11 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2011-08-09 13:38:11 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-08-09 13:38:11 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2011-08-09 13:38:11 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2011-08-09 13:38:10 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2011-08-09 13:38:09 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-08-09 13:38:09 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2011-08-04 13:36:53 -------- d-----w- c:\documents and settings\bob advent.aia-62ce443b0df\Turbo Squid Tentacles
2011-08-04 04:27:04 -------- d-----w- c:\program files\Turbo Squid Tentacles
2011-08-04 04:26:43 -------- d-----w- c:\program files\Microsoft WSE
2011-08-04 04:20:28 -------- d-----w- c:\program files\Autodesk
2011-08-04 03:57:06 -------- d-----w- c:\program files\3ds
2011-07-31 23:34:13 -------- d-----w- c:\program files\common files\SolidWorks Shared
2011-07-31 23:33:36 -------- d-----w- c:\program files\common files\eDrawings2011
2011-07-28 21:09:51 -------- d-----w- c:\program files\Right Hemisphere
2011-07-28 17:17:19 -------- d-----w- c:\documents and settings\bob advent.aia-62ce443b0df\application data\Right Hemisphere
2011-07-28 17:17:19 -------- d-----w- c:\documents and settings\all users.windows\application data\Reprise
2011-07-28 15:32:11 348256 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\vstahost\coreldesigner\9.0\1033\ResourceCache.dll
2011-07-28 14:49:27 -------- d-----w- c:\documents and settings\all users.windows\application data\Corel DESIGNER Technical Suite X5
 
dds final

==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 19:06:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-29 00:17:26 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-08 14:40:10 313168 ----a-w- c:\windows\system32\WPPFilt.dll
2011-06-06 19:55:34 47512 ----a-w- c:\windows\system32\AdobePDF.dll
2011-06-06 19:55:32 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2004-03-30 05:04:00 49152 ----a-w- c:\program files\common files\tx11_gif.flt
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x898056D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8980b9d0]; MOV EAX, [0x8980ba4c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89879AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000060[0x89867F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89863D98]
\Driver\atapi[0x89860C78] -> IRP_MJ_CREATE -> 0x898056D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8980551B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:03:04.84 ===============
 
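Added example, not part of this thread and not code from GMER, DDS or Malwarebytes: a small Python triage script that scans pasted DDS/GMER log lines for the indicator types visible in the logs above. It flags an antivirus reported as *Disabled/Outdated*, a TDL4/TDL3 MBR rootkit detection, an atapi DriverStartIo hook, an `exefile` association that no longer points at the default `"%1" %*`, random numeric-named executables dropped in system32, and zero-byte executables under Application Data. The regexes are my own heuristics for these log formats, the severities are an assumption, and the sample lines are constructed to mirror the formats seen above rather than copied from the thread.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the DDS/GMER formats in this thread
# (illustrative only; paths, names and hook addresses are not the thread's).
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8980551B
exefile="c:\documents and settings\networkservice.nt authority.001\local settings\application data\ryj.exe" -a "%1" %*
2011-08-13 23:57:52 595017 ----a-w- c:\windows\system32\0.10011759339062531.exe
2011-08-11 15:45:01 0 ----a-w- c:\documents and settings\all users.windows\application data\mrmb.exe
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
uStart Page = hxxp://www.google.com/
Warning: possible TDL3 rootkit infection !
"""

# (indicator name, assumed severity, compiled pattern). Each pattern targets one
# line shape produced by DDS or GMER; none of these are the tools' own rules.
INDICATORS = [
    # DDS header: the AV product reports itself disabled or out of date.
    ("av_disabled", "low", re.compile(r"^AV:.*\*Disabled")),
    # GMER disk-sector / MBR checks: bootkit code found in the MBR.
    ("mbr_rootkit", "high",
     re.compile(r"TDL4@MBR|possible TDL\d rootkit infection|rootkit-like behavior")),
    # GMER devices / hooks: atapi DriverStartIo redirected to an unknown address.
    ("driverstartio_hook", "high",
     re.compile(r"->\s*DriverStartIo\s|DriverStartIo\s*->")),
    # DDS file associations: default exefile value is exactly "%1" %*; anything
    # else means every .exe launch is routed through another program first.
    ("exefile_hijack", "high", re.compile(r'^exefile=(?!"%1" %\*\s*$)')),
    # DDS "Created Last 30": dropper-style 0.<digits>.exe names in system32.
    ("random_numeric_exe_system32", "medium",
     re.compile(r"\\windows\\system32\\0\.\d+\.exe$", re.IGNORECASE)),
    # DDS "Created Last 30": zero-byte .exe files left under Application Data.
    ("zero_byte_exe_appdata", "medium",
     re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} 0 \S+ .*application data\\.*\.exe$",
                re.IGNORECASE)),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, indicator) match over pasted log text."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        for name, severity, pattern in INDICATORS:
            if pattern.search(line):
                findings.append({"line": lineno, "indicator": name,
                                 "severity": severity, "text": line})
    return findings


def counts_by_indicator(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Collapse findings to a per-indicator hit count."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["indicator"]] = counts.get(f["indicator"], 0) + 1
    return counts


def highest_severity(findings: List[Dict[str, object]]) -> str:
    """Worst severity present, or 'none' when the log shows no indicators."""
    if not findings:
        return "none"
    return max((f["severity"] for f in findings), key=lambda s: SEVERITY_RANK[s])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h['severity']:6}] line {h['line']:3} {h['indicator']}: {h['text'][:70]}")
    print("counts:", counts_by_indicator(hits))
    print("overall:", highest_severity(hits))
```

Run it against a saved DDS.txt or GMER log (replace `SAMPLE_LOG` with the file contents) to get a first-pass list of lines worth a helper's attention; the `exefile` check is the one most worth keeping, since a hijacked association means any .exe started by the user, including the cleaning tools, runs through the hijacker's binary first.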
attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/4/2008 8:02:34 PM
System Uptime: 8/15/2011 7:49:46 PM (1 hours ago)
.
Motherboard: Dell Inc | | 0UW457
Processor: AMD Sempron(tm) Processor 3400+ | Socket M2 | 1802/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 71 GiB total, 16.909 GiB free.
D: is CDROM ()
I: is CDROM ()
J: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1110: 8/4/2011 12:20:14 AM - Installed DirectX
RP1111: 8/4/2011 2:00:21 PM - Removed DraftSight.
RP1112: 8/4/2011 2:05:17 PM - Removed Microsoft IntelliPoint 5.2
RP1113: 8/4/2011 4:10:49 PM - Software Distribution Service 3.0
RP1114: 8/9/2011 9:41:24 AM - Installed Spears® Product Price Schedule
RP1115: 8/10/2011 12:02:59 PM - Software Distribution Service 3.0
RP1116: 8/11/2011 12:47:08 PM - Restore Operation
RP1117: 8/11/2011 1:08:44 PM - Restore Operation
RP1118: 8/11/2011 2:16:08 PM - Software Distribution Service 3.0
RP1119: 8/13/2011 7:34:25 PM - System Checkpoint
.
==== Installed Programs ======================
.
7300
7300_Help
7300Trb
Acrobat.com
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
AiO_Scan
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Autodesk 3ds Max Design 2009 32-bit
Autodesk 3ds Max Design 2009 32-bit Additional Maps and Material Libraries
Autodesk 3ds Max Design 2009 32-bit Architectural Materials Library
Autodesk 3ds Max Design 2009 32-bit Movies
Autodesk 3ds Max Design 2009 32-bit ProMaterials™ Library
Autodesk 3ds Max Design 2009 32-bit Vault 2008 Plug-In
Autodesk 3ds Max Design 2009 32-bit Vault 2009 Plug-In
Autodesk Backburner 2008.1
Avira AntiVir Personal - Free Antivirus
Bluerock Technologies Flight Studio 3ds Max Design 2009 32-bit
Bonjour
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
BufferChm
CD-DVD Printer Application
Copy
Corel DESIGNER Technical Suite X5
Corel DESIGNER Technical Suite X5 - EN
Corel DESIGNER Technical Suite X5 - IPM
Corel DESIGNER Technical Suite X5 - Setup Files
Corel Graphics - Windows Shell Extension
CorelDRAW Graphics Suite X5 - Capture
CorelDRAW Graphics Suite X5 - Common
CorelDRAW Graphics Suite X5 - Connect
CorelDRAW Graphics Suite X5 - Custom Data
CorelDRAW Graphics Suite X5 - Designer
CorelDRAW Graphics Suite X5 - Draw
CorelDRAW Graphics Suite X5 - EN
CorelDRAW Graphics Suite X5 - Filters
CorelDRAW Graphics Suite X5 - FontNav
CorelDRAW Graphics Suite X5 - PHOTO-PAINT
CorelDRAW Graphics Suite X5 - Photozoom Plugin
CorelDRAW Graphics Suite X5 - Redist
CorelDRAW Graphics Suite X5 - VBA
CorelDRAW Graphics Suite X5 - VideoBrowser
CorelDRAW Graphics Suite X5 - VSTA
CorelDRAW Graphics Suite X5 - WT
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Debugging Tools for Windows (x86)
Deep Exploration 6 CE
Destinations
Director
DocProc
DocumentViewer
E.M. Total Video Player 1.31
eDrawings for SketchUp
Fax
FBX Plugin 2009.0 for Max 2009
gBurner
Google Chrome
Google Earth
Google SketchUp 8
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Diagnostic Assistant
HP Image Zone 4.7
HP Image Zone Express
HP PSC & OfficeJet 4.2
HP Software Update
HPSystemDiagnostics
Image Resizer Powertoy for Windows XP
InstantShare
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Magic ISO Maker v5.5 (build 0265)
MagicDisc 2.7.106
Malwarebytes' Anti-Malware version 1.51.1.1800
Media Player Codec Pack 3.2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Personal Folders Backup
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Studio Tools for Applications 2.0 Runtime
Microsoft WSE 3.0 Runtime
MobileMe Control Panel
Mozilla Firefox 5.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
NETGEAR WPN311 Wireless Adapter
NVIDIA Drivers
Overland
PhotoGallery
PrintScreen
ProductContext
QFolder
QuickProjects
QuickTime
Readme
Rosetta Stone Version 3
Safari
Scan
ScannerCopy
 
attach2

Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
 
attach final

Serif Premium Template Pack 1 for WebPlus
Serif WebPlus X4
Serif WebPlus X4 Resources
SigmaTel Audio
SkinsHP1
System Requirements Lab
TrayApp
TuneUp Companion 1.8.0
Turbo Squid Tentacles 3ds Max 2009 32-bit
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2586924)
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual Basic for Applications (R) Core
Visual Basic for Applications (R) Core - English
Vuze
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8 Release Candidate 1
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
8/14/2011 3:53:45 PM, error: Service Control Manager [7034] - The Advanced SystemCare Service service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The HID Input Service service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Fast User Switching Compatibility service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 6:59:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Live ID Sign-in Assistant service to connect.
8/13/2011 6:59:56 PM, error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/12/2011 9:44:40 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
8/12/2011 9:29:45 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
8/12/2011 9:29:45 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 7 time(s).
8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 7 time(s).
8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 7 time(s).
8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 7 time(s).
8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 7 time(s).
8/12/2011 4:42:47 PM, error: Service Control Manager [7031] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/12/2011 4:42:47 PM, error: Service Control Manager [7031] - The Windows Time service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/12/2011 4:42:47 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/12/2011 11:26:01 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 9 time(s).
8/12/2011 11:26:01 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 9 time(s).
8/12/2011 11:14:50 PM, error: Service Control Manager [7034] - The MS Software Shadow Copy Provider service terminated unexpectedly. It has done this 1 time(s).
8/11/2011 3:19:45 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
8/11/2011 3:19:45 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
8/11/2011 3:19:45 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/11/2011 11:43:00 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 2 time(s).
8/11/2011 11:43:00 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 2 time(s).
8/11/2011 11:43:00 PM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
8/11/2011 1:05:10 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
.
==== End Of File ===========================
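An added example, not part of the original posts: the Service Control Manager lines in the Event Viewer section above are worth more than a glance, because one crash of a shared svchost.exe host process produces one 7034 (or 7031, when a recovery action is scheduled) event per hosted service, all with the same timestamp. On XP every service in the 9:18:42 PM burst (Workstation, Server, NLA, DHCP Client, Cryptographic Services, COM+ Event System, and the rest) runs in the netsvcs svchost.exe instance, so that burst is what a single crash of that process looks like, and it sits well with the svchost.exe CPU complaint. The script below groups terminations by timestamp over a subset of the lines copied from the log above; the regex and the three-service threshold are assumptions.

```python
"""Spot a shared-host service crash in Service Control Manager events.

Added example, not part of the original thread. SAMPLE_LOG is a subset of
the DDS "Event Viewer Messages" lines posted above; the threshold is an
assumption chosen to ignore the ordinary crash of one standalone service.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
8/14/2011 3:53:45 PM, error: Service Control Manager [7034] - The Advanced SystemCare Service service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 9:18:42 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
8/13/2011 6:59:56 PM, error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 7 time(s).
8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 7 time(s).
8/12/2011 4:42:47 PM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 7 time(s).
8/12/2011 4:42:47 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/12/2011 11:14:50 PM, error: Service Control Manager [7034] - The MS Software Shadow Copy Provider service terminated unexpectedly. It has done this 1 time(s).
"""

# 7034 = terminated unexpectedly; 7031 = terminated unexpectedly with a
# recovery action scheduled. Either way the hosting process died.
TERMINATION_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), error: "
    r"Service Control Manager \[(?P<id>7034|7031)\] - The (?P<svc>.+?) service "
    r"terminated unexpectedly"
)

def parse_terminations(text):
    """Yield (timestamp, service name) for every 7031/7034 termination line."""
    for line in text.splitlines():
        m = TERMINATION_RE.match(line)
        if m:
            yield m.group("ts"), m.group("svc")

def find_bursts(text, min_services=3):
    """Group terminations by timestamp and return only the bursts.

    Several distinct services dying in the same second is the signature of
    one shared host process (an svchost.exe group) crashing; a lone 7034 is
    just one service falling over. Threshold assumed: 3 distinct services.
    """
    by_ts = defaultdict(set)
    for ts, svc in parse_terminations(text):
        by_ts[ts].add(svc)
    return {ts: sorted(svcs) for ts, svcs in by_ts.items()
            if len(svcs) >= min_services}

if __name__ == "__main__":
    for ts, svcs in sorted(find_bursts(SAMPLE_LOG).items()):
        print(f"{ts}: {len(svcs)} services died together -> {', '.join(svcs)}")
```

On the sample this reports two bursts, 8/13 9:18:42 PM and 8/12 4:42:47 PM, and ignores the single Advanced SystemCare and Shadow Copy Provider crashes; the 7000 start-failure line is not a termination and is skipped.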
 
Svchost

The Malwarebytes update may have handled the svchost.exe issue. I can actually use the machine.
 
Seriously?

I explained my connectivity situation, followed by 9 pages of logs.
That is prior to my "three 1-line messages", one of which was thanking you. Can you help?
 
I am connected. Pages come up fine until I hit 'submit reply' posting the logs.
The page says no connectivity only for that operation; everything else is fine.
So this morning I tried again, and the same thing happened. I did cut up the log file and it worked a couple of times, as you can see. No connectivity seems like a crazy response for having too many characters. You have not heard of this before?

If you're timing out while posting, please contact your ISP. "Too many characters" doesn't time you out. If you are on some type of contract with your ISP for limited bandwidth use, that could explain it. But again, it's between you and the ISP.

I am connected. Pages come up fine until I hit 'submit reply' posting the logs.
The page says no connectivity only for that operation; everything else is fine.

Looking at the logs you've posted, they are not exceeding the character limit for TechSpot. You do not have to put each log in a separate post. As long as you define the end of one log and the beginning of the next log, there is character space you are not using.

If you are on a limited bandwidth, try doing as much as you can by using Work Offline in the browser File menu.
========================================
You have used one post to tell me this:
The Malwarebytes update may have handled the svchost.exe issue. I can actually use the machine.
Then another to tell me this:
that was a lie

Neither one of these posts gives me any information.
========================================
Please run this: Bootkit Remover:

Download bootkitremover.rar and save to your desktop.
  1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
  2. Double-click on the remover.exe file to run the program.
    (Vista/7 users, right-click on remover.exe and click Run As Administrator.)
  3. You will see a black screen with data
  4. Right click on the screen and click Select All.
  5. Press CTRL+C
  6. Open a Notepad and press CTRL+V
  7. Paste the output in your next reply.
=====================================
Results should be one of the following:
  • OK (DOS/Win32 Boot code found)
    - MBR boot code is clean.
  • Unknown boot code
    - MBR boot code is modified. This practically corresponds to either
    an active bootkit infection, or a custom boot manager installed (such
    as GRUB).
  • Controlled by rootkit!
    - a bootkit with self-hiding capabilities is detected.
==============================================
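An added example, not the eSage Lab tool's code, to make the three verdicts above concrete. The master boot record is one 512-byte sector: boot code in bytes 0-439, the 4-byte disk signature at 440, four 16-byte partition entries from 446, and the 0x55AA signature at 510. "OK" means the code bytes match the stock loader, "Unknown boot code" means they do not (bootkit or a legitimate boot manager such as GRUB), and "Controlled by rootkit!" means the sector the OS hands back differs from what is really on the platter, which is how a self-hiding bootkit's filter driver behaves. The sample sectors, the reference hash and the "OS view versus raw view" model are assumptions; the partition start LBA is chosen so the decoded byte offset reproduces the C: offset the tool reports in the output posted below.

```python
"""Classify MBR boot code the way the three Bootkit Remover verdicts do.

Added example, not the eSage Lab tool's code. The sample sectors, the
reference hash, and the "OS view vs. raw view" model of a self-hiding
bootkit are assumptions made for illustration.
"""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440        # bytes 0..439: boot code
DISK_SIG_OFF = 440    # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446  # four 16-byte partition entries
SIG_OFF = 510         # 0x55 0xAA

def build_mbr(boot_code, disk_sig, partitions):
    """Construct a sample sector from boot code (<= 440 bytes), a disk
    signature and up to four (bootable, type, start_lba, sectors) tuples."""
    if len(boot_code) > CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition table too large")
    mbr = bytearray(boot_code.ljust(CODE_LEN, b"\x00"))
    mbr += struct.pack("<I", disk_sig) + b"\x00\x00"
    for bootable, ptype, start, count in partitions:
        # CHS fields are meaningless on LBA disks and are left zero.
        mbr += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                           b"\x00" * 3, ptype, b"\x00" * 3, start, count)
    mbr += b"\x00" * (16 * (4 - len(partitions)))
    mbr += b"\x55\xAA"
    return bytes(mbr)

def parse_partitions(mbr):
    """Decode the non-empty partition entries; reject a sector without the
    boot signature."""
    if len(mbr) != SECTOR or mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"bootable": flag == 0x80, "type": ptype,
                            "start_lba": start, "sectors": count,
                            "byte_offset": start * SECTOR})
    return entries

def boot_code_hash(mbr):
    """Hash only the code bytes: the disk signature differs per machine and
    the partition table legitimately changes, so neither belongs in the
    comparison."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()

def classify(known_good_hash, os_view, raw_view):
    """os_view: the sector as read through the normal disk stack, which a
    bootkit's filter driver can answer with a clean copy; raw_view: the
    same sector read by a path the rootkit does not intercept. A mismatch
    is the self-hiding case; otherwise the code is either the known loader
    or something unrecognised (a bootkit or a custom boot manager)."""
    if os_view != raw_view:
        return "Controlled by rootkit!"
    if boot_code_hash(raw_view) == known_good_hash:
        return "OK (DOS/Win32 Boot code found)"
    return "Unknown boot code"

# Constructed samples. CLEAN_BOOT stands in for the stock Windows loader
# (it is not the real code); 0x07 is NTFS; start LBA 80325 reproduces the
# C: offset 0x02738a00 that the tool reports in the output posted below.
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"STOCK-LOADER"
HOOKED_BOOT = b"\xEB\xFE" + b"INT13H-HOOK"
PARTS = [(True, 0x07, 80325, 155_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT, 0x1234ABCD, PARTS)
BOOTKIT_MBR = build_mbr(HOOKED_BOOT, 0x1234ABCD, PARTS)
KNOWN_GOOD = boot_code_hash(CLEAN_MBR)   # baseline taken from a clean system

if __name__ == "__main__":
    for p in parse_partitions(CLEAN_MBR):
        print(f"partition type 0x{p['type']:02x} at LBA {p['start_lba']} "
              f"(byte offset 0x{p['byte_offset']:08x})")
    for label, os_v, raw_v in [("clean", CLEAN_MBR, CLEAN_MBR),
                               ("patched, not hiding", BOOTKIT_MBR, BOOTKIT_MBR),
                               ("patched and hiding", CLEAN_MBR, BOOTKIT_MBR)]:
        print(f"{label}: {classify(KNOWN_GOOD, os_v, raw_v)}")
```

The point of hashing only bytes 0-439 is that a clean machine's MBR still differs from another clean machine's in the disk signature and partition table; comparing the whole sector would flag every disk as modified. The hiding check is the one that matters for this thread: a bootkit that patches the loader but does not filter disk reads only earns "Unknown boot code", while one that hands the OS a clean copy is caught by the raw-read mismatch.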
 
remover

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02738a00

Size    Device Name           MBR Status
--------------------------------------------
74 GB   \\.\PhysicalDrive0    Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT
  • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
  • In the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click on fix.bat to run.
    You may see a black box appear; this is normal.
  • When done, run remover.exe again and post its output.

 