PDA

View Full Version : Can't access AV servers or do Win Restore


rjs483374
2010-08-10, 14:14
I believe I have a very subtle virus. It won't allow any AV software to access it's virus database servers. Nor can I restore from a Windows backup. If it weren't for Windows Security Center alerting me to the fact that my AV software is out-of-date, I wouldn't know that anything is wrong. Initially, SBS&D found malware and cleaned it up. But, that didn't change any of the symptoms I have found. It now reports all-OK. Here's the DDS log you require.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Richard at 7:48:23.12 on Tue 08/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.439 [GMT -4:00]


============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\AMSG\amsg.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SMSC\SetIcon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digiportal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Digiportal Software\ChoiceMail\ChoiceMail.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Digiportal Software\ChoiceMail\IzyMail.exe
C:\Documents and Settings\Richard\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://webmail.nc.rr.com/do/logout?l=en-US&v=standard
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ChoiceMail] "c:\program files\digiportal software\choicemail\ChoiceMail.exe"
uRun: [QuickenBillminder] c:\program files\quicken\Billmind.exe
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cookienator] "c:\program files\pc world programs\cookienator\cookienator.exe" /auto
uRun: [\\USC-PC\EPSON Stylus Photo RX680 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticja.exe /fu "c:\docume~1\richard\locals~1\temp\E_S77.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [amsg] c:\progra~1\thinkv~2\amsg\amsg.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [ControlCenter] "c:\program files\thinkvantage fingerprint software\ctlcntr.exe" /startup
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [AMSG] c:\progra~1\thinkv~2\amsg\amsg.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [SetIcon] \Program Files\SMSC\SetIcon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [<NO NAME>]
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [amsg] c:\progra~1\thinkv~2\amsg\amsg.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psfus.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Notification Packages = scecli ACGina csspwntfy
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.15.135 USCMobile

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richard\applic~1\mozilla\firefox\profiles\5m8omcu1.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\richard\application data\mozilla\firefox\profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\documents and settings\richard\application data\mozilla\firefox\profiles\5m8omcu1.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\richard\application data\mozilla\firefox\profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2006-8-21 6912]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-9-28 19504]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-8-2 3968]
R2 SmiHlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-7-12 3328]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\18.tmp --> c:\windows\system32\18.tmp [?]

=============== Created Last 30 ================

2010-08-06 12:10:31 0 dc----w- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-08-06 02:31:16 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-04 17:55:58 0 d-----w- c:\docume~1\richard\applic~1\SafeReturner
2010-08-04 17:55:52 0 d-----w- c:\program files\Safe Returner
2010-08-04 14:28:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-21 14:49:00 0 d-----w- c:\program files\Sophos
2010-07-19 21:17:50 69 ----a-w- c:\windows\system32\32414875.bat

==================== Find3M ====================

2010-08-08 04:00:01 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-01-03 19:19:08 5031168 ----a-w- c:\program files\common files\lpuninstall.exe
2008-12-30 22:51:01 32768 -csh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008123020081231\index.dat

============= FINISH: 7:50:02.43 ===============
Blade81
2010-08-14, 17:36
Hi,

Please post attach.txt contents too.
rjs483374
2010-08-15, 00:18
Here's the file you requested. Thanks.
Blade81
2010-08-15, 09:17
Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
rjs483374
2010-08-15, 22:25
I ran combofix per your and bleepingcomputer.com's instructions. Here are the two output files you requested. I'm just going to attach rather than paste them in the forum. If that is not OK, please let me know. FYI, combofix may have done the job; I was able to update one of the AV packages after it did it's work. The true test will come after this post when I try to install and update AVAST.
Blade81
2010-08-15, 22:37
Hi again,

I prefer log contents posted instead of attaching. Don't have to repost now but post the next requested logs contents :)

Open notepad and copy/paste the text in the quotebox below into it:



DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
FileLook::
c:\windows\system32\32414875.bat



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Get updates 9.3.2 & 9.3.3 for Adobe Reader here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).


Uninstall vulnerable Flash versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 21 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
rjs483374
2010-08-17, 20:32
Hi, phew! I think I got everything you requested. And, as you requested, I'm going to post three log files: combofix.txt, kasperskylog.txt, and dds.txt. Kaspersky found more viruses; now all I need is help getting rid of them!:)

BTW, stribune.org does not exist anymore, I had to go to bleepingcomputer.com to get my copy of ATF Cleaner.

ComboFix 10-08-15.04 - Richard 08/16/2010 9:44.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.487 [GMT -4:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Richard\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 12:33 . 2010-08-16 12:33 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\PCHealth
2010-08-15 22:45 . 2010-08-15 22:45 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-08-15 20:43 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-15 20:43 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-15 20:43 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-15 20:43 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-15 20:43 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-15 20:43 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-15 20:43 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-15 20:42 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-15 20:42 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-15 19:59 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-14 17:51 . 2010-08-14 17:51 -------- d-----w- c:\documents and settings\Richard\Application Data\Registry Mechanic
2010-08-14 17:46 . 2010-08-14 17:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-11 13:32 . 2010-08-16 02:07 63488 ----a-w- c:\documents and settings\Richard\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-11 13:32 . 2010-08-11 13:32 52224 ----a-w- c:\documents and settings\Richard\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-11 13:32 . 2010-08-16 02:07 117760 ----a-w- c:\documents and settings\Richard\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-11 13:31 . 2010-08-11 13:31 -------- d-----w- c:\documents and settings\Richard\Application Data\SUPERAntiSpyware.com
2010-08-11 13:31 . 2010-08-11 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-11 13:31 . 2010-08-11 13:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-10 11:46 . 2010-08-10 11:47 -------- d-----w- c:\program files\ERUNT
2010-08-06 12:20 . 2010-08-06 12:20 -------- d-----w- c:\program files\Alwil Software
2010-08-06 12:10 . 2010-08-06 12:10 -------- dc----w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-08-05 20:46 . 2010-08-05 20:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-08-05 20:46 . 2010-08-06 11:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\liitcmopr
2010-08-04 17:55 . 2010-08-05 20:41 -------- d-----w- c:\documents and settings\Richard\Application Data\SafeReturner
2010-08-04 17:55 . 2010-08-05 20:41 -------- d-----w- c:\program files\Safe Returner
2010-08-04 14:28 . 2010-08-04 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-21 14:49 . 2010-07-21 14:49 -------- d-----w- c:\program files\Sophos
2010-07-19 21:17 . 2010-07-19 21:17 69 ----a-w- c:\windows\system32\32414875.bat
2010-07-19 15:21 . 2010-07-12 15:32 822784 ----a-w- c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\5m8omcu1.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 23:13 . 2008-08-16 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-15 04:00 . 2006-08-09 16:10 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-08-08 20:06 . 2006-08-20 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-08 18:48 . 2006-08-20 08:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-07 17:40 . 2010-06-26 16:21 -------- d-----w- c:\documents and settings\Richard\Application Data\QuickScan
2010-08-05 20:46 . 2009-07-12 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-05 20:46 . 2006-08-20 08:42 -------- d-----w- c:\program files\Lavasoft
2010-08-04 15:41 . 2007-12-01 16:19 -------- d-----w- c:\program files\PCDR5
2010-07-14 21:02 . 2010-07-14 21:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\IBM
2010-07-11 23:28 . 2010-07-11 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-11 22:50 . 2008-06-03 17:59 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-11 22:31 . 2010-07-11 22:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-11 22:31 . 2010-07-11 22:31 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-30 12:31 . 1980-01-01 07:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 16:29 . 2010-06-26 16:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-26 16:29 . 2010-06-26 16:29 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-06-26 16:29 . 2010-06-26 16:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-26 16:29 . 2010-06-26 16:29 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-06-24 12:22 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 1980-01-01 07:00 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-22 03:46 . 2010-06-22 03:46 -------- d-----w- c:\documents and settings\NetworkService\Application Data\IBM
2010-06-21 15:27 . 1980-01-01 07:00 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-18 20:39 . 2010-06-18 20:38 -------- d-----w- c:\documents and settings\Richard\Application Data\U3
2010-06-17 14:03 . 1980-01-01 07:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-09 17:52 744448 ------w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 1980-01-01 07:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-04 12:49 . 2009-07-15 00:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-01 06:53 . 2010-06-01 06:53 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-31 20:34 . 2010-06-26 16:21 702120 ----a-w- c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-05-31 20:34 . 2010-06-26 16:21 868456 ----a-w- c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-01-03 19:19 . 2010-01-03 19:19 5031168 ----a-w- c:\program files\Common Files\lpuninstall.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\32414875.bat ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 69
Created time: 2010-07-19 21:17
Modified time: 2010-07-19 21:17
MD5: 604802586163BDC9EDA42F6A471E01AD
SHA1: FC255017A78E3EC103F73C8C8651EFFE08089C81


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"ChoiceMail"="c:\program files\Digiportal Software\ChoiceMail\ChoiceMail.exe" [2005-04-26 3518464]
"QuickenBillminder"="c:\program files\Quicken\Billmind.exe" [2006-10-27 17408]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2009-06-10 334224]
"Cookienator"="c:\program files\PC World Programs\Cookienator\cookienator.exe" [2009-10-19 1333472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"TpShocks"="TpShocks.exe" [2007-09-28 181544]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"ControlCenter"="c:\program files\ThinkVantage Fingerprint Software\ctlcntr.exe" [2005-07-12 125026]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-29 344064]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-04-27 120368]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2006-08-21 1997568]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-10 868352]
"SetIcon"="\Program Files\SMSC\SetIcon.exe" [2004-04-28 42496]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-08-01 540672]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-08 91688]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2010-1-3 5031168]
Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2010-1-3 5031168]

c:\documents and settings\Richard\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-9-2 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-4-9 221247]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2005-7-21 577597]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-1 50688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-07-12 16:45 109664 ------w- c:\program files\ThinkVantage Fingerprint Software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 04:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChoiceMail]
2005-04-26 02:10 3518464 ------w- c:\program files\Digiportal Software\ChoiceMail\ChoiceMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"= c:\\WINDOWS\\System32\\mmc.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\java.exe"=
"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMail.exe"=
"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\IzyMail.exe"=
"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\WebMailSetupWizard.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [8/21/2006 5:04 AM 6912]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [9/28/2007 8:28 PM 19504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/15/2010 4:43 PM 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/15/2010 4:43 PM 17744]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 5:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/2/2005 8:47 PM 3968]
R2 SmiHlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [7/12/2005 12:37 PM 3328]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\18.tmp --> c:\windows\system32\18.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\Billminder.job
- c:\program files\Quicken\billmind.exe [2004-07-17 02:21]

2010-08-03 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-09 09:19]

2006-08-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-08-09 00:32]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.nc.rr.com/do/logout?l=en-US&v=standard
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: intuit.com\ttlc
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\5m8omcu1.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\5m8omcu1.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 09:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\18.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkVantage Fingerprint Software\ExtVapi.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\program files\Common Files\Virtual Token\resmgr.dll
c:\program files\Common Files\Virtual Token\Remote.dll
c:\program files\Common Files\Virtual Token\passport.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psfus.dll
c:\windows\system32\tphklock.dll
c:\program files\Common Files\Virtual Token\psdlg.dll
c:\program files\Common Files\Virtual Token\config.dll
c:\program files\Common Files\Virtual Token\LocPass.dll
c:\program files\Common Files\Virtual Token\SBioPass.dll

- - - - - - - > 'Explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-16 09:52:37
ComboFix-quarantined-files.txt 2010-08-16 13:52

Pre-Run: 122,486,464,512 bytes free
Post-Run: 122,490,916,864 bytes free

- - End Of File - - 53A2EB7505BF6DD1007181AA5D72F9B3

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 16, 2010 14:06:36
Records in database: 4133591
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 123982
Threats found: 10
Infected objects found: 13
Suspicious objects found: 0
Scan duration: 11:23:37


File name / Threat / Threats count
C:\Documents and Settings\LocalService\Application Data\IBM\Java\Deployment\cache\javapi\v1.0\jar\des.jar-7fcabe2b-5a71a85a.zip Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Documents and Settings\LocalService\Application Data\IBM\Java\Deployment\cache\javapi\v1.0\jar\des.jar-7fcabe2b-5a71a85a.zip Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Documents and Settings\LocalService\Application Data\IBM\Java\Deployment\cache\javapi\v1.0\jar\des.jar-7fcabe2b-5a71a85a.zip Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\risdptsk.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP691\A0062688.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.br 1
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP724\A0069438.exe Infected: Trojan.Win32.FraudPack.bbsu 1
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP724\A0069511.exe Infected: Trojan.Win32.FraudPack.bbsu 1
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP737\A0071755.sys Infected: Virus.Win32.TDSS.b 1
E:\Richard's Documents\Downloads\freeripmp3.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.br 1
E:\Richard's Documents\Downloads\My Old Downloads\InboxScreensaver.exe Infected: not-a-virus:AdWare.Win32.WebSearch.bv 1
E:\Richard's Documents\Downloads\My Old Downloads\Other Apps\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
E:\Richard's Documents\Downloads\My Old Downloads\Other Apps\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
E:\Richard's Documents\Downloads\My Old Downloads\Security Apps\cain_and_abel_password_cracker_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1

Selected area has been scanned.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Richard at 14:17:16.00 on Tue 08/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.562 [GMT -4:00]


============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SMSC\SetIcon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Richard\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://webmail.nc.rr.com/do/logout?l=en-US&v=standard
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ChoiceMail] "c:\program files\digiportal software\choicemail\ChoiceMail.exe"
uRun: [QuickenBillminder] c:\program files\quicken\Billmind.exe
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [Cookienator] "c:\program files\pc world programs\cookienator\cookienator.exe" /auto
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [ControlCenter] "c:\program files\thinkvantage fingerprint software\ctlcntr.exe" /startup
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [SetIcon] \Program Files\SMSC\SetIcon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psfus.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richard\applic~1\mozilla\firefox\profiles\5m8omcu1.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\richard\application data\mozilla\firefox\profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\documents and settings\richard\application data\mozilla\firefox\profiles\5m8omcu1.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\richard\application data\mozilla\firefox\profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2006-8-21 6912]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-9-28 19504]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-8-2 3968]
R2 SmiHlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-7-12 3328]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswSP;aswSP; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\18.tmp --> c:\windows\system32\18.tmp [?]

=============== Created Last 30 ================

2010-08-16 19:41:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-16 19:41:11 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 19:59:58 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-15 17:13:37 0 d-sha-r- C:\cmdcons
2010-08-15 17:11:11 77312 ----a-w- c:\windows\MBR.exe
2010-08-15 17:11:11 256512 ----a-w- c:\windows\PEV.exe
2010-08-15 17:11:10 98816 ----a-w- c:\windows\sed.exe
2010-08-15 17:11:10 161792 ----a-w- c:\windows\SWREG.exe
2010-08-14 17:51:02 0 d-----w- c:\docume~1\richard\applic~1\Registry Mechanic
2010-08-11 13:31:33 0 d-----w- c:\docume~1\richard\applic~1\SUPERAntiSpyware.com
2010-08-11 13:31:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-11 13:31:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-06 12:10:31 0 dc----w- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-08-04 17:55:58 0 d-----w- c:\docume~1\richard\applic~1\SafeReturner
2010-08-04 17:55:52 0 d-----w- c:\program files\Safe Returner
2010-08-04 14:28:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-21 14:49:00 0 d-----w- c:\program files\Sophos
2010-07-19 21:17:50 69 ----a-w- c:\windows\system32\32414875.bat

==================== Find3M ====================

2010-08-15 04:00:00 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 21:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\dllcache\srv.sys
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll
2010-01-03 19:19:08 5031168 ----a-w- c:\program files\common files\lpuninstall.exe
2008-12-30 22:51:01 32768 -csh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008123020081231\index.dat

============= FINISH: 14:18:22.78 ===============
Blade81
2010-08-17, 20:45
Hi,

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Delete these files:
c:\windows\system32\32414875.bat
C:\Documents and Settings\LocalService\Application Data\IBM\Java\Deployment\cache\javapi\v1.0\jar\des.jar-7fcabe2b-5a71a85a.zip
E:\Richard's Documents\Downloads\freeripmp3.exe
E:\Richard's Documents\Downloads\My Old Downloads\InboxScreensaver.exe
E:\Richard's Documents\Downloads\My Old Downloads\Security Apps\cain_and_abel_password_cracker_setup.exe

How's the system running?
rjs483374
2010-08-18, 13:55
Deleted all the files you requested. I was hopeful until I installed AVAST 5 again. It is still being blocked from accessing it's virus database servers! I was able to access the database servers for Spybot and SUPERAntiSspyware. Both found additional viruses. Spybot found: Fraud.AVSecuritySuite (2 registry entries) and Win32.IRCBot.auf (1 browser setting). SUPERAntiSpyware found a bunch of infected files in C:\IBMWORK directories. Both apps deleted the infected files, which didn't change the blocked virus database servers problem. So, I think that I'm still infected.
Blade81
2010-08-18, 19:38
Hi,


I was hopeful until I installed AVAST 5 again. It is still being blocked from accessing it's virus database servers!
Any error message?

Post fresh dds logs contents, please.
rjs483374
2010-08-18, 23:09
Message just says "unable to connect to server." All of the other PCs on my network can connect to the same server OK. So I believe it's the virus blocking it. All of the things you've asked me to do seemed to discover and remove stuff, but apparently they aren't to the root of the infection.
Blade81
2010-08-19, 06:16
Post fresh dds logs as requested, please.
rjs483374
2010-08-19, 13:41
Sorry, I totally overlooked this request. Here they are:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Richard at 7:35:50.93 on Thu 08/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.435 [GMT -4:00]


============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SMSC\SetIcon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Digiportal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Digiportal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Digiportal Software\ChoiceMail\IzyMail.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Documents and Settings\Richard\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://webmail.nc.rr.com/do/logout?l=en-US&v=standard
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [ChoiceMail] "c:\program files\digiportal software\choicemail\ChoiceMail.exe"
uRun: [QuickenBillminder] c:\program files\quicken\Billmind.exe
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [Cookienator] "c:\program files\pc world programs\cookienator\cookienator.exe" /auto
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [ControlCenter] "c:\program files\thinkvantage fingerprint software\ctlcntr.exe" /startup
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [SetIcon] \Program Files\SMSC\SetIcon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psfus.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richard\applic~1\mozilla\firefox\profiles\5m8omcu1.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\richard\application data\mozilla\firefox\profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\documents and settings\richard\application data\mozilla\firefox\profiles\5m8omcu1.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\richard\application data\mozilla\firefox\profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2006-8-21 6912]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-9-28 19504]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-8-2 3968]
R2 SmiHlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-7-12 3328]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\18.tmp --> c:\windows\system32\18.tmp [?]

=============== Created Last 30 ================

2010-08-16 19:41:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-16 19:41:11 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 19:59:58 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-15 17:13:37 0 d-sha-r- C:\cmdcons
2010-08-15 17:11:11 77312 ----a-w- c:\windows\MBR.exe
2010-08-15 17:11:11 256512 ----a-w- c:\windows\PEV.exe
2010-08-15 17:11:10 98816 ----a-w- c:\windows\sed.exe
2010-08-15 17:11:10 161792 ----a-w- c:\windows\SWREG.exe
2010-08-14 17:51:02 0 d-----w- c:\docume~1\richard\applic~1\Registry Mechanic
2010-08-11 13:31:33 0 d-----w- c:\docume~1\richard\applic~1\SUPERAntiSpyware.com
2010-08-11 13:31:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-11 13:31:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-06 12:10:31 0 dc----w- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-08-04 17:55:58 0 d-----w- c:\docume~1\richard\applic~1\SafeReturner
2010-08-04 17:55:52 0 d-----w- c:\program files\Safe Returner
2010-08-04 14:28:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-21 14:49:00 0 d-----w- c:\program files\Sophos

==================== Find3M ====================

2010-08-15 04:00:00 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 21:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\dllcache\srv.sys
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll
2010-01-03 19:19:08 5031168 ----a-w- c:\program files\common files\lpuninstall.exe
2008-12-30 22:51:01 32768 -csh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008123020081231\index.dat

============= FINISH: 7:36:38.51 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/19/2006 4:33:37 AM
System Uptime: 8/18/2010 1:27:40 PM (18 hours ago)

Motherboard: IBM | | 2531MTU
Processor: Intel(R) Pentium(R) M processor 2.00GHz | None | 1995/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 196 GiB total, 113.972 GiB free.
D: is CDROM (UDF)
E: is FIXED (NTFS) - 97 GiB total, 90.707 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP654: 5/21/2010 10:51:05 AM - System Checkpoint
RP655: 5/22/2010 11:28:35 AM - System Checkpoint
RP656: 5/23/2010 11:29:55 AM - System Checkpoint
RP657: 5/24/2010 12:29:55 PM - System Checkpoint
RP658: 5/25/2010 1:29:56 PM - System Checkpoint
RP659: 5/26/2010 3:00:22 AM - Software Distribution Service 3.0
RP660: 5/27/2010 3:29:57 AM - System Checkpoint
RP661: 5/28/2010 3:30:20 AM - System Checkpoint
RP662: 5/29/2010 4:30:18 AM - System Checkpoint
RP663: 5/30/2010 5:30:17 AM - System Checkpoint
RP664: 5/31/2010 6:30:17 AM - System Checkpoint
RP665: 6/1/2010 6:42:18 AM - System Checkpoint
RP666: 6/1/2010 10:06:57 PM - Restore Operation
RP667: 6/1/2010 10:11:27 PM - Restore Operation
RP668: 6/2/2010 10:19:40 PM - System Checkpoint
RP669: 6/3/2010 10:52:45 PM - System Checkpoint
RP670: 6/4/2010 11:24:15 PM - System Checkpoint
RP671: 6/5/2010 11:48:59 PM - System Checkpoint
RP672: 6/7/2010 12:48:57 AM - System Checkpoint
RP673: 6/8/2010 1:48:57 AM - System Checkpoint
RP674: 6/9/2010 2:44:22 AM - System Checkpoint
RP675: 6/10/2010 3:44:26 AM - System Checkpoint
RP676: 6/11/2010 4:44:26 AM - System Checkpoint
RP677: 6/12/2010 5:44:28 AM - System Checkpoint
RP678: 6/16/2010 9:42:44 PM - System Checkpoint
RP679: 6/17/2010 9:46:19 PM - System Checkpoint
RP680: 6/18/2010 10:46:20 PM - System Checkpoint
RP681: 6/19/2010 11:47:25 PM - System Checkpoint
RP682: 6/21/2010 12:11:45 AM - System Checkpoint
RP683: 6/22/2010 12:23:29 AM - System Checkpoint
RP684: 6/23/2010 1:23:31 AM - System Checkpoint
RP685: 6/25/2010 10:20:54 PM - System Checkpoint
RP686: 6/26/2010 3:40:56 PM - Spybot-S&D Spyware removal
RP687: 6/27/2010 4:31:30 PM - System Checkpoint
RP688: 6/28/2010 11:07:05 AM - Spybot-S&D Spyware removal
RP689: 6/29/2010 11:23:19 AM - System Checkpoint
RP690: 6/29/2010 4:18:52 PM - Spybot-S&D Spyware removal
RP691: 7/1/2010 4:59:31 PM - Spybot-S&D Spyware removal
RP692: 7/2/2010 9:04:33 PM - System Checkpoint
RP693: 7/3/2010 11:06:37 PM - System Checkpoint
RP694: 7/4/2010 11:38:26 PM - System Checkpoint
RP695: 7/6/2010 12:01:21 AM - System Checkpoint
RP696: 7/7/2010 1:01:23 AM - System Checkpoint
RP697: 7/8/2010 2:01:20 AM - System Checkpoint
RP698: 7/9/2010 3:01:22 AM - System Checkpoint
RP699: 7/10/2010 3:07:29 AM - System Checkpoint
RP700: 7/11/2010 4:07:30 AM - System Checkpoint
RP701: 7/12/2010 4:30:32 AM - System Checkpoint
RP702: 7/13/2010 5:01:04 AM - System Checkpoint
RP703: 7/14/2010 12:25:53 PM - System Checkpoint
RP704: 7/16/2010 5:25:55 PM - System Checkpoint
RP705: 7/17/2010 5:35:23 PM - System Checkpoint
RP706: 7/18/2010 6:00:45 PM - System Checkpoint
RP707: 7/20/2010 2:03:52 PM - System Checkpoint
RP708: 7/21/2010 10:01:21 PM - System Checkpoint
RP709: 7/22/2010 10:32:01 PM - System Checkpoint
RP710: 7/23/2010 11:30:55 PM - System Checkpoint
RP711: 7/26/2010 2:34:27 PM - System Checkpoint
RP712: 7/27/2010 2:45:43 PM - System Checkpoint
RP713: 7/28/2010 3:04:31 PM - System Checkpoint
RP714: 7/29/2010 4:18:54 PM - System Checkpoint
RP715: 7/30/2010 5:14:07 PM - System Checkpoint
RP716: 7/31/2010 6:16:38 PM - System Checkpoint
RP717: 8/1/2010 6:49:36 PM - System Checkpoint
RP718: 8/2/2010 7:50:37 PM - System Checkpoint
RP719: 8/3/2010 7:50:53 PM - System Checkpoint
RP720: 8/4/2010 10:28:23 AM - avast! Free Antivirus Setup
RP721: 8/4/2010 1:28:34 PM - avast! Free Antivirus Setup
RP722: 8/5/2010 4:03:14 PM - Restore Operation
RP723: 8/5/2010 4:07:44 PM - Restore Operation
RP724: 8/5/2010 6:49:28 PM - Restore Operation
RP725: 8/6/2010 8:20:30 AM - avast! Free Antivirus Setup
RP726: 8/7/2010 12:34:55 PM - System Checkpoint
RP727: 8/7/2010 1:24:08 PM - avast! Free Antivirus Setup
RP728: 8/8/2010 2:01:28 PM - System Checkpoint
RP729: 8/8/2010 6:59:53 PM - avast! Free Antivirus Setup
RP730: 8/8/2010 8:08:30 PM - avast! Free Antivirus Setup
RP731: 8/9/2010 4:18:25 PM - avast! Free Antivirus Setup
RP732: 8/10/2010 7:34:34 AM - avast! Free Antivirus Setup
RP733: 8/11/2010 7:45:49 AM - System Checkpoint
RP734: 8/12/2010 8:24:31 AM - System Checkpoint
RP735: 8/13/2010 9:20:09 AM - System Checkpoint
RP736: 8/14/2010 10:20:49 AM - System Checkpoint
RP737: 8/15/2010 12:26:07 PM - System Checkpoint
RP738: 8/15/2010 4:42:35 PM - avast! Free Antivirus Setup
RP739: 8/15/2010 6:45:00 PM - Software Distribution Service 3.0
RP740: 8/16/2010 3:23:55 PM - Removed IBM 32-bit Runtime Environment for Java 2, v1.4.2
RP741: 8/16/2010 3:25:47 PM - Software Distribution Service 3.0
RP742: 8/16/2010 3:40:44 PM - Installed Java(TM) 6 Update 21
RP743: 8/16/2010 7:58:06 PM - avast! Free Antivirus Setup
RP744: 8/17/2010 8:40:44 PM - System Checkpoint
RP745: 8/17/2010 10:38:33 PM - avast! Free Antivirus Setup
RP746: 8/17/2010 10:43:27 PM - avast! Free Antivirus Setup
RP747: 8/18/2010 11:32:00 PM - System Checkpoint

==== Installed Programs ======================


Access Help
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
APC PowerChute Personal Edition
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
Brother MFC-8890DW
Brother P-touch Editor 5.0
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
ccc-Branding
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Dutch
CCC Help English
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Swedish
ChoiceMail One Single User 3.1
Click'N Design 3D
Cookienator
DING!
DropMyRights
Eraser 5.8.7
ERUNT 1.1j
Fingerprint Tutorial
Free Create-Burn ISO Image v2.0
FreeRIP v3.1
Help Center
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB922120-v6)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
InterVideo WinDVD Creator 3
iSEEK AnswerWorks English Runtime
Java Auto Updater
Java(TM) 6 Update 21
LastPass (uninstall only)
Lenovo Battery Program
LiveUpdate 2.6 (Symantec Corporation)
Logitech Desktop Messenger
Logitech Harmony Remote Software 7
Magic ISO Maker v5.5 (build 0276)
Maintenance Manager
mCore
mDriver
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.5
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Sounds
Microsoft Office Ultimate 2007
Microsoft Office Visio 2007 Service Pack 2 (SP2)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WinUsb 1.0
mMHouse
Mozilla Firefox (3.6.8)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
Norton PartitionMagic
Norton PartitionMagic 8.0
OGA Notifier 2.0.0048.0
PC-Doctor 5 for Windows
Pretty Good Solitaire 2k
Productivity Center Supplement for ThinkPad
Quicken 2005
QuickTime
Readerware
RecordNow Audio
RecordNow Copy
RecordNow Data
Remote Control USB Driver
Remove Multimedia Center
Rescue and Recovery - Client Security Solution
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Safe Returner 1.22
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio 2007 (KB982127)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skins
Software Installer
Sonic DLA
Sonic Express Labeler
Sonic Icons for Lenovo
Sonic Update Manager
Sony Picture Utility
Sony USB Driver
Sophos Anti-Rootkit 1.5.4
SoundMAX
Spybot - Search & Destroy
SUPERAntiSpyware
System Migration Assistant
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad Presentation Director
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Fingerprint Software 4.6.0
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
TrackPoint Accessibility Features
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wnciper
TurboTax 2009 wrapper
Tweak UI
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2279264)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB 2.0 Multimedia Reader/Writer
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
vitalsource KEY 3
Wallpapers
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
XP Themes
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)

==== Event Viewer Messages From Past Week ========

8/15/2010 7:09:15 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524).
8/15/2010 6:47:54 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/15/2010 6:45:44 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
8/15/2010 6:45:44 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/15/2010 10:05:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/15/2010 10:04:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 ANC aswSP aswTdi Fips IBMTPCHK intelppm SASDIFSV SASKUTIL Smapint TDSMAPI TPHKDRV TPPWRIF TSMAPIP
8/15/2010 1:33:30 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
8/15/2010 1:20:59 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
8/15/2010 1:20:31 PM, error: ati2mtag [43034] - Unknown EDID version
8/15/2010 1:16:08 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).
8/15/2010 1:16:08 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

==== End Of File ===========================
Blade81
2010-08-19, 21:47
Hi,

Make sure firewall doesn't block Avast and try updating again.
rjs483374
2010-08-20, 14:39
Hi,

The only firewall I have running is Windows Firewall. And all of the other computers on my network are configured the same way and they don't have a problem updating AVAST virus definitions.

The error is: connecting to servers.def.vpx...failed to connect to server. The final message says the server is download931.avast.com (74.54.24.242:80).

Did the logs not show any infections?
rjs483374
2010-08-20, 15:56
Hi again,

I installed AVAST again and ran it with the virus defs it included in the installation package. It found several files infected with Win32:Alureon-FZ. I quarantined these files. I tried to download new file defs again, same error. I have to shut down the PC now, I will traveling the rest of the day. Check back with you tomorrow after I run some more scans and test downloading again. Thanks for sticking with me on this problem.:)
Blade81
2010-08-20, 22:13
Hi,

Please download MBRCheck (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log in your reply.
rjs483374
2010-08-22, 02:08
Hi, here's the report you requested:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 188):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7A90000 \WINDOWS\system32\KDCOM.DLL
0xF79A0000 \WINDOWS\system32\BOOTVID.dll
0xF7461000 ACPI.sys
0xF7A92000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7450000 pci.sys
0xF7590000 isapnp.sys
0xF79A4000 compbatt.sys
0xF79A8000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B58000 pciide.sys
0xF7810000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7432000 pcmcia.sys
0xF75A0000 MountMgr.sys
0xF7413000 ftdisk.sys
0xF7A94000 dmload.sys
0xF73ED000 dmio.sys
0xF7818000 PartMgr.sys
0xF79AC000 ACPIEC.sys
0xF7B59000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF75B0000 VolSnap.sys
0xF73D5000 atapi.sys
0xF75C0000 disk.sys
0xF75D0000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73B5000 fltmgr.sys
0xF73A3000 sr.sys
0xF738D000 DRVMCDB.SYS
0xF75E0000 PxHelp20.sys
0xF7376000 KSecDD.sys
0xF7363000 WudfPf.sys
0xF72D6000 Ntfs.sys
0xF7A96000 ANCSQ.sys
0xF72A9000 \WINDOWS\System32\drivers\NDIS.SYS
0xF728D000 Apsx86.sys
0xF7820000 ApsHM86.sys
0xF7828000 risdptsk.sys
0xF75F0000 ohci1394.sys
0xF7600000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7273000 Mup.sys
0xF7740000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7700000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6864000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6850000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6828000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF67FD000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF7908000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF67D9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7910000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF67C5000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF64A2000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xF7710000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7918000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6476000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7AD6000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7920000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7928000 \SystemRoot\system32\DRIVERS\nscirda.sys
0xF7202000 \SystemRoot\system32\DRIVERS\irenum.sys
0xF7930000 \SystemRoot\system32\DRIVERS\atmeltpm.sys
0xF71FA000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF71F6000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0xF7720000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7938000 \SystemRoot\system32\drivers\iviaspi.sys
0xF7AD8000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF7730000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7750000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6453000 \SystemRoot\system32\DRIVERS\ks.sys
0xF630F000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF7BB9000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7940000 \SystemRoot\system32\DRIVERS\rasirda.sys
0xF7948000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7790000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6AC1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF62F8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7760000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7770000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF62E7000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7780000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7950000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7958000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF62B7000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF77A0000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7960000 \SystemRoot\system32\DRIVERS\psadd.sys
0xF7ADA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF61B9000 \SystemRoot\system32\DRIVERS\update.sys
0xF6AA9000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77D0000 \SystemRoot\system32\DRIVERS\zumbus.sys
0xF77E0000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF6115000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF7800000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEE0C3000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xEE09F000 \SystemRoot\system32\drivers\portcls.sys
0xF7650000 \SystemRoot\system32\drivers\drmk.sys
0xEE088000 \SystemRoot\system32\drivers\AEAudio.sys
0xEE054000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xEDF62000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xEDEAF000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7968000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7680000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF723A000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7AF2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C7C000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AF4000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7990000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xF7840000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7848000 \SystemRoot\System32\drivers\vga.sys
0xF7AF6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AF8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7850000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7858000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF722E000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEDD6F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEDD16000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF76D0000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xEDCC8000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEDCA0000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEDC7E000 \SystemRoot\System32\drivers\afd.sys
0xF76E0000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7860000 \SystemRoot\System32\drivers\TSMAPIP.SYS
0xF7868000 \SystemRoot\System32\drivers\Tppwrif.sys
0xF7870000 \SystemRoot\System32\Drivers\TPHKDRV.SYS
0xF7878000 \SystemRoot\System32\drivers\TDSMAPI.SYS
0xF78A8000 \SystemRoot\System32\drivers\Smapint.sys
0xEDBEC000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF7880000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xEDBC1000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF7CA8000 \SystemRoot\System32\Drivers\PQNTDrv.SYS
0xEDB51000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7AFC000 \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
0xF6297000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7888000 \SystemRoot\System32\Drivers\tcusb.sys
0xEDB2A000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF6287000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF61B1000 \SystemRoot\System32\drivers\ANC.SYS
0xF78B0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF6277000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xED9E9000 \SystemRoot\System32\Drivers\Udfs.SYS
0xED9D1000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B3C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEDA12000 \SystemRoot\System32\drivers\Dxapi.sys
0xEDC6E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B91000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF057000 \SystemRoot\System32\ati2cqag.dll
0xBF0B1000 \SystemRoot\System32\atikvmag.dll
0xBF101000 \SystemRoot\System32\atiok3x2.dll
0xBF113000 \SystemRoot\System32\ati3duag.dll
0xBF3DD000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEB729000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xEDE74000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF7CBF000 \SystemRoot\System32\DLA\DLADResN.SYS
0xEB6A3000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xEB71D000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xF7AB6000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xF7CC4000 \??\C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys
0xF78B8000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xEB663000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xEB64D000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xEB55D000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xEB42F000 \SystemRoot\system32\DRIVERS\irda.sys
0xEB559000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xEB68B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEB4E5000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xEB2D8000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xF7970000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xEB1C5000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xEB048000 \SystemRoot\system32\drivers\wdmaud.sys
0xF6257000 \SystemRoot\system32\drivers\sysaudio.sys
0xF71C5000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF78A0000 \SystemRoot\system32\DRIVERS\PROCDD.SYS
0xEDDA4000 \SystemRoot\System32\drivers\aspi32.sys
0xF7B06000 \??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
0xF6F54000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7101000 \??\C:\WINDOWS\system32\drivers\ibmfilter.sys
0xF6F40000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xF6D1D000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7B1E000 \??\C:\WINDOWS\System32\drivers\pmemnt.sys
0xF706D000 \??\C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys
0xF7B8F000 \??\C:\Program Files\SMI2\smi2.sys
0xF7890000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF6BBD000 \SystemRoot\System32\Drivers\btwusb.sys
0xF78D0000 \SystemRoot\system32\DRIVERS\btport.sys
0xB998D000 \SystemRoot\system32\DRIVERS\btwdndis.sys
0xB992B000 \SystemRoot\system32\drivers\btaudio.sys
0xBA758000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 93):
0 System Idle Process
4 System
896 C:\WINDOWS\system32\smss.exe
948 csrss.exe
976 C:\WINDOWS\system32\winlogon.exe
1024 C:\WINDOWS\system32\services.exe
1036 C:\WINDOWS\system32\lsass.exe
1204 C:\Program Files\Common Files\Virtual Token\vtserver.exe
1220 C:\WINDOWS\system32\ibmpmsvc.exe
1252 C:\WINDOWS\system32\ati2evxx.exe
1268 C:\WINDOWS\system32\svchost.exe
1360 svchost.exe
1400 C:\WINDOWS\system32\svchost.exe
1432 C:\WINDOWS\system32\svchost.exe
1512 C:\WINDOWS\system32\ati2evxx.exe
1620 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1672 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1760 svchost.exe
1956 svchost.exe
508 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
924 C:\WINDOWS\system32\spoolsv.exe
384 C:\WINDOWS\explorer.exe
1292 svchost.exe
1788 C:\WINDOWS\system32\IPSSVC.EXE
1800 C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
1832 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
1892 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1720 C:\WINDOWS\system32\TpShocks.exe
2076 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
2128 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
2144 C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
2256 C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
2264 C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
2288 svchost.exe
2296 C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.EXE
2344 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
2368 C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
2456 C:\WINDOWS\system32\svchost.exe
2504 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
2532 C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
2544 C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
2576 C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
2664 C:\WINDOWS\system32\rundll32.exe
2680 C:\Program Files\Java\jre6\bin\jqs.exe
2856 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2912 C:\Program Files\SMSC\SetIcon.exe
2920 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
2932 C:\WINDOWS\system32\rundll32.exe
3008 C:\WINDOWS\system32\svchost.exe
3128 C:\Program Files\Lenovo\System Update\SUService.exe
3140 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
3240 C:\WINDOWS\system32\dla\DLACTRLW.EXE
3300 C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
3392 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
3396 C:\Program Files\Analog Devices\Core\smax4pnp.exe
3480 C:\Program Files\Zune\ZuneLauncher.exe
3620 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3640 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
3732 C:\WINDOWS\system32\TPHDEXLG.exe
3764 C:\WINDOWS\system32\TpKmpSvc.exe
3860 ibmtcsd.exe
3964 C:\Program Files\Digiportal Software\ChoiceMail\ChoiceMail.exe
4004 C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
4068 C:\Program Files\Eraser\Eraser.exe
4080 C:\Program Files\Digiportal Software\ChoiceMail\ChoiceMail.exe
612 C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
672 C:\WINDOWS\system32\searchindexer.exe
604 C:\Program Files\Windows Media Player\wmpnscfg.exe
1608 wmiprvse.exe
2220 C:\WINDOWS\system32\ZuneBusEnum.exe
2596 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
2608 C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
2640 C:\WINDOWS\system32\ctfmon.exe
2760 C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
3092 wmpnetwk.exe
3692 C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
3856 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
3912 C:\WINDOWS\system32\wscntfy.exe
268 C:\Program Files\Digital Line Detect\DLG.exe
2712 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
3688 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
4112 C:\Program Files\Southwest Airlines\Ding\Ding.exe
4296 C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
4564 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
4624 alg.exe
4900 C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
5304 C:\Program Files\Digiportal Software\ChoiceMail\IzyMail.exe
5628 C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
1508 C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
5564 C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
2652 C:\WINDOWS\system32\searchprotocolhost.exe
2648 searchfilterhost.exe
5528 C:\Documents and Settings\Richard\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000032`452a4000 (NTFS)

PhysicalDrive0 Model Number: ST9320421AS, Rev: SD13

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 5187B93741D304E81260A9667239F6D3996602E7


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
Blade81
2010-08-22, 09:26
Hi,

1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format).
rjs483374
2010-08-22, 19:56
Hi,

I ran tdsskiller as instructed. It didn't find any infections, but, being suspcious, I checked the log file and didn't see any indication that the boot record had been scanned. So I unchecked the drivers, leaving only the boot record checked. As I suspected, it did not scan the boot record at all; I guess that the virus blocked it from running! So, I didn't think that you wanted to see the log file; if you do, just let me know and I will post it. Might it run from safe mode?
Blade81
2010-08-22, 22:03
Hi,

Re-run MBRCheck again.
When prompted, enter Y
Then enter 1 to dump the MBR to physical disk
Name the dumped file as Dump.dat

Enter -1 to exit

A log file named dump.dat will be located in the same folder as MBRCheck was saved, please zip it up and upload here (http://www.bleepingcomputer.com/submit-malware.php?channel=76).

Kindly include a link to this topic in the message.
rjs483374
2010-08-23, 05:00
Hi, I dumped the data into the attached zip file dumpdata.zip. The process was a little different than you instructed, but I think I reached the same result. Please let me know if it doesn't contain the info you need.
Blade81
2010-08-23, 17:57
Hi,

I'll get the dump checked. Meanwhile, could you try out Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html), please?
Blade81
2010-08-23, 19:48
Hi,

If you haven't tested Antivir yet then please ignore it and follow the instructions below.

Please follow steps guided here (http://www.kernelmode.info/tutorial-bootdisk/). The location where to upload requested "TRK0_DMP" file(s) is location behind this link (http://www.bleepingcomputer.com/submit-malware.php?channel=86). Kindly include a link to this forum topic there.
rjs483374
2010-08-24, 06:00
Hi, I didn't run antivir as you asked and tried to do the other process but it failed to produce the results you requested. I looked at dump.bat and saw that it called MBRTOOL, which I don't have anywhere on my PC? I suspect that's the reason for the failure.

So I went out to http://www.diydatarecovery.nl/mbrtool.htm and downloaded mbrtool. Is this the program that you want me to run in dump.bat?
Blade81
2010-08-24, 10:02
Hi,


I didn't run antivir as you asked and tried to do the other process but it failed to produce the results you requested.
Could you describe what step failed there (any error messages)?
rjs483374
2010-08-24, 17:05
Here's the output from running dump.bat:

Dumping Track 0 of all disks to 'trk0.dmp', please wait...
Error reading from drive A: DOS area: unknown command given to driver (A)bort, (I)gnore, (R)etry, (F)ail?
[repeats 7 times, then]
Bad command or filename - "MBRTOOL".
Done! Please reboot the computer now and upload "TRK0_DMP"

Both the beginning and ending sentences are echoed from dump.bat. My PC shows the C:\ prompt not A:\ as shown in the instructions; however the DIR command lists the files on the flash drive and no other drive is available? I don't know if that has anything to do with the failure, just thought I'd mention it. Here's the contents of dump.bat:

@ECHO OFF

ECHO Dumping Track 0 of all disks to 'trk0.dmp', please wait...

MBRTOOL /ST0 /DSK:A /FIL:TRK0_DMP

ECHO Done! Please reboot the computer now, and upload "TRK0_DMP"
Blade81
2010-08-24, 17:17
Hi,

Did you create bootable usb or floppy? Want to make sure you followed instructions as described in that link I posted.
rjs483374
2010-08-24, 19:52
Hi, yes, I did as instructed and created a bootable flash drive. However, the exe used to create the bootable drive only put two files on it: command.com and kernel.sys. So when I booted with it, dump.bat was not found. So I copied all of the files from the dos directory it provided onto the flash drive. This included dump.bat. After loading all this onto the flash drive the process was as described in the instructions, except for dump.bat, which failed to read track0 of any disk? Here is a list of the files on the flash drive:

Volume in drive F is LEXAR MEDIA
Volume Serial Number is 7C0E-1AD6

Directory of F:\

11/27/2002 03:39 PM 30,802 subst.exe
08/17/2006 09:57 PM 14,561 sys.com
08/30/2006 10:26 AM 2,009 tickle.com
07/07/2001 05:33 AM 9,893 tree.com
05/26/2004 06:14 PM 49,286 unzip.exe
02/08/2006 02:02 AM 3,745 XCDROM.SYS
08/02/2006 06:40 AM 15,543 xcopy.exe
02/15/2006 08:03 AM 2,535 xdma.sys
12/24/1999 07:37 AM 51,295 zip.exe
01/23/2006 11:14 PM 3,115 append.exe
01/26/1997 05:46 PM 13,867 assign.com
06/30/2003 07:10 PM 5,044 attrib.com
05/12/2004 08:03 PM 4,595 cdrcache.sys
07/03/2006 04:14 AM 35,380 chkdsk.exe
09/19/2003 07:08 PM 5,219 choice.exe
08/05/2003 04:27 PM 1,764 comp.com
06/29/2006 03:16 PM 27,780 country.sys
05/31/2003 06:09 PM 5,722 ctmouse.exe
08/31/2006 04:26 PM 33,767 cwsdpmi.exe
04/19/2004 09:38 AM 20,650 debug.com
08/03/2006 03:11 PM 46,607 defrag.exe
07/02/2006 04:37 AM 5,292 defrag.hlp
07/24/2006 03:22 AM 3,099 deltree.com
11/04/2005 07:19 AM 3,058 devload.com
06/05/2003 09:05 PM 6,490 diskcomp.com
08/06/2004 04:32 AM 24,505 diskcopy.exe
03/19/2003 11:10 AM 512 diskcopy.ini
08/06/2006 01:54 PM 62,535 display.exe
04/15/2006 12:19 AM 58,364 dosfsck.exe
06/29/2005 01:00 PM 16 drvon.com
08/23/2010 10:50 PM 184 dump.bat
07/24/2006 05:29 AM 59,743 edit.exe
05/14/2005 12:39 AM 30,189 edit.hlp
08/19/2006 05:43 AM 23,022 edlin.exe
08/25/2006 08:09 AM 16,799 emm386.exe
01/09/2005 08:03 PM 14,835 fc.exe
05/22/2005 11:16 PM 6,344 fdapm.com
09/04/2006 08:33 PM 881 fdconfig.sys
07/24/2006 06:56 AM 35,880 fdisk.exe
11/30/2002 05:14 AM 8,447 fdisk.ini
07/23/2002 03:04 PM 21,232 fdiskpt.ini
08/30/2006 12:22 PM 4,044 fdshield.com
05/28/2005 03:42 PM 4,620 FDXMS286.SYS
05/30/2003 10:57 AM 4,870 find.com
01/14/2006 04:15 AM 31,216 format.exe
06/11/2003 05:31 AM 2,498 graph-hp.com
06/09/2003 09:17 AM 2,423 graphpin.com
06/09/2003 09:17 AM 2,468 graph-ps.com
08/25/2006 07:53 AM 8,058 himem.exe
08/28/2006 03:49 PM 10,809 keyb.exe
08/25/2006 07:50 PM 33,196 keyboard.sys
08/25/2006 07:50 PM 25,431 keybrd2.sys
05/23/2003 03:38 PM 4,129 label.exe
08/30/2006 09:30 AM 7,443 lbacache.com
09/04/2006 08:29 PM 1,653 loadcd.bat
08/25/2006 10:26 PM 14,941 mem.exe
05/12/2005 01:05 PM 16,254 mode.com
07/15/2003 02:39 AM 5,658 more.exe
08/30/2006 04:20 AM 15,340 move.exe
06/29/2006 12:01 PM 4,291 nansi.sys
08/22/2006 08:40 AM 2,839 nlsfunc.exe
03/12/2005 10:53 AM 4,088 pcisleep.com
03/25/2001 04:10 AM 21,234 replace.exe
09/14/2005 03:09 AM 6,320 share.com
12/21/2005 10:31 AM 15,705 shrdrv86.exe
05/30/2005 05:18 AM 2,423 shsucdhd.exe
12/26/2005 05:00 AM 5,612 shsucdx.com
67 File(s) 1,022,169 bytes
0 Dir(s) 127,455,232 bytes free

When I first ran dump.bat I thought there was a problem running at the C:\ prompt because the dump.bat said that it was reading drive A:\? I even tried modifying the batch file, changing the "/DSK:A" to "DSK:C" for diagnosis purposes; the end result was the same error. This notebook has an unusal set of boot choices in the BIOS. I think that I made the correct choice because it does boot on the flash drive, but the fact that it is identified as drive C: is confusing to me. Again, I haven't installed MBRTOOL on the computer yet. I don't know why it wasn't part of the installation package that created the bootable flash drive?
Blade81
2010-08-25, 09:59
Hi,

Please clear your web browser cache and re-download the zip packet. Then follow instructions related to boot disk creation and using again.
rjs483374
2010-08-26, 01:55
Hi, OK I did it from scratch again, but this time it worked and produced two files: TRK0_DMP.128 and TRK0_DMP.129. I submitted both to the link you provided. I hope this leads to a solution:thanks:
Blade81
2010-08-26, 15:33
Hi,

Please check your private messages (http://forums.spybot.info/private.php).
Blade81
2010-08-26, 18:05
Hi,

Does your system have a recovery partition?
rjs483374
2010-08-26, 18:38
Yes, I believe so. It's a Lenovo Thinkpad Z60m. I believe that the only way I can access it is with the ThinkVantage software provided with the notebook.
Blade81
2010-08-26, 21:34
Ok, thanks for the info. Let's get back to that Avast updating issue. Please uninstall the program and try Antivir to see if it updates properly.
rjs483374
2010-08-27, 00:43
Hi, I uninstalled AVAST and another AV program I had (but not sure it was running). I installed Antivir as requested and updated it. No problem. I then did a scan using it. It found several viruses, which were quarantined. Here's the scan report it produced:

Avira AntiVir Personal
Report file date: Thursday, August 26, 2010 16:46

Scanning for 2754421 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : USCMOBILE

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 20:41:47
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 20:42:22
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 20:43:33
VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 20:43:33
VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 20:43:33
VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 20:43:33
VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 20:43:34
VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 20:43:34
VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 20:43:36
VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 20:43:50
VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 20:43:52
VBASE016.VDF : 7.10.10.52 127488 Bytes 8/3/2010 20:43:54
VBASE017.VDF : 7.10.10.84 137728 Bytes 8/6/2010 20:43:56
VBASE018.VDF : 7.10.10.107 176640 Bytes 8/9/2010 20:43:59
VBASE019.VDF : 7.10.10.130 132608 Bytes 8/10/2010 20:44:01
VBASE020.VDF : 7.10.10.158 131072 Bytes 8/12/2010 20:44:03
VBASE021.VDF : 7.10.10.190 136704 Bytes 8/16/2010 20:44:05
VBASE022.VDF : 7.10.10.217 118272 Bytes 8/19/2010 20:44:07
VBASE023.VDF : 7.10.10.246 130048 Bytes 8/23/2010 20:44:11
VBASE024.VDF : 7.10.11.11 144896 Bytes 8/25/2010 20:44:14
VBASE025.VDF : 7.10.11.12 2048 Bytes 8/25/2010 20:44:14
VBASE026.VDF : 7.10.11.13 2048 Bytes 8/25/2010 20:44:14
VBASE027.VDF : 7.10.11.14 2048 Bytes 8/25/2010 20:44:14
VBASE028.VDF : 7.10.11.15 2048 Bytes 8/25/2010 20:44:14
VBASE029.VDF : 7.10.11.16 2048 Bytes 8/25/2010 20:44:15
VBASE030.VDF : 7.10.11.17 2048 Bytes 8/25/2010 20:44:15
VBASE031.VDF : 7.10.11.28 107520 Bytes 8/26/2010 20:44:16
Engineversion : 8.2.4.46
AEVDF.DLL : 8.1.2.1 106868 Bytes 8/26/2010 20:45:02
AESCRIPT.DLL : 8.1.3.44 1364346 Bytes 8/26/2010 20:45:02
AESCN.DLL : 8.1.6.1 127347 Bytes 8/26/2010 20:44:56
AESBX.DLL : 8.1.3.1 254324 Bytes 8/26/2010 20:45:04
AERDL.DLL : 8.1.8.2 614772 Bytes 8/26/2010 20:44:55
AEPACK.DLL : 8.2.3.5 471412 Bytes 8/26/2010 20:44:50
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/26/2010 20:44:47
AEHEUR.DLL : 8.1.2.19 2867574 Bytes 8/26/2010 20:44:45
AEHELP.DLL : 8.1.13.3 242038 Bytes 8/26/2010 20:44:28
AEGEN.DLL : 8.1.3.20 397684 Bytes 8/26/2010 20:44:26
AEEMU.DLL : 8.1.2.0 393588 Bytes 8/26/2010 20:44:24
AECORE.DLL : 8.1.16.2 192887 Bytes 8/26/2010 20:44:22
AEBB.DLL : 8.1.1.0 53618 Bytes 8/26/2010 20:44:20
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, August 26, 2010 16:46

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG\seed
[NOTE] The registry entry is invisible.
SynTPLpr.exe
[NOTE] The process is not visible.
c:\program files\thinkpad\connectutilities\acfnf5.exe
c:\Program Files\ThinkPad\ConnectUtilities\AcFnF5.exe
[NOTE] The process is not visible.
c:\program files\ibm thinkvantage\client security solution\cssplanarswap.exe
c:\Program Files\IBM ThinkVantage\Client Security Solution\cssplanarswap.exe
[NOTE] The process is not visible.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '29' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '61' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '70' Module(s) have been scanned
Scan process 'avcenter.exe' - '63' Module(s) have been scanned
Scan process 'IzyMail.exe' - '21' Module(s) have been scanned
Scan process 'SPUVolumeWatcher.exe' - '24' Module(s) have been scanned
Scan process 'Ding.exe' - '68' Module(s) have been scanned
Scan process 'CCC.exe' - '42' Module(s) have been scanned
Scan process 'apcsystray.exe' - '29' Module(s) have been scanned
Scan process 'WindowsSearch.exe' - '67' Module(s) have been scanned
Scan process 'SvcGuiHlpr.exe' - '60' Module(s) have been scanned
Scan process 'BTSTAC~1.EXE' - '52' Module(s) have been scanned
Scan process 'DLG.exe' - '25' Module(s) have been scanned
Scan process 'BTTray.exe' - '49' Module(s) have been scanned
Scan process 'ccc.exe' - '156' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'ChoiceMail.exe' - '83' Module(s) have been scanned
Scan process 'AcMurocHlpr.exe' - '62' Module(s) have been scanned
Scan process 'ctfmon.exe' - '26' Module(s) have been scanned
Scan process 'WMPNSCFG.exe' - '27' Module(s) have been scanned
Scan process 'Eraser.exe' - '38' Module(s) have been scanned
Scan process 'ChoiceMail.exe' - '15' Module(s) have been scanned
Scan process 'avgnt.exe' - '54' Module(s) have been scanned
Scan process 'jusched.exe' - '22' Module(s) have been scanned
Scan process 'MOM.EXE' - '52' Module(s) have been scanned
Scan process 'ZuneLauncher.exe' - '22' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '32' Module(s) have been scanned
Scan process 'AwaySch.EXE' - '21' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '30' Module(s) have been scanned
Scan process 'scheduler_proxy.exe' - '21' Module(s) have been scanned
Scan process 'rundll32.exe' - '35' Module(s) have been scanned
Scan process 'ipoint.exe' - '47' Module(s) have been scanned
Scan process 'SetIcon.exe' - '19' Module(s) have been scanned
Scan process 'rundll32.exe' - '53' Module(s) have been scanned
Scan process 'ACWLIcon.exe' - '31' Module(s) have been scanned
Scan process 'pdservice.exe' - '24' Module(s) have been scanned
Scan process 'cssauth.exe' - '50' Module(s) have been scanned
Scan process 'issch.exe' - '11' Module(s) have been scanned
Scan process 'LPMGR.exe' - '40' Module(s) have been scanned
Scan process 'TpScrex.exe' - '19' Module(s) have been scanned
Scan process 'TPONSCR.exe' - '18' Module(s) have been scanned
Scan process 'TPHKMGR.exe' - '41' Module(s) have been scanned
Scan process 'EzEjMnAp.Exe' - '24' Module(s) have been scanned
Scan process 'TpShocks.exe' - '18' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '33' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '15' Module(s) have been scanned
Scan process 'Explorer.EXE' - '106' Module(s) have been scanned
Scan process 'logmon.exe' - '13' Module(s) have been scanned
Scan process 'WMPNetwk.exe' - '53' Module(s) have been scanned
Scan process 'AcSvc.exe' - '68' Module(s) have been scanned
Scan process 'ZuneBusEnum.exe' - '26' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '58' Module(s) have been scanned
Scan process 'tvtsched.exe' - '42' Module(s) have been scanned
Scan process 'avshadow.exe' - '25' Module(s) have been scanned
Scan process 'rrservice.exe' - '48' Module(s) have been scanned
Scan process 'ibmtcsd.exe' - '16' Module(s) have been scanned
Scan process 'TpKmpSVC.exe' - '9' Module(s) have been scanned
Scan process 'TPHDEXLG.exe' - '15' Module(s) have been scanned
Scan process 'suservice.exe' - '54' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '21' Module(s) have been scanned
Scan process 'jqs.exe' - '33' Module(s) have been scanned
Scan process 'IntuitUpdateService.exe' - '60' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'btwdins.exe' - '21' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'mainserv.exe' - '33' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'AcPrfMgrSvc.exe' - '51' Module(s) have been scanned
Scan process 'IPSSVC.EXE' - '14' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'sched.exe' - '48' Module(s) have been scanned
Scan process 'spoolsv.exe' - '71' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '28' Module(s) have been scanned
Scan process 'EvtEng.exe' - '55' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'svchost.exe' - '172' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '28' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '11' Module(s) have been scanned
Scan process 'vtserver.exe' - '30' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '35' Module(s) have been scanned
Scan process 'winlogon.exe' - '81' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1859' files ).


Starting the file scan:

Begin scan in 'C:\' <IBM_PRELOAD>
C:\Program Files\Digiportal Software\ChoiceMail.zip
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
--> ChoiceMail/coach.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
[WARNING] This file is a mailbox. To avoid damaging your emails this file will not be repaired or deleted.
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP706\A0067284.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP710\A0068373.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP724\A0069438.exe
[DETECTION] Is the TR/FraudPack.bbsu Trojan
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP724\A0069511.exe
[DETECTION] Is the TR/FraudPack.bbsu Trojan
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP737\A0071554.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP755\A0074223.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
Begin scan in 'E:\' <Data>
E:\Richard's Documents\Downloads\More of MY DOWNLOADS\Products\ChoiceMail-FInstaller.exe
[0] Archive type: ZIP SFX (self extracting)
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.E worm
--> CMFREEINSTALL265.EXE
[1] Archive type: ZIP SFX (self extracting)
--> COACH.EXE
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.E worm
E:\Richard's Documents\Downloads\More of MY DOWNLOADS\Software\Choice Mail Free v265 Installer.exe
[0] Archive type: ZIP SFX (self extracting)
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768 worm
--> CMFREEINSTALL26.EXE
[1] Archive type: ZIP SFX (self extracting)
--> COACH.EXE
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768 worm
E:\Richard's Documents\Downloads\My Old Downloads\ChoiceMail\CMO3.0-Installer.exe
[0] Archive type: ZIP SFX (self extracting)
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
--> CMWSINGLEUSERINSTALL31.EXE
[1] Archive type: ZIP SFX (self extracting)
--> COACH.EXE
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
E:\Richard's Documents\Downloads\My Old Downloads\ZDNet\datacd.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Agent.127249.A Trojan
--> DATACD.EXE
[DETECTION] Is the TR/Agent.127249.A Trojan
E:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP737\A0071660.com
[DETECTION] Is the TR/Hijacker.Gen Trojan
--> Object
[DETECTION] Is the TR/Hijacker.Gen Trojan
E:\WINWORD\VIRUSFIX\SCAN.DOC
[DETECTION] Contains HEUR/Macro.Word95 suspicious code

Beginning disinfection:
E:\WINWORD\VIRUSFIX\SCAN.DOC
[DETECTION] Contains HEUR/Macro.Word95 suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to the quarantine directory under the name '4f124887.qua'.
E:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP737\A0071660.com
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '579460cd.qua'.
E:\Richard's Documents\Downloads\My Old Downloads\ZDNet\datacd.zip
[DETECTION] Is the TR/Agent.127249.A Trojan
[NOTE] The file was moved to the quarantine directory under the name '05873df6.qua'.
E:\Richard's Documents\Downloads\My Old Downloads\ChoiceMail\CMO3.0-Installer.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
[NOTE] The file was moved to the quarantine directory under the name '639f7200.qua'.
E:\Richard's Documents\Downloads\More of MY DOWNLOADS\Software\Choice Mail Free v265 Installer.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768 worm
[NOTE] The file was moved to the quarantine directory under the name '263b5f13.qua'.
E:\Richard's Documents\Downloads\More of MY DOWNLOADS\Products\ChoiceMail-FInstaller.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.E worm
[NOTE] The file was moved to the quarantine directory under the name '59206d7c.qua'.
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP755\A0074223.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
[NOTE] The file was moved to the quarantine directory under the name '15db410e.qua'.
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP737\A0071554.exe
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
[NOTE] The file was moved to the quarantine directory under the name '69c3015e.qua'.
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP724\A0069511.exe
[DETECTION] Is the TR/FraudPack.bbsu Trojan
[NOTE] The file was moved to the quarantine directory under the name '44992e13.qua'.
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP724\A0069438.exe
[DETECTION] Is the TR/FraudPack.bbsu Trojan
[NOTE] The file was moved to the quarantine directory under the name '5df1158a.qua'.
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP710\A0068373.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '31ad39bb.qua'.
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP706\A0067284.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '40140029.qua'.
C:\Program Files\Digiportal Software\ChoiceMail.zip
[DETECTION] Contains recognition pattern of the WORM/SdBot.352768.1 worm
[WARNING] The file was ignored!


End of the scan: Thursday, August 26, 2010 18:33
Used time: 1:45:24 Hour(s)

The scan has been done completely.

12686 Scanned directories
562445 Files were scanned
12 Viruses and/or unwanted programs were found
1 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
12 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
562432 Files not concerned
13087 Archives were scanned
1 Warnings
12 Notes
703314 Objects were scanned with rootkit scan
4 Hidden objects were found

So now what? I don't know if it found all of the infection or just some of it. I won't feel like it's gone until other AV software, like AVAST, says that I'm clean.
Blade81
2010-08-27, 07:10
Hi,

Those ChoiceMail related findings look like possible false positives. To me your system looks ok. If it was AV updates blocking infection there then it would likely affect other AV than Avast too.
rjs483374
2010-08-27, 17:53
I agree. That Choicemail zip file has been around for years. It was part of the original installation package so I tend to believe that it's OK.

I'm going to uninstall Antivir and reinstall AVAST and see if it works OK now. I'll let you know what happens.:)
Blade81
2010-08-27, 19:21
Ok, shall wait for your report :)
rjs483374
2010-08-28, 00:05
Well, I was able to install and update AVAST. I then ran a complete scan of the computer. I came up clean. Then I ran spybot search & destroy. It found two MalwareC entries in the registry:

--- Search result list ---
Fraud.AVSecuritySuite: [SBI $5587D6DE] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...

Fraud.AVSecuritySuite: [SBI $5587D6DE] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...

Right Media: Tracking cookie (Internet Explorer: Richard) (Cookie, fixed)

I'm not sure if this is a real virus issue. ChoiceMail, an email spam removal program I've been using for many years, required that I set both incoming and outgoing mail servers to this value (127.0.0.1) in Outlook. However, it doesn't specify a port (5643)??? So I don't know if I still have a problem or not?
Blade81
2010-08-28, 10:03
Hi,

TDL infection had added that port number. Does it still appear in Spybot scan after reboot? Please post a fresh dds.txt log.
rjs483374
2010-08-28, 18:41
I turned the computer off last night (after Spybot had removed the two infectious files. I ran Spybot again this morning and it found no problems. Here's the new dds.txt you requested:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Richard at 12:35:14.62 on Sat 08/28/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.433 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SMSC\SetIcon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Zune\ZuneLauncher.exe
svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Digiportal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Digiportal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Eraser\Eraser.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\Program Files\Digiportal Software\ChoiceMail\IzyMail.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
E:\Richard's Documents\Virus Documentation & Files\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [ChoiceMail] "c:\program files\digiportal software\choicemail\ChoiceMail.exe"
uRun: [QuickenBillminder] c:\program files\quicken\Billmind.exe
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [Cookienator] "c:\program files\pc world programs\cookienator\cookienator.exe" /auto
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [ControlCenter] "c:\program files\thinkvantage fingerprint software\ctlcntr.exe" /startup
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [SetIcon] \Program Files\SMSC\SetIcon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop

messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psfus.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richard\applic~1\mozilla\firefox\profiles\5m8omcu1.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\richard\application

data\mozilla\firefox\profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\documents and settings\richard\application

data\mozilla\firefox\profiles\5m8omcu1.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\richard\application

data\mozilla\firefox\profiles\5m8omcu1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows

presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name",

"chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description",

"chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys [2006-8-21 6912]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-9-28 19504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-27 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-27 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-27 40384]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-8-2 3968]
R2 SmiHlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-7-12 3328]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-27 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-27 40384]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\18.tmp --> c:\windows\system32\18.tmp [?]

=============== Created Last 30 ================

2010-08-27 16:05:27 38848 ----a-w- c:\windows\avastSS.scr
2010-08-22 17:45:25 0 d-----w- C:\tdsskiller
2010-08-16 19:41:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-16 19:41:11 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 19:59:58 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-15 17:13:37 0 d-sha-r- C:\cmdcons
2010-08-15 17:11:11 77312 ----a-w- c:\windows\MBR.exe
2010-08-15 17:11:11 256512 ----a-w- c:\windows\PEV.exe
2010-08-15 17:11:10 98816 ----a-w- c:\windows\sed.exe
2010-08-15 17:11:10 161792 ----a-w- c:\windows\SWREG.exe
2010-08-14 17:51:02 0 d-----w- c:\docume~1\richard\applic~1\Registry Mechanic
2010-08-11 13:31:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-06 12:10:31 0 dc----w- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-08-04 17:55:58 0 d-----w- c:\docume~1\richard\applic~1\SafeReturner
2010-08-04 17:55:52 0 d-----w- c:\program files\Safe Returner
2010-08-04 14:28:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-08-22 14:26:26 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 21:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll
2010-01-03 19:19:08 5031168 ----a-w- c:\program files\common files\lpuninstall.exe
2008-12-30 22:51:01 32768 -csh--w- c:\windows\system32\config\systemprofile\local

settings\history\history.ie5\mshist012008123020081231\index.dat

============= FINISH: 12:36:05.01 ===============
Blade81
2010-08-28, 19:17
That looks good :)

Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
rjs483374
2010-08-29, 06:59
Blade,

Thanks for all your help! I think I'm virus free now. I followed most of your suggestions. I have Windows firewall turned on, but none other. I'm back using AVAST and it has updated itself several times now. And I have Windows update set to update automatically. I guess I'm left wondering how/why I was exposed. AVAST didn't catch this one. Is there a better (free) AV program out there? Or was that part of the problem, using a free version? At any rate, thanks a lot for all your help. :thanks:

Richard
Blade81
2010-08-29, 09:51
You're welcome :)

Malware keeps changing all the time so AV vendors updates won't always detect new threat. None of available AV programs (free or commercial) can protect from all possible threats. Avast is a good choice :)
Blade81
2010-09-04, 11:37
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.