Pointer stops dead - serving-sys?

[rsteeves]

The pointer just stops, then jumps to where the mouse went. AVG reported serving-sys two days ago, said it was potentially dangerous, but couldn't heal it or move it to the virus vault. More recent AVGs don't report anything scary, nor do Spybot, AdAware and Malware bytes. Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:38 AM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\Program Files\AIM Toolbar\aimhelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe -expressboot
O4 - HKUS\S-1-5-21-3646181656-1487682723-3042452539-1010\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Grandchildren')
O4 - HKUS\S-1-5-21-3646181656-1487682723-3042452539-1010\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Grandchildren')
O4 - HKUS\S-1-5-21-3646181656-1487682723-3042452539-1010\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Grandchildren')
O4 - HKUS\S-1-5-21-3646181656-1487682723-3042452539-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Grandchildren')
O4 - HKUS\S-1-5-21-3646181656-1487682723-3042452539-1010\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Grandchildren')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...0Installer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1110466153218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143917816001
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\DOCUME~1\Bob\LOCALS~1\APPLIC~1\Skype\shared\SKYPE4~1.DLL (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8367 bytes


Thanks in advance.

Bob Steeves

[ken545]

Hello Bob

Welcome to Safer Networking.

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Sorry for the delay but things get crazy around here.


Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, it installs without your knowledge or consent, is considered Adware, uses system resources and is not needed for anything.



Download TFC to your desktop

• Close any open windows.
• Double click the TFC icon to run the program
• TFC will close all open programs itself in order to run,
• Click the Start button to begin the process.
• Allow TFC to run uninterrupted.
• The program should not take long to finish it's job
• Once its finished it should automatically reboot your machine,
• if it doesn't, manually reboot to ensure a complete clean

Download DDS by sUBs from one of the following links. Save it to your desktop.

• DDS.com
• DDS.scr
• DDS.pif
  
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results, click no to the Optional_Scan
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here

[rsteeves]

Here is DDS.txt:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Bob at 20:44:48.73 on Thu 12/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.524 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nytimes.com/
mSearchAssistant = hxxp://channels.aimtoday.com/search/aimtoolbar.jsp
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AIMSite Class: {d70e6a20-7060-4829-b3d7-b6624a1de7c6} - c:\program files\aim toolbar\aimhelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
mRun: [WinPatrol [FREE Edition]] c:\program files\winpatrol\winpatrol.exe -expressboot
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG9_TRAY] c:\program files\avg\avg9\avgtray.exe
mRun: [mxomssmenu] c:\program files\maxtor\onetouch status\maxmenumgr.exe
mRun: [POINTER] point32.exe
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: scouting.org\scoutnet
Trusted Zone: wachovia.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110466153218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143917816001
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora~1.1\EuShlExt.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bob\applic~1\mozilla\firefox\profiles\8zide729.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\bob\application data\mozilla\firefox\profiles\8zide729.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-1 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-31 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-31 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-31 360584]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-31 353672]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-3 285392]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 slnt;Realtek RTL8139 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [2009-3-8 17999]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
S3 palmmdm;Palm Modem;c:\windows\system32\drivers\palmmdm.sys [2006-1-30 9728]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SAUSBHW;%SAUSBHW.SvcDesc%;c:\windows\system32\drivers\SAUSB.SYS [2005-4-1 171600]
S3 suscom;Susteen Serial port driver;c:\windows\system32\drivers\suscom.sys [2005-4-2 39680]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [2005-4-2 805808]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-11-30 22:19:19 0 d-----w- c:\program files\Microsoft Hardware
2009-11-30 22:17:07 0 d-----w- c:\program files\Microsoft IntelliPoint 4.12
2009-11-25 15:54:59 0 d-sh--w- c:\documents and settings\bob\IECompatCache
2009-11-25 02:47:57 0 d-----w- c:\docume~1\bob\applic~1\WinPatrol
2009-11-25 02:43:50 0 d-----w- c:\program files\WinPatrol
2009-11-24 03:47:50 0 d-----w- c:\program files\Western Digital Corporation
2009-11-11 19:10:07 0 d-----w- c:\program files\MediaMonkey
2009-11-11 04:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 04:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-11-10 13:33:32 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-04 00:32:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-04 00:31:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-21 18:04:20 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-03-29 19:18:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032920090330\index.dat

============= FINISH: 20:46:54.89 ===============

attach.txt is zipped and attached.

As far as it taking a while to get to me, I understand. I do low level tech support for a number of people, and I have a couple of "experts" I turn to when I can't figure it out, but this virus and malware stuff is pretty specialized. I really appreciate that you and your associates take the time to help others.

Bob Steeves

[ken545]

Hi,

Nothing is jumping out at me as bad.

Please download Malwarebytes from Here or Here

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report and also a new HJT log please

[rsteeves]

Here's the log, but there wasn't anything...

Malwarebytes' Anti-Malware 1.42
Database version: 3290
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/3/2009 11:09:27 PM
mbam-log-2009-12-03 (23-09-27).txt

Scan type: Quick Scan
Objects scanned: 150313
Time elapsed: 28 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Bob Steeves

[rsteeves]

Here's the log, but there wasn't anything...

Malwarebytes' Anti-Malware 1.42
Database version: 3290
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/3/2009 11:09:27 PM
mbam-log-2009-12-03 (23-09-27).txt

Scan type: Quick Scan
Objects scanned: 150313
Time elapsed: 28 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Bob Steeves

[rsteeves]

Here's the log, but there wasn't anything...

Malwarebytes' Anti-Malware 1.42
Database version: 3290
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/3/2009 11:09:27 PM
mbam-log-2009-12-03 (23-09-27).txt

Scan type: Quick Scan
Objects scanned: 150313
Time elapsed: 28 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Bob Steeves

[ken545]

Hello Bob,

I don't believe your issue is malware related. The scans are not finding anything.

http://www.spywareremove.com/removeServingsys.html
This is just a tracking cookie and running a cleaner like we did should have removed it.

We just do malware removal on this forum, why dont you post here for help on the mouse issue as it appears to be a software or hardware problem.


This is our sister site , like Safer you will have to join but its free.
http://forums.whatthetech.com/Genera...ware_f126.html

Good Luck,

Ken

[rsteeves]

I appreciate your help. It would have been nice if it were malware, because by now it would be fixed! Anyway, thanks again.

Bob Steeves

[ken545]

Your welcome Bob

• How did I get infected in the first place ?
  Read these links and find out how to prevent getting infected again.
• Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
• WhattheTech
• Grinler BleepingComputer
• GeeksTo Go
• Dslreports

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

• Spybot Search and Destroy 1.6
  Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  
• Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  
• Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  
• IE-Spyad
  IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  
• Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken