1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

XP System Restore, Logoff, & Safe Mode Problems

Discussion in 'Virus & Other Malware Removal' started by BodyworkeR, Aug 24, 2010.

Thread Status:
Not open for further replies.
Advertisement
  1. BodyworkeR

    BodyworkeR Thread Starter

    Joined:
    Apr 3, 2001
    Messages:
    76
    XP System Restore, Logoff, & Safe Mode Problems
    I originally posted this in the Windows XP forum.
    I have an old HP Pavillion that in the past six months has started to manifest several problems. The 3 major problems are:

    Account logoff is very slow, Safe Mode does not work, and System Restore does not work.

    Logoff very slow - This used to take about 15-20 seconds. Now it's taking about 150. It moves quickly enough to the screen that

    says "Saving User Settings" and then sits there for about 75 seconds. Then the next screen, the one that lists the user accounts

    and the shut down line, takes about another 45 seconds before it reads any input from the mouse or keyboard. This just started

    after an MS update the weekend before last (8/16/2010)

    When I try rebooting in Safe Mode, or in Safe Mode with Command Line, I get a message box saying:
    "Video Mode not Supported". From the way the border is shaped I suspect this message originates in my monitor, but why is

    beyond me. Sometimes when the system is shutting down I get a windows message box entitled "SVCNTAUX app error" giving

    an error code and address inside the box. This SVCNTAUX error has been happening more often the past 10 days.
    I don't know if this is related but sometimes when I start Yahoo Mail it says video mode not supported 1280 x 1024 even tho

    that's what I'm running. I say use anyway & it works fine.
    Another thing that I don't know is related is I've been getting a BSOD about once every 6 weeks that when I let Windows send

    Microsoft the error report after I reboot, then goes on to tell me I've a video driver problem. I mention this mostly because in the

    half dozen tries I made to get a GMER scan and log I got this BSOD 3 times.

    System Restore won't do a restore. Checkpoint saves seem to work. When I try doing a System Restore the system reboots

    and the System Restore comes up saying "Your computer cannot be restored to..." and it doesn't matter which restore point I try

    restoring to. As best I can tell the restore Checkpoints are still being taken and I don't seem to get an error if I try doing a new

    restore checkpoint.

    Any help on any of these 3 problems would be greatly appreciated. I've attached a hijackthis.log that I took a few minutes ago

    just in case it helps. Also, for the record, I have AVG, Spyware Doctor, and ZoneAlarms free firewall installed. I ran an AVG and

    Spyware Doctor check this past weekend and found nothing. Also, since I had it available I ran an AVIRA scan from a bootable

    CD this past weekend as well and found nothing. Since I couldn't figure out how to update the virus definitions for Avira they

    were a couple of months old. AVG & Spyware doctor, as well as XP & Office, are all up to date.

    Supporting Data:
    I'm running Windows XP Media Center v2002 SP3 on an HP Pavillion a1430n with a 2GHz AMD Dual Processor 3800+ and with

    Nvidia graphics on the motherboard. I purchased it 51 months ago.

    HiJackThis.Log - I took one on 8/18 and another today 8/24. They are virtually identical. Here's the one from today:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:40:36 AM, on 8/24/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Security\Grisoft\AVG9\avgchsvx.exe
    C:\Program Files\Security\Grisoft\AVG9\avgrsx.exe
    C:\Program Files\Security\Grisoft\AVG9\avgcsrvx.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Security\Grisoft\AVG9\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Security\Grisoft\AVG9\avgnsx.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Security\Grisoft\AVG9\avgemc.exe
    C:\Program Files\Security\Grisoft\AVG9\avgcsrvx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Security\Grisoft\AVG9\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Documents and Settings\HP_Administrator\My Documents\Security\Rootkit Scanners\RootRepeal.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Browsers\Mozilla Firefox 3\firefox.exe
    C:\Program Files\Browsers\Mozilla Firefox 3\plugin-container.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    file:///C:/Documents%20and%20Settings/All%20Users/Documents/myQuotes.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program

    Files\Security\Grisoft\AVG9\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program

    Files\ZoneAlarm\tbZone.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

    Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program

    Files\Security\Grisoft\AVG9\avgssie.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement

    Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program

    Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common

    Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program

    Files\Security\Grisoft\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

    files\google\googletoolbar1.dll
    O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} -

    C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

    Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program

    Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows

    Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program

    Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program

    Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program

    Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON

    Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program

    Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows

    Live\Toolbar\wltcore.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program

    Files\Security\Grisoft\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
    O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program

    Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\Security\Grisoft\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [PxDotNetLoader] "C:\Program Files\Fidelity Investments\Fidelity Active

    Trader\System\ATPStartupAssistant.exe"
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows

    Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} -

    C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

    C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

    C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} -

    C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

    C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} -

    C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file

    missing)
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} -

    C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file

    missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

    Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) -

    http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

    http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

    http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149145016984
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

    http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160215429156
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -

    http://www.crucial.com/controls/cpcScanner.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program

    Files\Security\Grisoft\AVG9\avgpp.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI

    SoftModem\agrsmsvc.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program

    Files\Security\Grisoft\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program

    Files\Security\Grisoft\AVG9\avgwdsvc.exe
    O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINDOWS\Lic98Rmt.exe
    O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINDOWS\Lic98RmtD.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

    Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\Accessories\iPod\bin\iPodService.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program

    Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common

    Files\LogiShrd\Bluetooth\lbtserv.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program

    Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec

    Shared\CCPD-LC\symlcsvc.exe (file missing)
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner -

    C:\WINDOWS\system32\UAService7.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD -

    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 14660 bytes
    ----------------------------------------------------------------------------------------------------------------------------------------
    After I downloaded DDS, I uploaded it to Jotti AV checker. Amazingly two of their 19 virus checkers reported finding malware in

    the DDS.SCR program. I've attached a screenshot of it.
    DDS Log:
    ----------------------------------------------------
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by HP_Administrator at 7:42:04.70 on Tue 08/24/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2270 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Security\Grisoft\AVG9\avgchsvx.exe
    C:\Program Files\Security\Grisoft\AVG9\avgrsx.exe
    C:\Program Files\Security\Grisoft\AVG9\avgcsrvx.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    svchost.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Security\Grisoft\AVG9\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Security\Grisoft\AVG9\avgnsx.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spyware Doctor\swdsvc.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Security\Grisoft\AVG9\avgemc.exe
    C:\Program Files\Security\Grisoft\AVG9\avgcsrvx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Security\Grisoft\AVG9\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Documents and Settings\HP_Administrator\My Documents\Security\Rootkit Scanners\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = file:///C:/Documents%20and%20Settings/All%20Users/Documents/myQuotes.htm
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uDefault_Page_URL =

    hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uDefault_Search_URL =

    hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Connection Wizard,ShellNext =

    hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program

    files\security\grisoft\avg9\toolbar\IEToolbar.dll
    uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program

    files\security\grisoft\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

    files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\security\grisoft\avg9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search

    helper\SEPsearchhelperie.dll
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program

    files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft

    shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program

    files\security\grisoft\avg9\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} -

    c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

    files\google\googletoolbarnotifier\2.0.301.5672\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows

    live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

    files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson

    web-to-page\EPSON Web-To-Page.dll
    BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program

    files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON

    Web-To-Page.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program

    files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program

    files\security\grisoft\avg9\toolbar\IEToolbar.dll
    TB: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program

    files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [SDTray] c:\program files\spyware doctor\SDTrayApp.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [<NO NAME>]
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [AVG9_TRAY] c:\progra~1\security\grisoft\avg9\avgtray.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
    mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\pavili~1.lnk - c:\documents and settings\all

    users\documents\cards\PAVILION.CRD
    IE: &Google Search - c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar3.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} -

    c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program

    files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} -

    c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

    c:\progra~1\micros~4\office12\REFIEBAR.DLL
    DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -

    hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

    hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149145016984
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -

    hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160215429156
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} -

    hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -

    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -

    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -

    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} -

    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

    hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\security\grisoft\avg9\avgpp.dll
    Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active

    trader\system\atngprot.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-11 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-8-26

    29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-11 243024]
    R1 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2007-4-13 39248]
    R1 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-4-13 52304]
    R1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-4-13 59472]
    R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-4-13 83536]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-8 532224]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\security\grisoft\avg9\avgemc.exe [2010-7-15 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\security\grisoft\avg9\avgwdsvc.exe [2010-7-15 308136]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-23 55152]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-5-26 26352]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-5-26 493032]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-15 10448]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
    R2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-4-13 707080]
    R2 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2007-4-13 1302272]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service -->

    c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 ZD1211BU(ZyXEL);ZyXEL 802.11g Wireless USB Adapter Driver(ZyXEL);c:\windows\system32\drivers\ZD1211BU.sys

    [2007-6-18 417792]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN

    v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2003-1-17 28186]
    S3 CA_LIC_CLNT;CA-License Client;c:\windows\LIC98RMT.exe [2001-8-16 73728]
    S3 CA_LIC_SRVR;CA-License Server;c:\windows\LIC98RMTD.exe [2001-9-19 73728]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec

    shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
    S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
    S3 nenum13E;nenum13E;c:\docume~1\papa~1.yal\locals~1\temp\nenum13E.sys [2004-7-22 15872]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-10 14336]
    S3 rkhdrv40;Rootkit Unhooker Driver; [x]
    S3 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" -->

    c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache

    4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-08-23 22:35:26 0 d-----w- c:\program files\Sophos
    2010-08-14 09:15:42 0 d-----w- c:\windows\system32\winrm
    2010-08-14 09:15:37 0 dc-h--w- c:\windows\$968930Uinstall_KB968930$
    2010-08-13 11:25:00 0 d-----w- c:\temp\Jobsch 2010

    ==================== Find3M ====================

    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-16 01:41:27 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
    2010-07-16 01:41:27 0 ---ha-w-

    c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
    2010-07-15 23:18:19 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 23:18:17 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 23:18:10 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-10 10:38:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-24 21:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
    2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
    2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
    2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
    2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
    2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
    2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll
    2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
    2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
    2010-06-23 17:51:22 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-18 11:39:18 16896 ------w- c:\windows\system32\dllcache\iecompat.dll
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
    2006-07-29 17:45:45 22 --sha-w- c:\windows\sminst\HPCD.sys
    2008-07-13 21:01:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local

    settings\history\history.ie5\mshist012008071320080714\index.dat
    2008-07-15 04:23:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local

    settings\history\history.ie5\mshist012008071520080716\index.dat

    ============= FINISH: 7:42:45.54 ===============

    GMER: I tried running GMER 6 times and it either hung three times and BSOD'ed three times. The BSOD is one I've been

    getting spontaneously about once every 4 to 6 weeks since my machine was new. The most frustrating was when it hung

    immediately after completing its scan (over 1 hour on my ancient machine) and wouldn't let me save the log file. I did save the

    prescan and here it is:
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-08-23 11:01:03
    Windows 5.1.2600 Service Pack 3
    Running: testHP.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fgtirpod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs ikfileflt.sys (PCTools Research Pty Ltd.)
    AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat ikfileflt.sys (PCTools Research Pty Ltd.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies

    LTD)

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies

    LTD)

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ,

    s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

    Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies

    LTD)

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ,

    s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software

    Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ,

    s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2

    Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2

    Release 2)/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    When I couldn't get GMER to work I downloaded Sophos rootkit finder and the RootRepeal rootkit finder and ran each of them.

    The Sophos output is long so I've attached it. The RootRepeal is considerably shorter. Here it is:
    ----------------------------------------------------------------------------------------------------------------------------------------
    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/08/24 04:05
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP Media Center Edition SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB5FD4000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBA626000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB28B2000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: c:\windows\temp\perflib_perfdata_3f0.dat
    Status: Allocation size mismatch (API: 16384, Raw: 0)

    Path: C:\WINDOWS\Temp\IswTmp\Logs\ISWSHEX.swl
    Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 031 Function Name: NtConnectPort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb6299534

    #: 037 Function Name: NtCreateFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb6293782

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b26dc

    #: 046 Function Name: NtCreatePort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb6299cc0

    #: 047 Function Name: NtCreateProcess
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62aceb4

    #: 048 Function Name: NtCreateProcessEx
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62ad2a2

    #: 050 Function Name: NtCreateSection
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b6916

    #: 056 Function Name: NtCreateWaitablePort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb6299df6

    #: 062 Function Name: NtDeleteFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb6294398

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b3fe4

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b393c

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62abdf0

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b493c

    #: 099 Function Name: NtLoadKey2
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b4b44

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb6293faa

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62af1ce

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62aedf8

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b58d2

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b5208

    #: 200 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62990f4

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b62a4

    #: 210 Function Name: NtSecureConnectPort
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62997dc

    #: 224 Function Name: NtSetInformationFile
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb629475c

    #: 237 Function Name: NtSetSecurityObject
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b5e12

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62b30c4

    #: 255 Function Name: NtSystemDebugControl
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62adf0a

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62adc86

    #: 277 Function Name: NtWriteVirtualMemory
    Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xb64c8422

    Shadow SSDT
    -------------------
    #: 460 Function Name: NtUserMessageCall
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb6297f38

    #: 475 Function Name: NtUserPostMessage
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb629807a

    #: 476 Function Name: NtUserPostThreadMessage
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62981b2

    #: 491 Function Name: NtUserRegisterRawInputDevices
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb6295b4c

    #: 502 Function Name: NtUserSendInput
    Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb62985a6

    ==EOF==
    ----------------------------------------------------------------------------------------------------------------------------------------
    I ran the files RootRepeal found thru Jotti with these results:
    Name Description Jotti Result
    dump_atapi.sys - OK system file. copy of atapi.sys can't find apparently normal not 2 find this
    dump_WMILIB.SYS - OK system file. copy of WMiLib.sys can't find apparently normal not 2 find this
    rootrepeal.sys - this is part of RootRepeal itself.
    hiberfil.sys - XP's hibernation file 3 gig's worth
    perflib_perfdata_3f0.dat - generated by system monitor nothing
    ISWSHEX.swl - part of zone alarm? nothing
    vsdatant.sys - part of zone alarm nothing
    iksysflt.sys - part of PC Tools nothing
    ----------------------------------------------------------------------------------------------------------------------------------------
    Any help you can give me with these problems would be greatly appreciated.
    Thanks,
    Bodyworker

    NOTE: there are 3 attachments.
     

    Attached Files:

  2. BodyworkeR

    BodyworkeR Thread Starter

    Joined:
    Apr 3, 2001
    Messages:
    76
    I noticed today that the SVCNTAUX error has been occurring every time I shut down XP. This used to happen sporadically when I shut down and when I logged off a user account which is why it took me almost two weeks to notice that it has started to happen all the time. So I looked up SVCNTAUX.EXE and discovered that it was part of Spyware Doctor. So I uninstalled Spyware Docctor and installed SPYBOT Search and Destroy in its place. Now log offs and shut downs happen at normal speed and I haven't seen the SVCNTAUX error message since. This isn't even a full day so it's not a definitive fix but it looks like at least one of my three problems is resolved. Now if only someone can help me find a solution to my other two problems. . .
     
  3. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    28,770
    Hiya :)

    Sorry for the lateness in a reply, but these forums are very busy :(

    Are you still having this problem? If so, can you rescan with DDS, GMER and HijackThis, and post the fresh logs

    Regards

    eddie
     
  4. BodyworkeR

    BodyworkeR Thread Starter

    Joined:
    Apr 3, 2001
    Messages:
    76
    Changing from Spyware Doctor to Spybot S&D seems to have resolved my slow logoff problem. But I still can not come up in Safe Mode and System Restore does not work. Also a full GMER scan results in a Blue Screen of Death. I was able to get a Sophos rootkit scan to work. I'll post a fresh Hijack This, Sophos, and DDS scan this weekend.
    Sorry to take so long to reply. Usually I get an email when there's a reply to one of my threads here. Either the email didn't come or somehow I missed it. But thanks for eventually getting back to me.
     
  5. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    28,770
    Oki doki, no rush :)

    eddie
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/945392