
Nikanj

Everything posted by Nikanj

  1. I too started to experience frequent desktop freezes etc. when my Pro version of Malwarebytes was updated to version 1.6 a couple of days ago. I'm currently using:

     Windows XP with SP3
     Zone Alarm Extreme Security ver 9.3.037.000, which includes:
       Truevector security engine ver 9.3.037.000
       Driver Version 9.1.522.000
       AV/ASW engine version 8.0.2.48
       Antispam version 6.0.0.2383
       Browser Security 41.5.152.14

     I originally thought the desktop freeze-ups were a further symptom of a possible infection I may have (I'd posted an as yet unreplied-to request for assistance in the HijackThis logs forum; the DDS log included with my Dec 27th post was generated when I still had Malwarebytes ver 1.51.2.1300 installed.) The day after posting the log, I updated to the newly released MB version 1.6 to see if it could shed some light on the alerts I was getting from ZoneAlarm. Shortly thereafter the freeze-ups began.

     In my case, when the freeze-up occurs (sometimes right after a computer re-start, other times a few minutes after a re-boot, and in two instances a little over an hour after re-boot), the mouse cursor can still be moved freely around the desktop but it cannot highlight, select or engage any of the icons on either the desktop or task bar. The desktop clock is frozen but the clock on my Logitech keyboard remains active and current. During one of my trouble-shooting attempts after the freezes first appeared, I happened to have the Processes tab of Task Manager open (sorting by CPU usage). After the desktop freezes, the image names of the processes continue to shuffle as CPU usage changes (including the regular appearance of MB's process as it uses 40 - 60%). After a minute or two however, even the Task Manager window freezes.

     I stumbled onto this thread by accident and I'm glad I did. As Malwarebytes' checked box indicating active live protection was greyed out and could not be unchecked, I accessed msconfig and disabled Malwarebytes from starting up altogether. After re-booting, I have not experienced any further desktop freezes.
  2. Hi, I've started to get disquieting alerts from my anti-virus program (ZoneAlarm) notifying me that backdoor.Win32.Sinowal.knt has been discovered and repaired, only to have the same notice appear several times again later: about 10 "repairs" made since the notices started late last week (Dec 23rd). Zone Alarm says it is making repairs to \DEVICE\HARDDISK0\DR0 and \Device\harddisk1\DR1. I have not installed any new programs recently. I have Malwarebytes Anti-Malware Pro v1.51.2.1300 but it does not identify any issues when full and flash scans are run.

     First thing I tried was restoring XP to a point before the alerts started to appear, only to find that the system would not restore to any of the dates I tried (I get the "failed to restore" notice at re-boot).

     I ran msconfig and looked through the start-up programs. There was one start-up program on the list written in a long string of Asian characters. I unchecked it and re-booted. Towards the end of the reboot, a sequence of two pop-up windows appeared saying a program referenced in the registry was unable to start, but no indication was given as to what the program was. I went back to the list of start-up programs in msconfig and the one with the long string of Asian characters was gone, but there was now a start-up program with one Asian character followed by a dot in the list. I also discovered that all my Windows XP restore points were also gone.

     I scanned my system with a couple of rootkit analyzers [RootkitBuster and fseasyclean] with mixed results. RootkitBuster did highlight some potential issues (several I suspect being tied to false positives with Acronis TrueImage). I tried repairing the ones not Acronis specific but received "Could not repair" notices for all. fseasyclean did not find anything. Whenever I re-boot, I still get the sequence of two pop-up windows appearing that say a program referenced in the registry was unable to start, but there is no indication as to what the program is.
     I've included the DDS text output below and added the attach.zip with the attach.txt file as requested. Could you have a look through these logs to see if there is an issue? Perhaps Zone Alarm is giving a false positive (latest virus list for scanning was updated Dec 27) but I cannot find any reference to this problem on their forum. Also, if you happen to discover what the "missing program at start-up" is during your review, could you notify me so I can delete it entirely. Your help is appreciated.

     Best Regards
     Doug
  3. It appears my first posting a few days ago may have been overlooked. Given the number of requests for help that I see this site getting and the fact I am fortunate to have a current back-up of all my files on a separate hard drive, I decided this past weekend to bite the bullet and re-install Windows rather than direct further effort towards removing the malware.

     In closing, some observations about the malware infecting my system:

     1) The malware appears to have affected one or more of the network resource files; as mentioned in my earlier post, since becoming infected on the 26th of March, I have been getting a MS Outlook application pop-up stating
  4. I've encountered an issue I hope you can help with.

     Background

     During research for my agriculture news service, I visit hundreds of web pages daily. This Friday past, when loading one of the Asian news sites on my regular daily review list, my firewall (ZoneAlarm) issued a couple of quick warnings concerning suspicious behaviour. I declined access in both instances, but something else must have gotten through as, about a minute later, my computer suddenly re-booted as I was typing an e-mail.

     Observations

     i) After the re-boot, the computer was performing noticeably slower, and on occasion would freeze (windows, taskbars, etc. could not be accessed, but the mouse cursor could be moved around freely.)

     ii) I started to get an MS Outlook alert window that "Either there is no default e-mail client or the e-mail client cannot fulfill the messaging request, please install Outlook...." [Note: MS Outlook has never been installed on this computer. I use another e-mail client]. This MS Outlook alert window appears right after a re-boot and every time I submit a web based form using either IE or Firefox (such as entering an ID and password, registering for this site, etc... the Post action appears to trigger a request to access Outlook... someone trying to get my access info delivered to their in-box?)

     iii) Since Friday, I have had 3 BSOD events... the first identified the problem as IRQL-not-equal-or-less-than [or something to that effect] while the other two gave Stop 0x0000008e 0xC0000005 0x805B1547 0x9354DC30 0x00000000 as the error code. To eliminate the possibility of RAM issues, I ran memtest for four hours: no errors were found. With frustrating frequency, the computer continues to freeze, with no consistent obvious cause.

     iv) I noticed Sunday that my fax modem would no longer initialize (Agere USB fax modem). I also discovered that a link in Control Panel was corrupted (generic icon present but no description or path associated with it) and that in hardware devices there were no COM ports to be found (one of which was previously associated with the fax modem).

     Actions taken to date:

     Confirmed Zone Alarm and Windows XP are up-to-date with latest resource files and security patches.
     Performed a deep scan using Zone Alarm: no infections found.
     Performed a 4 hour test of the RAM using memtest: no errors found.
     Downloaded and ran Malwarebytes' Anti-Malware quick scan: no errors found.
     Rebooted Windows into safe mode and did a full scan using Malwarebytes' Anti-Malware: trojan fraudpack found in registry. I had the program fix the problem.
     Rebooted Windows in Normal mode: warning concerning the default e-mail client appeared again. Computer seemed to be faster than earlier. After about an hour, however, the computer froze again as before [often, but not always, when 3 or more IE and/or Firefox tabs are loading pages (a Java issue??), but freezes have also occurred when using file manager, sending an e-mail, and even once while writing this message in Notepad with no other applications running.]
     Re-installed modem driver: modem will still not initialize.
     Deleted Java and re-installed the latest version available at Sun Microsystems' website: no change in computer's behaviour (still get default email notice, periodic freeze-ups and unable to initialize modem).
     Ran Malwarebytes' Anti-Malware quick scan: no errors found.

     Any help or direction would be appreciated. Here is the HijackThis report created this morning (I am about to perform another full scan using Malwarebytes' Anti-Malware while in safe mode. It takes about 2.5 hours to complete.)
(gupdate1c9cfeded8a9190) (gupdate1c9cfeded8a9190) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 11611 bytes PS: The web site I suspect was the source of this problem has been narrowed down to one of 6 to 8 (they were the pages loading into IE tabs at the time of the ZoneAlarm alert. They are all agriculture information and/or government news sites based in asia I have visted on a daily basis for the past copiule of years without issue. 
I can forward these links if you would like to test them on a protected machine (I have not tried accessing any of them again since Friday.)