Slowdown & Site Connectivity Issues


I am experiencing some issues, but can't tell if they're malware-related.

SYMPTOMS

System slowdown

In the last two weeks, my system has slowed significantly. I did not install any software or make any changes to the configuration that might explain the change. Examples include unusually long launch times for applications and multi-second delays in the appearance of menus when selected or right-clicked (sometimes more than 10 seconds).

MalwareBytes and AVG Update Issues

As part of my troubleshooting, I downloaded MalwareBytes (on another computer) and installed it. When I tried to update it, I kept receiving error 732(12002,0) messages. After several attempts to troubleshoot (below), I copied an up to date rules.ref file from another computer and replaced my old one.

I have had similar trouble updating my AVG definitions. Scheduled and manual updates fail.

No other computers on our network have similar problems.

Site Connection Issues

The Internet connection for this computer (wired and wireless) is intermittently very slow. There is no discernible pattern that corresponds to sites, time of day, day of week or other criteria.

Also, I occasionally have trouble connecting to the MalwareBytes forum on the affected computer (I'm using another computer to avoid problems with posting and troubleshooting).

Flash Drive Infection

I am a substitute teacher, and I often use multiple computers in a week. I carry files with me on a flash drive, and I frequently pick up a trojan. When I use my flash drive at home on the affected computer, AVG blocks attempts at infection and removes the files from the flash drive. I frequently scan the flash drive with AVG, and after these issues arose, I also scanned it with MalwareBytes (on a school computer, so I don't have the log file). The school uses Computer Associates Integrated Threat Manager, which does not intercept the infection.

ATTEMPTED TROUBLESHOOTING

At first, I suspected my issues resulted from benign neglect. I took the following steps (not listed in order):

  • Spyware check (AdAware)
  • Several registry cleaners (Little Registry Cleaner, TweakNow RegCleaner, nCleaner)
  • Checked the hard drive integrity (WD Diagnostics)
  • Defragged the hard drive (Smart Defrag)
  • Virus scan (AVG)
  • Malware scan (Windows Malicious Software Removal Tool - manual scan)
  • Disk clean-up (Wise Disk Cleaner Free)

When the issues continued, I considered it might be a network or ISP issue. I took the following steps (not listed in order):

  • Basic network troubleshooting (reboot cable modem and router, check wireless signal strength, use wired connection)
  • Router firmware update (Linksys WRG54S v7 updated to latest firmware)
  • Check other computers on network (no connection or speed issues)
  • SpeedTest (other newer computer: 10ms ping, 5.44 Mb/s downstream, 0.54 Mb/s upstream; affected computer: 15 ms ping, 3.68 Mb/s downstream, 0.53 Mb/s upstream; multiple tests conducted consecutively)

I downloaded MalwareBytes on the other computer, copied it to the affected computer and installed successfully. I chose to update at the end of the install, but the update failed. Multiple attempts to update manually failed, including following the instructions, "Error Code 732 - Internet Explorer 8, Possible Fix." (http://forums.malwarebytes.org/index.php?showtopic=24605) A scan using the older, installed rules found a registry and a file infection:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) - quarantined and deleted successfully
  • C:\Documents and Settings\David\Local Settings\Temp\dogpile_sub_installer.exe (Trojan dropper) - quarantined and deleted successfully

Thanks to the forum, I copied the rules.ref file from the healthy computer to the affected computer. I renamed the old file (rules.ref.old) and saved the up-to-date file in place of the old one. A scan with the up-to-date file found no infections on Quick Scan or Full Scan.

OTHER NOTES

When following the "I'm infected - What do I do now?" instructions, I had no trouble running DeFogger or DDS (I did all downloads on the healthy computer). When I ran the GMER Rootkit Scanner, it ran for several hours (three to four) and showed activity, but since it seemed to take longer than it should, I aborted the scan, then followed the instructions I found in the topic, "Rootkit.Agent that will not go away." (http://forums.malwarebytes.org/index.php?showtopic=35856).

The scan again ran for a long time, more than two hours, when I finally just let it run overnight. The next morning, the scan showed it completed successfully. I am including that log as directed, but thought the issue with running GMER might be relevant.

PASTE OR ATTACH?

According to the instructions on the forum, I'm supposed to zip and attach the files attach.txt and ark.txt. A moderator in a more recent post told the OP to paste all logs into the post and not to attach unless directed. I am following that more recent guidance.

Thank you,

David

Malwarebytes' Anti-Malware 1.44

Database version: 3921

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/28/2010 2:09:35 PM

mbam-log-2010-03-28 (14-09-35).txt

Scan type: Full Scan (C:\|)

Objects scanned: 236596

Time elapsed: 1 hour(s), 17 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86

Run by David at 13:43:29.18 on Sat 03/27/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.122 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\AVG\AVG9\avgupd.exe

C:\Documents and Settings\David\Desktop\dds.com

C:\Program Files\AVG\AVG9\avgupd.exe

C:\Program Files\AVG\AVG9\fixcfg.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page =

uSearch Bar =

mSearchAssistant =

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.cartoonnetwork.com/games/ppg/rowdyruffboys/index.html"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [O2USB] o2usb.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

StartupFolder: c:\docume~1\david\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-explorer: NoLogoff = 01000000

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab

DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://vil.motor.com/scriptx/smsx.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233557598249

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233560690805

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

IFEO: taskmgr.exe - "c:\program files\processexplorer\PROCEXP.EXE"

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-18 64288]

R0 OzCrd2k;OzCrd2k;c:\windows\system32\drivers\OzCrd2k.sys [2003-1-22 3104]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-2 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-2 29512]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-2 242696]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-2 353672]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-16 308064]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 WPC54GSv2;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\drivers\WPC54GSv2.SYS [2006-12-1 610816]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]

S4 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-2-11 317440]

=============== Created Last 30 ================

2010-03-27 18:21:10 0 ----a-w- c:\documents and settings\david\defogger_reenable

2010-03-25 01:04:41 0 d-----w- c:\program files\Trend Micro

2010-03-22 23:03:47 0 d-----w- c:\program files\Wise Disk Cleaner

2010-03-22 19:11:09 0 d-----w- c:\docume~1\david\applic~1\Windows Search

2010-03-22 13:36:50 0 d-----w- c:\program files\Seagate

2010-03-22 13:34:53 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-03-22 03:13:06 0 d-----w- c:\docume~1\david\applic~1\IObit

2010-03-22 03:13:02 0 d-----w- c:\program files\IObit

2010-03-19 00:39:24 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-19 00:06:41 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-03-19 00:05:12 0 d-----w- c:\program files\Lavasoft

2010-03-18 21:56:10 0 d-----w- c:\docume~1\david\applic~1\Malwarebytes

2010-03-18 21:55:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-18 21:55:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 21:55:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-18 21:55:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-18 20:32:12 0 d-----w- c:\docume~1\david\applic~1\Stardock

2010-03-18 20:31:16 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}

2010-03-18 20:31:09 0 d-----w- c:\program files\Stardock

2010-03-18 20:05:39 0 ----a-w- c:\windows\system32\w32apiw.dll

2010-03-18 20:05:37 0 d-----w- c:\docume~1\david\applic~1\nCleaner

2010-03-18 20:05:20 0 d-----w- c:\program files\NKProds

2010-03-18 19:17:04 0 d-----w- c:\program files\common files\Little Registry Cleaner

2010-03-18 19:16:12 0 d-----w- c:\program files\Little Registry Cleaner

2010-03-18 16:21:55 0 d-----w- c:\program files\Autoruns

2010-03-16 14:03:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2010-03-16 14:03:17 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-16 14:03:03 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-22 00:29:51 41 ----a-w- c:\documents and settings\david\jagex_runescape_preferences.dat

2010-02-22 00:10:15 69 ----a-w- c:\documents and settings\david\jagex_runescape_preferences2.dat

2010-01-16 00:34:09 22675 ----a-w- c:\windows\system32\nvModes.dat

============= FINISH: 13:44:13.85 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 2/1/2009 7:37:05 PM

System Uptime: 3/27/2010 1:39:20 PM (0 hours ago)

Motherboard: Dell Computer Corporation | | Inspiron 2650

Processor: Mobile Intel® Pentium® 4 - M CPU 1.80GHz | U49 | 1795/100mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 112 GiB total, 67.936 GiB free.

D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP408: 12/19/2009 1:08:14 PM - System Checkpoint

RP409: 12/20/2009 1:30:02 PM - System Checkpoint

RP410: 12/21/2009 2:30:04 PM - System Checkpoint

RP411: 12/22/2009 8:21:39 AM - Avg8 Update

RP412: 12/23/2009 8:31:13 AM - System Checkpoint

RP413: 12/24/2009 8:43:48 AM - System Checkpoint

RP414: 12/25/2009 8:44:04 AM - System Checkpoint

RP415: 12/26/2009 9:44:08 AM - System Checkpoint

RP416: 12/27/2009 10:35:43 AM - System Checkpoint

RP417: 12/28/2009 12:43:05 PM - System Checkpoint

RP418: 12/29/2009 1:33:45 PM - System Checkpoint

RP419: 12/30/2009 3:56:08 PM - System Checkpoint

RP420: 12/31/2009 8:54:16 AM - Avg8 Update

RP421: 1/1/2010 9:16:10 AM - System Checkpoint

RP422: 1/4/2010 1:16:02 PM - System Checkpoint

RP423: 1/4/2010 5:45:10 PM - Printer Driver hp LaserJet 1000 Installed

RP424: 1/4/2010 5:45:41 PM - Printer Driver hp LaserJet 1000 Installed

RP425: 1/4/2010 5:45:54 PM - Printer Driver hp LaserJet 1000 Installed

RP426: 1/4/2010 5:46:06 PM - Printer Driver hp LaserJet 1000 Installed

RP427: 1/5/2010 7:06:08 PM - System Checkpoint

RP428: 1/6/2010 7:32:01 PM - System Checkpoint

RP429: 1/8/2010 4:56:13 PM - System Checkpoint

RP430: 1/9/2010 5:00:34 PM - System Checkpoint

RP431: 1/11/2010 8:13:41 PM - System Checkpoint

RP432: 1/12/2010 9:08:59 PM - System Checkpoint

RP433: 1/13/2010 10:00:39 PM - System Checkpoint

RP434: 1/14/2010 11:00:32 PM - System Checkpoint

RP435: 1/15/2010 11:31:44 PM - System Checkpoint

RP436: 1/17/2010 12:31:44 AM - System Checkpoint

RP437: 1/18/2010 1:07:46 AM - System Checkpoint

RP438: 1/18/2010 9:55:52 AM - Avg8 Update

RP439: 1/18/2010 12:27:41 PM - Software Distribution Service 3.0

RP440: 1/19/2010 1:07:28 PM - System Checkpoint

RP441: 1/19/2010 8:19:28 PM - Software Distribution Service 3.0

RP442: 1/21/2010 7:27:43 AM - System Checkpoint

RP443: 1/22/2010 6:06:11 AM - Software Distribution Service 3.0

RP444: 1/23/2010 1:39:46 PM - System Checkpoint

RP445: 1/24/2010 2:23:42 PM - System Checkpoint

RP446: 1/26/2010 9:23:46 AM - System Checkpoint

RP447: 1/26/2010 9:48:18 AM - Avg8 Update

RP448: 1/27/2010 6:41:47 AM - Installed Java 6 Update 18

RP449: 1/29/2010 9:13:02 AM - System Checkpoint

RP450: 1/31/2010 4:18:09 PM - System Checkpoint

RP451: 2/1/2010 5:58:42 PM - System Checkpoint

RP452: 2/5/2010 5:35:46 AM - System Checkpoint

RP453: 2/6/2010 2:39:28 PM - System Checkpoint

RP454: 2/8/2010 11:05:44 AM - System Checkpoint

RP455: 2/9/2010 3:19:59 PM - Software Distribution Service 3.0

RP456: 2/10/2010 3:45:57 PM - System Checkpoint

RP457: 2/11/2010 6:21:40 PM - System Checkpoint

RP458: 2/14/2010 12:14:03 PM - System Checkpoint

RP459: 2/15/2010 4:28:53 PM - System Checkpoint

RP460: 2/16/2010 7:22:32 PM - System Checkpoint

RP461: 2/18/2010 1:30:21 AM - System Checkpoint

RP462: 2/19/2010 12:10:46 PM - System Checkpoint

RP463: 2/20/2010 5:31:21 PM - System Checkpoint

RP464: 2/21/2010 6:44:56 PM - System Checkpoint

RP465: 2/24/2010 7:01:32 AM - Software Distribution Service 3.0

RP466: 2/25/2010 7:38:41 AM - System Checkpoint

RP467: 2/26/2010 1:03:26 PM - System Checkpoint

RP468: 2/27/2010 1:55:55 PM - System Checkpoint

RP469: 2/28/2010 4:33:55 PM - System Checkpoint

RP470: 3/1/2010 5:56:20 PM - System Checkpoint

RP471: 3/2/2010 7:21:42 PM - System Checkpoint

RP472: 3/3/2010 7:26:21 PM - System Checkpoint

RP473: 3/3/2010 8:53:24 PM - Installed TurboTax 2009 wrapper

RP474: 3/3/2010 8:54:49 PM - Installed TurboTax 2009 WinPerReleaseEngine

RP475: 3/3/2010 9:00:29 PM - Installed TurboTax 2009 WinPerFedFormset

RP476: 3/3/2010 9:05:37 PM - Installed TurboTax 2009 WinPerTaxSupport

RP477: 3/3/2010 10:08:33 PM - Installed TurboTax 2009 wksiper

RP478: 3/3/2010 10:09:01 PM - Installed TurboTax 2009 wmoiper

RP479: 3/4/2010 9:21:22 AM - Printer Driver hp LaserJet 1000 Installed

RP480: 3/4/2010 9:22:36 AM - Printer Driver hp LaserJet 1000 Installed

RP481: 3/4/2010 9:23:12 AM - Printer Driver hp LaserJet 1000 Installed

RP482: 3/5/2010 9:36:43 AM - System Checkpoint

RP483: 3/7/2010 1:36:29 AM - System Checkpoint

RP484: 3/8/2010 5:13:13 PM - System Checkpoint

RP485: 3/9/2010 5:46:28 PM - System Checkpoint

RP486: 3/10/2010 8:34:49 PM - Software Distribution Service 3.0

RP487: 3/11/2010 9:38:33 AM - Avg8 Update

RP488: 3/12/2010 10:16:45 AM - System Checkpoint

RP489: 3/13/2010 11:16:49 AM - System Checkpoint

RP490: 3/16/2010 9:03:38 AM - Avg Update

RP491: 3/17/2010 9:55:25 AM - System Checkpoint

RP492: 3/18/2010 9:02:42 AM - Avg Update

RP493: 3/18/2010 11:03:24 AM - Removed Europa Universalis III

RP494: 3/18/2010 11:17:48 AM - Removed Windows 7 Upgrade Advisor

RP495: 3/18/2010 11:28:13 AM - Configured Microsoft Office Enterprise 2007

RP496: 3/18/2010 2:26:11 PM - Before Little Registry Cleaner Registry Fix

RP497: 3/18/2010 2:34:54 PM - Before Little Registry Cleaner Registry Fix

RP498: 3/18/2010 3:08:56 PM - nCleaner2 - User Defined (03/18/10 15:08:47)

RP499: 3/22/2010 8:35:24 AM - Installed Microsoft Visual C++ 2005 Redistributable

RP500: 3/22/2010 8:36:48 AM - Installed SeaTools for Windows

RP501: 3/24/2010 9:59:10 PM - Removed Warner Bros. Digital Copy Manager

RP502: 3/27/2010 12:44:40 PM - System Checkpoint

==== Installed Programs ======================

1st Free Solitaire 1.7.1

3D Home Architect® Deluxe 3.0

Access 2003 Inside Out Sample Files

Acrobat.com

Ad-Aware

Ad-Aware Email Scanner for Outlook

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader 9.3.1

Adobe Reader for Palm OS, 3.05

Adobe Shockwave Player 11.5

AI RoboForm

Amazon Games & Software Downloader

AnswerWorks 5.0 English Runtime

ASAP Utilities

Avery Wizard 3.1

AVG Free 9.0

Belarc Advisor 7.2

Bullzip PDF Printer 6.0.0.744

Calendar Printing Assistant for Microsoft Office Outlook 2007

CDDRV_Installer

Compatibility Pack for the 2007 Office system

Conexant D480 MDC V.92 Modem

Dell Driver Download Manager

Dell Modem-On-Hold

erLT

EVEREST Ultimate Edition v5.01

EzRecover

FACTMASTER v1.2

Fences

GIMP 2.6.6

Google SketchUp 7.1

GPL Ghostscript Lite 8.63

HD Tune 2.55

HijackThis 2.0.2

Hotfix 2055 for SQL Server 2000 ENU (KB960082)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Format SDK (KB902344)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB922120-v6)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

hp LaserJet 1000

hp officejet 6100 series

HP Photo and Imaging 2.0 - All-in-One

HP Photo and Imaging 2.0 - All-in-One Drivers

HP Photo and Imaging 2.0 - hp officejet 6100 series

HP Print Diagnostic Utility

Inkscape 0.46

InstallMgr

InterVideo WinDVD

IZArc 3.81

Java 6 Update 18

KhalInstallWrapper

Little Registry Cleaner

Logitech SetPoint

Logitech Updater

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Calculator Plus

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Default Manager

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office 2003 Web Components

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Converter Pack

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office FrontPage 2003

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Live Add-in 1.4

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook 2003 Calendar Views Add-in

Microsoft Office Outlook 2003 with Business Contact Manager Update

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint 2003 Template Pack 1

Microsoft Office PowerPoint 2003 Template Pack 2

Microsoft Office PowerPoint 2003 Template Pack 3

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Sounds

Microsoft Office Word 2003 Redaction Add-in

Microsoft Office Word MUI (English) 2007

Microsoft OpenType Font File Properties Extension

Microsoft Outlook Personal Folders Backup

Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)

Microsoft Sync Framework Runtime v1.0 (x86)

Microsoft Sync Framework Services v1.0 (x86)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Web Embedding Fonts Tool (III)

Microsoft Windows XP Video Decoder Checkup Utility

Modem Helper

Move Media Player

MSN Toolbar

nCleaner second 2.3.4.0

NVIDIA Windows 2000/XP Display Drivers

O2UsbCrd

Palm Outlook Conduits Updater

palmOne

Pixie 3.1 (remove only)

Publisher WordArt Compatibility Add-In

Quicken 2008

Remove Hidden Data Tool

SeaTools for Windows

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB978380)

Security Update for Microsoft Office Excel 2007 (KB978382)

Security Update for Microsoft Office Outlook 2007 (KB972363)

Security Update for Microsoft Office PowerPoint 2007 (KB957789)

Security Update for Microsoft Office Publisher 2007 (KB969693)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB969613)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978706)

SigmaTel AC97 Audio Drivers

Smart Defrag

SpeedFan (remove only)

Spelling Dictionaries Support For Adobe Reader 9

Synaptics Pointing Device Driver

SyncBack

SyncToy 2.0 (x86)

TurboTax 2008

TurboTax 2008 WinPerFedFormset

TurboTax 2008 WinPerProgramHelp

TurboTax 2008 WinPerReleaseEngine

TurboTax 2008 WinPerTaxSupport

TurboTax 2008 WinPerUserEducation

TurboTax 2008 wksiper

TurboTax 2008 wmoiper

TurboTax 2008 wrapper

TurboTax 2009

TurboTax 2009 WinPerFedFormset

TurboTax 2009 WinPerReleaseEngine

TurboTax 2009 WinPerTaxSupport

TurboTax 2009 wksiper

TurboTax 2009 wmoiper

TurboTax 2009 wrapper

Tweak UI

TweakNow RegCleaner

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office InfoPath 2007 (KB976416)

Update for Microsoft Office Infopath 2007 Help (KB963662)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 (KB974561)

Update for Microsoft Office Word 2007 Help (KB963665)

Update for Microsoft Windows (KB971513)

Update for Outlook 2007 Junk Email Filter (kb979895)

Update for Windows Internet Explorer 8 (KB968220)

Update for Windows Internet Explorer 8 (KB972636)

Update for Windows Internet Explorer 8 (KB973874)

Update for Windows Internet Explorer 8 (KB975364)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows XP (KB898461)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VC 9.0 Runtime

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

WD Diagnostics

WebFldrs XP

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live ID Sign-in Assistant

Windows Media Format 11 runtime

Windows Media Player 11

Windows Search 4.0

Wise Disk Cleaner 5.2

ZoneAlarm

==== Event Viewer Messages From Past Week ========

3/27/2010 12:49:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant

3/24/2010 8:50:55 PM, error: Service Control Manager [7022] - The Windows Search service hung on starting.

3/23/2010 6:58:22 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}

3/23/2010 11:02:41 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.

3/21/2010 9:06:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/21/2010 9:00:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

3/21/2010 12:10:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

3/20/2010 8:01:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant

3/20/2010 8:01:20 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.

3/20/2010 8:01:20 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/20/2010 8:01:20 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/20/2010 8:01:20 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/20/2010 8:01:20 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-28 08:54:45

Windows 5.1.2600 Service Pack 3

Running: 0pfmjs3v.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\pwtdapoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF680DFC0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF680AC80]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF6825170]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF680E580]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF6822900]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF6822B10]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF6826B10]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF680E670]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF680B210]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF68259F0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF68257A0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF6822280]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF6825F10]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF6825F90]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF680B070]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF6824180]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF6823F40]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF68266F0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF6826150]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF680DBE0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF6826540]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF680E190]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF680B440]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF68254E0]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF6823200]

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF6823080]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS46D93.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS46D94.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS46D95.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS46D96.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS46D97.log 131072 bytes

---- EOF - GMER 1.0.15 ----


  • 2 weeks later...

Hello David,

Your thread seems to have been overlooked for a good while, most likely due to the forum being very, very busy. Your patience is commendable.

Let me first observe that you should stay away from any "registry cleaning" tools.

You do mention that you have flash drive issues --- quite likely infection(s) of some sort.

So, we'll address that first.

But, do keep in mind, that the other issues you listed (like slowness issues or internet connectivity issues) may -not- be related to malware issues --- and thus take a long time to iron out.

Step 1

Disable the options "Automatically detect settings" and "Use automatic configuration script."

To do this:

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

Step 2

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 3

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 4

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 5

Gather up all your portable USB flash drives. Do not use them to transfer to other systems until they've been run through the following "flash drive disinfector". If needed, repeat the disinfector step as many times as needed until you get all flash drives processed. {Likewise, be leery of using other people's flash drives.}

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.

The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:

http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://download.bleepingcomputer.com/sUBs/...Disinfector.exe

There is no GUI interface or log file produced.

Repeat using the flash drive disinfector until all those devices are processed.

Keep in mind, the utility only takes care of removing autorun capability; it does not scan or remove infections.

For the latter, you have to scan the devices with anti-virus and anti-malware programs.

Please download >> DrWeb-CureIt << and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Always copy & paste the contents of logs into the main body of your reply.

Do NOT use the attach feature.

Reply with copy of the DrWeb Cure-it report

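An added example (mine, not code from this thread or from either tool Step 5 links) showing what the AutoRun mitigation above is defending against: a small Python audit of a removable drive's root that parses an autorun.inf the lenient way the Windows shell does, flags any directive that would launch a program, and recognises a directory named Autorun.inf as the protective placeholder. The placeholder-directory technique is my assumption about how disinfector-style tools work (the post only says a protected file is written), and the two sample drive roots are constructed in a temp directory.

```python
import tempfile
from pathlib import Path

# [autorun] directives that make Windows XP run a program when a device is
# inserted (AutoRun) or when its drive icon is double-clicked.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.
    Lenient on purpose: worm-written files carry junk lines, NUL padding and
    odd casing that configparser rejects but the Windows shell tolerates."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries):
    """Directives that would execute something, as (key, target) pairs."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def audit_drive_root(root):
    """Classify a drive root as 'clean', 'protected' or 'suspicious'."""
    report = {"path": str(root), "autorun": None, "launches": [], "verdict": "clean"}
    # Match the name case-insensitively, as Windows would, so the audit behaves
    # the same when run from another OS against a mounted stick.
    entry = next((c for c in Path(root).iterdir() if c.name.lower() == "autorun.inf"), None)
    if entry is None:
        return report
    report["autorun"] = entry.name
    if entry.is_dir():
        # Assumed placeholder technique: a *directory* named Autorun.inf is never
        # parsed for AutoRun, and a worm cannot create a same-named file while it
        # exists. The post itself only says a protected file is written.
        report["verdict"] = "protected"
        return report
    report["launches"] = launch_directives(parse_autorun(entry.read_text(errors="replace")))
    if report["launches"]:
        report["verdict"] = "suspicious"
    return report


def build_demo_drives(base):
    """Constructed sample drive roots under *base* (no real malware involved)."""
    infected = Path(base) / "infected_drive"
    infected.mkdir()
    (infected / "AUTORUN.INF").write_text(     # constructed worm-style file
        "[AutoRun]\n"
        ";junk line a naive parser might choke on\n"
        "OPEN=sample_dropper.exe\n"
        "shell\\open\\Command=sample_dropper.exe\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    )
    protected = Path(base) / "protected_drive"
    protected.mkdir()
    (protected / "Autorun.inf").mkdir()      # the placeholder directory
    return infected, protected


def run_demo():
    """Audit both constructed drives; returns (infected_report, protected_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, protected = build_demo_drives(tmp)
        return audit_drive_root(infected), audit_drive_root(protected)


if __name__ == "__main__":
    for report in run_demo():
        print(f"{report['path']}: {report['verdict']}")
        for key, target in report["launches"]:
            print(f"  would launch via {key}: {target}")
```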

Maurice:

Thank you for tackling my issue. I am nearly finished with the steps you outlined. Right now, I am running Dr. Web CureIt in Safe Mode. My system still is executing the Express Scan, and is at one hour and 42 minutes (6,998 files). I will let it run overnight, then run the Complete Scan and post the results per your instructions.

Thank you,

David


Maurice:

I let the Express Scan for Dr. Web CureIt run overnight, but it still isn't finished. It now shows a scan time of 12:42:28 and 7,195 files. The progress bar is only about 15 percent full. The application is still working: the file counter ticks upward (just 35 files in the past two hours), and the scan time continues to run.

I'm guessing that this is not normal behavior. I am running in safe mode (no networking). I have no other applications open.

I tried to open Process Explorer (which I run in place of Task Manager) to check for running services, but it would not open. I first tried by using CTRL+ALT+DEL and selecting Task Manager (Process Explorer). After several minutes with no response, I right-clicked the task bar and selected Task Manager. I got an hourglass for a few seconds, then it reverted to a normal cursor and Process Explorer did not open. I gave it a few minutes and tried the same method again with the same results. Finally, I tried to open Process Explorer from the Start Menu. It took one or more minutes to display folders (I had to open two to reach the shortcut for Process Explorer). The final folder still hadn't displayed when Process Explorer opened from a previous attempt (which was at least five minutes ago).

I clicked off the Start Menu and walked away from the machine to give it time to refresh and show Process Explorer. It is showing CPU usage at 0.99 percent, Commit Charge at 15.50 percent, 18 processes and Physical Usage at 64.5 percent. There are occasional spikes in those numbers, but it has remained around those levels steadily. Here are the services it shows running:

System Idle Process
Interrupts
DPCs
System
smss.exe
csrss.exe
winlogon.exe
services.exe [Eventlog][PlugPlay]
svchost.exe [DcomLaunch]
svchost.exe [RpcSs]
svchost.exe [CryptSvc][helpsvc][srservice][winmgmt]
lsass.exe
avgchsvx.exe
avgcsrvx.exe
explorer.exe
drwebcureit.exe
563kut.exe
86cs3xp.exe
procexp.exe
avgcsrvx.exe (second instance)

I won't terminate the Express Scan without your direction. Should I continue to run it, or would you like me to take other action? I have not yet reached the Complete Scan step.

Thanks for your help.

David


Maurice:

Since I last posted, CureIt has returned to normal scanning speed. I looked up at around the 14:02:15 mark of the scan time and saw that it was flying through the files. As of this post, the scan time is 15:01:23 and CureIt has scanned 37,312 files. The progress bar is roughly 50 percent complete.

Assuming this continues, I will let this Express Scan finish. I will then run the Complete Scan per your instructions.

Please forgive the stream of updates. I'm assuming that you prefer information about non-standard behaviors as they may help in your diagnosis. Could the slow scan speed have anything to do with AVG running simultaneously? Should I have shut that down before running CureIt? More importantly, should I shut it down before running the Complete Scan? The files it was scanning when it was nearly frozen seemed all to be in the Windows System folders.

Respectfully,

David


Hopefully you are running the DrWeb Cure-It in SAFE mode (as per directions), and if so, your antivirus would not be active.

On the other hand, if it -is- running the scan in Normal mode, I can see where your antivirus might be slowing it down.

Since the scan is making progress, just leave it running and allow it to finish. Meantime, do not use the pc for any other use.

btw, thanks for the details (re Task Manager). But they're not needed.


Maurice:

I am running Dr. Web CureIt in safe mode. The Express Scan finally finished (no infections). I ran the Complete Scan, also in safe mode, and it ran overnight then crashed. I rebooted into safe mode and ran it again, cancelling out of the Express Scan and running the Complete Scan with the settings you provided. It ran overnight and crashed again ("86cs3xp.exe has encountered a problem and needs to close"; made it to 135,682 files scanned).

I tried one more time, this time without rebooting. I was still in safe mode, and I again cancelled the Express Scan and ran a Complete Scan following your directions. I ran the scan overnight. Thus far, the scan continues and it has not crashed. The scan time, though, is at 17:35:51. Is that unusual? The current count of scanned files is up to 186,885 and the progress bar looks like it has only three or four percent left to go.

The scan speed has slowed dramatically since the first thousands of files, from more than 800 KB/s to around 10 KB/s. For instance, for the last five hours, the app has been scanning the system32\drivers files, and processed about 90 of them. Thus far, the statistics tab shows no infections.

Thank you,

David


Maurice:

Of course, as soon as I sent my last post, the scan speed picked up and it is now finished. Dr. Web CureIt found no viruses. I could not save the report list because the option was grayed out.

As you requested, I took the steps below. I'll stand by and await further instructions.

Thanks for your help.

David

Step 1

Disable the options "Automatically detect settings" and "Use automatic configuration script."

***DONE***

Step 2

Backup registry using ERUNT

***DONE***

Step 3

Set Windows to show all files and all folders.

***DONE***

Step 4

Clean temp files with TFC

***DONE***

Step 5

Use TweakUI to turn off AutoPlay on all drive letters except CD/DVD drive letters

***DONE***

Run Flash Drive Disinfector on all flash drives

***DONE***

Step 6

Scan for viruses in Safe Mode using DrWebCureIt

ExpressScan

***DONE*** (no viruses)

CompleteScan

***DONE*** (no viruses)

Step 7

Reply with copy of the DrWeb Cure-it report

***DONE*** (no report; "Save Report List" grayed out)
