
Solved Unknown! Random crashes and XP freeze after 2-3 hours inactivity

Discussion in 'Malware and Virus Removal Archive' started by mariusar, 2009/08/02.

  mariusar (Thread Starter), 2009/08/02


    I need help from the super-gurus here, desperately! PLEASE!

    I will try to be as brief and concise as possible while providing as much info as I can...

    I am a technology PM with average PC skills/experience.

    SYMPTOMS:
    Over the last couple of weeks, one of my PCs has been driving me crazy...it started with a crash and since then it has been extremely unstable/unreliable. It will work fine for hours and hours and then XP might simply lock up totally for seemingly no reason. Happens during surfing, file navigation, etc. Getting the occasional BSOD. Minidumps are not revealing any obvious culprits. Most frustrating is the regular XP system freeze [complete lockup on screen forcing manual reboot] which seems to occur every night after several hours of inactivity.

    No browser hijacking, no redirects, no search/spyware/malware popups.

    What drives me nuts is that this PC has been rock solid for almost 2 years prior to this!


    HARDWARE:
    - Dell Optiplex GX620 [out of the box, no hardware modifications];
    - 1.5 GB RAM;
    - 1.2 fixed pagefile

    SOFTWARE / DRIVERS:
    - XP SP2 with nearly all post SP2 patches/hotfixes/updates installed EXCEPT SP 3;
    - all drivers for installed devices current per Dell/hardware manufacturers or MS;
    - BIOS and Chipset upgraded to latest available from Dell, BIOS settings at defaults

    STEPS TAKEN THUS FAR:
    - Spybot scan = clean;
    - Avira AV/Rootkit scan = clean;
    - Panda Online scan = clean;
    - Trend Micro online scan = clean;
    - MalwareBytes scan = clean;
    - MS Live AV scan = clean;
    - Norman Malware/Rootkit scan = clean;
    - Sophos AntiRootKit scan = clean;
    - SpywareBlaster installed;
    - MS MRT Tool scan = clean;
    - XP sfc/scannow = no errors;
    - XP Driver Verifier = no errors;
    - Dell Driver Reset tool = no errors;
    - Dell low level hardware diagnostic = no errors;
    - Memtest = no errors;
    - Performed in place XP REPAIR INSTALLATION = successful, forcing reapplication of all post SP2 hotfixes/patches/updates;
    - CCleaner run regularly;
    - SysInternals Process Explorer = shows no unusual process;
    - SysInternals Autoruns = shows no unusual entries;
    - SysInternals TCPView = shows no unusual activity;
    - ShellEx Viewer = indicates only valid explorer.exe extensions;
    - XP SystemRestore = OFF
    - XP Hibernation = OFF
    - XP Power Settings = ALWAYS ON [never power down for all]
    - HJT log = shows no unusual entries

    So I am pretty much at the end of what I know to try...now just hoping that someone can help out here!

    There are 2 other strange things happening on my system [strange because I never noticed them before, but that does not mean they haven't been happening for a while]:

    - Device manager lists my display adapter twice [Intel 82945G Express Chipset]; I have tried disabling one, and a complete uninstall and reinstall, but every time XP ends up installing both devices; this may be normal behavior with the updated drivers as this onboard display chipset seems to support multiple monitors;

    - Broadcom NetXTreme 57xx NIC adapter [onboard] locks up XP when trying to run the included Broadcom diagnostics; I have been unable to find a solution to this.

    That's about it. DDS logs follow.

    THANKS SO MUCH IN ADVANCE FOR ANY HELP ANYONE CAN RENDER!

    cheers,
    -mariusar


    DDS Text:

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Henry at 20:05:03.78 on Sun 08/02/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.734 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Henry\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://news.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} -
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} -
    BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} -
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} -
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
    TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [basicsmssmenu] c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175570443593
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\henry\applic~1\mozilla\firefox\profiles\9rp5vw97.default\
    FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
    FF - component: c:\documents and settings\henry\application data\mozilla\firefox\profiles\9rp5vw97.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
    FF - plugin: c:\documents and settings\henry\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.enforce_same_site_origin ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.cache_size ", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.ogg.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.wave.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.autoplay.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.urlbar.autocomplete.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "capability.policy.mailnews.*.wholeText ", "noAccess ");
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.storage.default_quota ", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "content.sink.event_probe_rate ", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.http.prompt-temp-redirect ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "layout.css.dpi ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "layout.css.devPixelsPerPx ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "gestures.enable_single_finger_input ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.max_chrome_script_run_time ", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.tcp.sendbuffer ", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "geo.enabled ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.remember_cert_checkbox_default_setting ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr ", "moz35 ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-cjkt ", "moz35 ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.urlbar.restrict.typed ", "~ ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.urlbar.default.behavior ", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.history ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.formdata ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.passwords ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.downloads ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cookies ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cache ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.sessions ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.offlineApps ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.siteSettings ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.history ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.formdata ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.passwords ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.downloads ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cookies ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cache ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.sessions ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.offlineApps ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.siteSettings ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.sanitize.migrateFx3Prefs ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "geo.wifi.uri ", "https://www.google.com/loc/json ");

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-4 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-4 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-4 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-4 55640]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
    S3 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-3-8 61440]
    S3 CrystalSysInfo;CrystalSysInfo;c:\program files\mediacoder\SysInfo.sys [2007-9-25 15152]
    S3 i740;i740;c:\windows\system32\drivers\i740nt5.sys [2009-7-23 58592]
    S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

    =============== Created Last 30 ================

    2009-08-02 20:05 <DIR> --d----- c:\temp\RarSFX0
    2009-08-02 15:33 128,896 -c------ c:\windows\system32\dllcache\fltmgr.sys
    2009-08-02 15:33 23,040 -c------ c:\windows\system32\dllcache\fltmc.exe
    2009-08-02 15:33 16,896 -c------ c:\windows\system32\dllcache\fltlib.dll
    2009-08-02 14:30 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
    2009-08-02 14:23 2,376,760 -c------ c:\windows\system32\dllcache\WMVCore.dll
    2009-08-02 14:23 683,520 -c------ c:\windows\system32\dllcache\inetcomm.dll
    2009-08-02 14:23 1,028,096 -c------ c:\windows\system32\dllcache\WMNetmgr.dll
    2009-08-02 14:23 96,768 -c------ c:\windows\system32\dllcache\logagent.exe
    2009-08-02 14:10 1,290,752 -c------ c:\windows\system32\dllcache\quartz.dll
    2009-08-02 14:10 332,800 -c------ c:\windows\system32\dllcache\netapi32.dll
    2009-08-02 14:10 119,808 -c------ c:\windows\system32\dllcache\t2embed.dll
    2009-08-02 14:10 82,432 -c------ c:\windows\system32\dllcache\fontsub.dll
    2009-08-02 14:00 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
    2009-08-02 14:00 202,752 -c------ c:\windows\system32\dllcache\rmcast.sys
    2009-08-02 14:00 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
    2009-08-02 14:00 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
    2009-08-02 14:00 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
    2009-08-02 14:00 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
    2009-08-02 13:38 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
    2009-08-02 13:38 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
    2009-08-02 13:38 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
    2009-08-02 13:38 268,288 -c------ c:\windows\system32\dllcache\iertutil.dll
    2009-08-02 13:38 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
    2009-08-02 13:38 6,067,200 -c------ c:\windows\system32\dllcache\ieframe.dll
    2009-08-02 13:38 2,452,872 -c------ c:\windows\system32\dllcache\ieapfltr.dat
    2009-08-02 13:38 380,928 -c------ c:\windows\system32\dllcache\ieapfltr.dll
    2009-08-02 13:38 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
    2009-08-02 12:26 16,384 a------t c:\temp\Perflib_Perfdata_ce8.dat
    2009-08-02 12:25 16,384 a------t c:\temp\Perflib_Perfdata_9f0.dat
    2009-08-02 01:42 16,384 a------t c:\temp\Perflib_Perfdata_fec.dat
    2009-08-02 01:39 16,384 a------t c:\temp\Perflib_Perfdata_c40.dat
    2009-08-02 01:36 139,264 a------- c:\windows\system32\igfxres.dll
    2009-08-02 01:28 81,920 a------- c:\windows\system32\igfxcpl.cpl
    2009-08-01 23:53 2,101,302 a------- c:\windows\ACD Wallpaper.bmp
    2009-07-31 18:44 681,784 a------- c:\temp\WindowsXP-KB914440-v12-x86-ENU.exe
    2009-07-31 17:09 2,186,112 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
    2009-07-31 17:09 2,142,720 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-07-31 17:09 2,062,976 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-07-31 17:09 2,020,864 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
    2009-07-31 16:09 985,088 -c------ c:\windows\system32\dllcache\setupapi.dll
    2009-07-31 03:49 3,374,640 ac------ c:\windows\system32\dllcache\tourW.exe
    2009-07-31 01:20 <DIR> -cd----- c:\windows\system32\dllcache\cache
    2009-07-31 00:05 25,992 a------- c:\windows\system32\pgdfgsvc.exe
    2009-07-30 23:25 488 a---hr-- c:\windows\system32\logonui.exe.manifest
    2009-07-30 23:25 749 a---hr-- c:\windows\WindowsShell.Manifest
    2009-07-30 23:25 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
    2009-07-30 23:25 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
    2009-07-30 23:25 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
    2009-07-30 23:25 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
    2009-07-30 20:38 24,661 a------- c:\windows\system32\spxcoins.dll
    2009-07-30 20:38 13,312 a------- c:\windows\system32\irclass.dll
    2009-07-29 23:37 <DIR> --d----- c:\program files\SysInternals_Autoruns
    2009-07-26 15:26 <DIR> --d----- c:\program files\Support Tools
    2009-07-23 17:02 58,592 a------- c:\windows\system32\drivers\i740nt5.sys
    2009-07-23 17:02 353,184 a------- c:\windows\system32\i740dnt5.dll
    2009-07-23 16:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
    2009-07-23 16:47 60,968 a------- c:\documents and settings\henry\GoToAssistDownloadHelper.exe
    2009-07-21 16:03 54,156 a---h--- c:\windows\QTFont.qfn
    2009-07-21 16:03 1,409 a------- c:\windows\QTFont.for
    2009-07-21 01:50 <DIR> --d----- c:\program files\TCPView
    2009-07-18 17:59 149,504 a------- c:\windows\UNWISE.EXE
    2009-07-14 03:46 <DIR> --d----- c:\docume~1\henry\applic~1\HTNetMeter
    2009-07-14 03:46 <DIR> --d----- c:\program files\HooTech
    2009-07-11 19:36 <DIR> --d----- c:\program files\Camtech
    2009-07-11 03:17 664 a------- c:\windows\system32\d3d9caps.dat
    2009-07-10 23:08 <DIR> --d----- c:\program files\WOT
    2009-07-09 22:18 <DIR> --d----- c:\program files\Defraggler
    2009-07-09 16:43 410,984 a------- c:\windows\system32\deploytk.dll
    2009-07-08 18:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-07-08 18:55 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-07-08 18:55 <DIR> --d----- c:\docume~1\henry\applic~1\SUPERAntiSpyware.com
    2009-07-08 17:33 262,144 a------- c:\windows\system32\default_user_class.dat
    2009-07-08 00:24 <DIR> --d----- c:\program files\Sophos
    2009-07-07 03:46 3,293,184 a------- c:\windows\system32\SET2E.tmp
    2009-07-07 03:46 2,643,968 a------- c:\windows\system32\igxpdx32.dll
    2009-07-07 03:46 1,670,144 a------- c:\windows\system32\igxpdv32.dll
    2009-07-07 03:46 204,800 a------- c:\windows\system32\SET18.tmp
    2009-07-07 03:46 151,040 a------- c:\windows\system32\igxpgd32.dll
    2009-07-07 03:46 102,400 a------- c:\windows\system32\SETF.tmp
    2009-07-07 03:46 58,704 a------- c:\windows\system32\igxpxk32.vp
    2009-07-07 03:46 57,344 a------- c:\windows\system32\igxprd32.dll
    2009-07-07 03:46 48,128 a------- c:\windows\system32\SET12.tmp
    2009-07-07 03:46 23,216 a------- c:\windows\system32\igxpxs32.vp
    2009-07-07 03:46 5,854,752 a------- c:\windows\system32\drivers\igxpmp32.sys
    2009-07-07 03:38 <DIR> --d----- c:\program files\SystemRequirementsLab
    2009-07-07 03:38 294,250 a------- c:\windows\setupapi.old
    2009-07-07 00:22 <DIR> --d----- c:\program files\ProcessMonitor
    2009-07-06 17:30 <DIR> --d----- c:\documents and settings\henry\dwhelper
    2009-07-06 16:46 <DIR> --d----- c:\docume~1\henry\applic~1\NuonSoft
    2009-07-06 16:31 <DIR> --d----- c:\program files\UPHClean
    2009-07-06 14:22 <DIR> --d----- c:\windows\system32\x64
    2009-07-05 23:56 <DIR> --d----- c:\windows\system32\Dell
    2009-07-05 19:19 <DIR> --d----- c:\program files\Debugging Tools for Windows (x86)
    2009-07-05 18:47 <DIR> --d----- c:\docume~1\henry\applic~1\IObit
    2009-07-05 18:47 <DIR> --d----- c:\program files\IObit
    2009-07-05 17:31 45 a------- c:\windows\system32\initdebug.nfo
    2009-07-05 17:31 <DIR> --d----- c:\program files\SpeedFan
    2009-07-05 16:47 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-07-05 16:46 1,676,288 -------- c:\windows\system32\xpssvcs.dll
    2009-07-05 16:46 575,488 -------- c:\windows\system32\xpsshhdr.dll
    2009-07-05 16:46 117,760 -------- c:\windows\system32\prntvpt.dll
    2009-07-05 11:18 <DIR> --dsh--- c:\temp\Temporary Internet Files
    2009-07-05 11:10 <DIR> --dsh--- c:\documents and settings\henry\IECompatCache
    2009-07-05 11:06 <DIR> --dsh--- c:\documents and settings\henry\IETldCache
    2009-07-05 00:18 <DIR> --d----- c:\docume~1\henry\applic~1\Auslogics
    2009-07-05 00:17 <DIR> --d----- c:\program files\Auslogics
    2009-07-04 23:51 <DIR> --d----- c:\program files\trend micro
    2009-07-04 16:13 28,544 a------- c:\windows\system32\drivers\pavboot.sys.OLD
    2009-07-04 15:00 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
    2009-07-04 15:00 <DIR> --d----- c:\program files\Avira
    2009-07-04 15:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
    2009-07-04 01:43 <DIR> a-dshr-- C:\cmdcons
    2009-07-03 21:51 319,456 a------- c:\windows\system32\difxapi.dll
    2009-07-03 21:51 <DIR> --d----- C:\Intel
    2009-07-03 21:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-07-03 21:36 <DIR> --d----- c:\windows\system32\wbem\Repository
    2009-07-03 20:15 <DIR> --d----- c:\program files\Media Player Classic

    ==================== Find3M ====================

    2009-08-01 17:42 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
    2009-07-30 23:14 22,720 a------- c:\windows\system32\emptyregdb.dat
    2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
    2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
    2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
    2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
    2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
    2009-05-20 01:31 720,896 a------- c:\windows\iun6002ev.exe
    2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
    2006-05-03 05:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
    2007-02-21 06:47 31,232 a--shr-- c:\windows\system32\msfDX.dll
    2008-03-16 08:30 216,064 a--shr-- c:\windows\system32\nbDX.dll

    ============= FINISH: 20:05:44.03 ===============


    ATTACH.TXT:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/30/2009 11:30:01 PM
    System Uptime: 8/2/2009 5:30:31 PM (3 hours ago)

    Motherboard: Dell Inc. | | 0FH884
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 74 GiB total, 2.011 GiB free.
    D: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    µTorrent
    ABC Amber LIT Converter
    ABC Amber Palm Converter
    ABC Amber Sony Converter
    ABC Amber Text Converter
    Abysma 1.1
    ACDSee Classic
    Ad-Aware
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Shockwave Player 11
    Advanced Renamer
    Audacity 1.2.6
    AusLogics Disk Defrag
    Avidemux 2.4
    Avira AntiVir Personal - Free Antivirus
    Battleships Forever v0.90b
    Bejeweled 1.5
    Big Two
    Broadcom Advanced Control Suite
    Broadcom ASF Management Applications
    Broadcom Gigabit Integrated Controller
    Bulk Image Downloader v1.39.0.6
    calibre
    CCleaner (remove only)
    CDex extraction audio
    CDisplayEx 1.4
    Citrix Presentation Server Client
    ClearType Tuning Control Panel Applet
    Creative Jukebox Driver
    Creative MediaSource 5
    Creative Removable Disk Manager
    Creative Software AutoUpdate
    Creative System Information
    Creative ZEN V Series (R2)
    Debugging Tools for Windows (x86)
    Defraggler (remove only)
    Dell Driver Reset Tool
    Digital Line Detect
    DivX Codec 3.1alpha release
    Drive Manager
    DropBook
    Duplicate Cleaner 1.3
    Easy Video Joiner 5.21
    Exact Audio Copy 0.99pb4
    FastStone Image Viewer 3.6
    FastStone Photo Resizer 2.8
    File Writer output plugin for WinAMP 2 v1.17(c) (remove only)
    FileZilla Client 3.1.4.1
    FLV Player 2.0, build 24
    FreeFileSync
    GIF Movie Gear 4.2
    Glary Utilities 2.10.0.622
    GOM Player
    Google Toolbar for Internet Explorer
    Guitar Pro 5.0
    HD Tune 2.55
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB921411)
    Hotfix for Windows XP (KB950162)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Illustrator_10
    Image Resizer Powertoy for Windows XP
    Intel(R) Graphics Media Accelerator Driver
    IrfanView (remove only)
    iSilo
    Java(TM) 6 Update 14
    KC Softwares SUMo
    Macromedia Flash Player 8
    Malwarebytes' Anti-Malware
    MediaCoder 0.6.2
    MediaJoin
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office FrontPage 2003
    Microsoft Office Professional Edition 2003
    Microsoft Office Project Professional 2003
    Microsoft Office Visio Professional 2003
    Microsoft Plus! for Windows XP
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    MIKSOFT Mobile Media Converter
    Mobipocket Creator 4.2
    Mobipocket Reader 6.2
    Monkey's Audio
    Mozilla Firefox (3.5.1)
    Mp3tag v2.42
    MPEG2 Codec(libmpeg2/mad)
    MSVC80_x86
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    Net Meter 3.6 build 437
    Nokia Connectivity Cable Driver
    Nokia Flashing Cable Driver
    Nokia PC Suite
    Nokia Software Updater
    NoteTab Light 5 (Remove only)
    NuonSoft Wallpaper Cycler 3.6 Lite
    OfotoNow
    OMCI
    PC Connectivity Solution
    Peck's Power Join
    PhotoShop_7_0_0
    Player
    Plucker 1.6
    QuickTime
    Reversi Prodigy (remove only)
    RunAlyzer
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    Smart Data Recovery v4.2
    Smart Defrag 1.20
    SnagIt_6_0_0
    SolveigMM AVI Trimmer
    Some PDF to Txt Converter 1.5
    Sophos Anti-Rootkit 1.3.1
    SoundMAX
    Spybot - Search & Destroy
    SpywareBlaster 4.2
    SUPER © Version 2008.bld.32 (July 8, 2008)
    Super Finder 1.5.3.0
    Super TextTwist
    SuperOthello
    System Requirements Lab
    TiBR Converter 1.0
    TMPGEnc Plus 2.5
    TomeRaider3 v3.23
    Tweak UI
    Unlocker 1.8.7
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    User Profile Hive Cleanup Service
    VideoLAN VLC media player 0.8.6i
    Warcraft III: All Products
    WebFldrs XP
    Winamp (remove only)
    Windows Driver Package - Nokia Modem (02/15/2007 3.1)
    Windows Driver Package - Nokia Modem (03/05/2008 3.7)
    Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)
    Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
    Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
    Windows Driver Package - Nokia Modem (10/12/2007 3.6)
    Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Live OneCare safety scanner
    Windows Media Format Runtime
    Windows Support Tools
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinImage
    WinRAR archiver
    WinZip
    WOT for Internet Explorer
    XnView 1.96
    XP Repair Install
    Xvid 1.2.1 final uninstall
    yBook
    ZENcast Organizer

    ==== Event Viewer Messages From Past Week ========

    8/2/2009 4:07:08 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007f0ea: Security Update for Windows XP (KB902400).
    8/1/2009 6:54:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: pavboot
    8/1/2009 5:21:09 AM, error: System Error [1003] - Error code 1000000a, parameter1 ffffff94, parameter2 0000001c, parameter3 00000000, parameter4 805379bb.
    8/1/2009 1:54:20 PM, error: Dhcp [1002] - The IP address lease 192.168.1.4 for the Network Card with network address 0013727BC172 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    8/1/2009 1:53:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/1/2009 1:50:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss ssmdrv Tcpip
    8/1/2009 1:50:43 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    8/1/2009 1:50:43 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/1/2009 1:50:43 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/1/2009 1:50:43 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    8/1/2009 1:50:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    7/31/2009 9:04:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    7/31/2009 3:49:28 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file tour.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.0.30.0.
    7/31/2009 2:40:36 AM, error: Service Control Manager [7000] - The BASFND service failed to start due to the following error: The system cannot find the file specified.
    7/31/2009 2:33:24 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file b57xp32.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 2.16.0.0.
    7/31/2009 2:21:46 AM, error: System Error [1003] - Error code 0000000a, parameter1 00000004, parameter2 0000001c, parameter3 00000001, parameter4 805016ce.
    7/31/2009 2:19:43 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    7/31/2009 2:18:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments " " in order to run the server: {000C101C-0000-0000-C000-000000000046}
    7/31/2009 12:50:28 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file sisagp.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.12.1.2010.
    7/30/2009 11:55:15 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RemoteRegistry service.
    7/30/2009 11:35:15 PM, error: Service Control Manager [7038] - The MSDTC service was unable to log on as NT AUTHORITY\NetworkService with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    7/30/2009 11:35:15 PM, error: Service Control Manager [7000] - The Distributed Transaction Coordinator service failed to start due to the following error: The service did not start due to a logon failure.
    7/30/2009 11:32:17 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
    7/30/2009 11:26:05 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments " " in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

    ==== End Of File ===========================
     
  2. 2009/08/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I can see you did a lot of work trying to investigate the problem.

    A couple of things I've noticed.

    1. C: is FIXED (NTFS) - 74 GiB total, 2.011 GiB free.
    One of the main issues. Windows needs at least 15% of free space to operate correctly - 11GB in your case. This issue should definitely be your starting point.

    2. I can see a couple of suspicious files in the system32 folder (we'll get there later).

    3. The page file should be set to ~1.5x the RAM size, but I wouldn't touch this setting until the free space issue is solved.

    4. I can see some AVG leftovers (we'll deal with this later).

    5. You have a lot of network related errors in Event Viewer. It may be time to reinstall the network card driver, or even replace the network card.

    6. Download, and install SpeedFan: http://www.almico.com/sfdownload.php
    Post your computer temperatures:

    7. Personally, especially in your situation, I'd uninstall Spybot (its TeaTimer is known for causing problems), and Ad-aware, which runs a startup service whether it's in use or not.

    8. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    STARTING STEP. Move some stuff around, and post back when you have 11-12GB of free space, and we'll go from there.
     
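A triage helper for the Event Viewer extract DDS prints in post 1 and the points broni raises about it above, added here as an example (not part of the thread, of DDS, ComboFix or any Microsoft tool): it parses the "date, level: Source [ID] - message" lines, decodes the System Error [1003] bugcheck records, and tallies the boot-start drivers that failed to load. The sample lines are constructed after the thread's extract; the bugcheck names and the 0xA parameter layout follow Microsoft's bugcheck reference, and masking the high byte of codes like 1000000a is an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on the DDS extract posted in the thread.
SAMPLE_EVENTS = """\
8/1/2009 5:21:09 AM, error: System Error [1003] - Error code 1000000a, parameter1 ffffff94, parameter2 0000001c, parameter3 00000000, parameter4 805379bb.
8/1/2009 1:50:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss ssmdrv Tcpip
8/1/2009 6:54:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: pavboot
7/31/2009 2:21:46 AM, error: System Error [1003] - Error code 0000000a, parameter1 00000004, parameter2 0000001c, parameter3 00000001, parameter4 805016ce.
7/31/2009 3:49:28 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file tour.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.0.30.0.
"""

# DDS prints one event per line: "M/D/YYYY H:MM:SS AM, level: Source [EventID] - message"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
BUGCHECK_RE = re.compile(
    r"Error code (?P<code>[0-9a-f]{8}), parameter1 (?P<p1>[0-9a-f]{8}), "
    r"parameter2 (?P<p2>[0-9a-f]{8}), parameter3 (?P<p3>[0-9a-f]{8}), "
    r"parameter4 (?P<p4>[0-9a-f]{8})"
)
FAILED_DRIVERS_RE = re.compile(r"failed to load: (?P<names>.+)$")
WFP_RE = re.compile(r"protected system file (?P<file>\S+)\. ")

# Subset of the documented Windows bugcheck codes; extend as needed.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


def parse_events(text):
    """Parse the DDS extract into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events


def decode_bugcheck(msg):
    """Turn a System Error [1003] message into a labelled bugcheck record."""
    m = BUGCHECK_RE.search(msg)
    if not m:
        return None
    raw = int(m["code"], 16)
    # Assumption: the high byte in codes such as 1000000a is a variant
    # marker, so mask it to look up the base bugcheck.
    base = raw & 0x00FFFFFF
    rec = {
        "code": raw,
        "name": BUGCHECK_NAMES.get(base, "UNKNOWN_0x%08X" % base),
        "params": [int(m[k], 16) for k in ("p1", "p2", "p3", "p4")],
    }
    if base == 0x0A:
        # Documented layout for 0xA: referenced address, IRQL at the time,
        # 0 = read / 1 = write, address of the instruction that touched it.
        rec["referenced"] = rec["params"][0]
        rec["irql"] = rec["params"][1]
        rec["access"] = "write" if rec["params"][2] else "read"
        rec["faulting_address"] = rec["params"][3]
    return rec


def summarize(events):
    """Aggregate the items a reviewer looks at first: crashes, boot-start
    driver load failures, WFP restores and error counts per source."""
    summary = {
        "bugchecks": [],
        "failed_drivers": Counter(),
        "wfp_restored": [],
        "errors_by_source": Counter(),
    }
    for ev in events:
        if ev["level"] == "error":
            summary["errors_by_source"][ev["source"]] += 1
        if ev["event_id"] == 1003:
            rec = decode_bugcheck(ev["msg"])
            if rec:
                rec["ts"] = ev["ts"]
                summary["bugchecks"].append(rec)
        elif ev["event_id"] == 7026:
            m = FAILED_DRIVERS_RE.search(ev["msg"])
            if m:
                summary["failed_drivers"].update(m["names"].split())
        elif ev["event_id"] == 64002:
            m = WFP_RE.search(ev["msg"])
            if m:
                summary["wfp_restored"].append(m["file"])
    return summary
```

Run summarize(parse_events(SAMPLE_EVENTS)) to get the two Stop 0xA records with their faulting addresses, pavboot counted twice among the drivers that failed to load, and tour.exe in the WFP restores; paste the whole "Event Viewer Messages" block of a DDS log in place of the sample to triage a real extract.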
  4. 2009/08/02
    mariusar

    mariusar Inactive Thread Starter


    Broni, am hoping we can still move forward with the limited HDD space I have so far. Like I said before, I don't want to delete stuff unless ABSOLUTELY NECESSARY to try to get to the root of the problems.


    Also, FYI, my reapplication of all the XP fixes occurred today. PC has NOT crashed or frozen yet [almost 5 hours now], but test will be if PC freezes overnight.

    Will take steps mentioned above and get back ASAP.

    THANKS AGAIN FOR QUICK RESPONSE AND JUMPING IN TO HELP!

    cheers,
    -mariusar
     
  5. 2009/08/03
    broni

    broni Moderator Malware Analyst

    Computers are like any other machines. They may work fine on tight space for some time, but one day they'll say "no more" :)
    If you can free those extra 5 gigs, that would be much better, eliminating (almost) one possible culprit. TFC should give you a few more megs.

    You have 1.5GB of RAM, so your page file should be fixed to ~2.25GB, but as I said with tight space, we'll leave it alone for now.

    AVG....run AVG Remover: http://www.avg.com/download-tools
    Whatever will be left, we'll remove later.

    Spybot...kudos to it for being one of the first antimalware tools on the market.
    It was a great tool, but its best time passed away.
    Same goes for Ad-aware.

    Let me know when you're done with all those changes, plus the SpeedFan results, and we'll check for malware.
     
  6. 2009/08/03
    mariusar

    mariusar Inactive Thread Starter

    Broni:

    You know, I have been running computers for a long time. Thinking back, I guess I have always had a tendency to run them close to the margin. Remember DoubleSpace in DOS/Win3.x? I mucked up my computer [and lost stuff] with that compression junk a couple of times...

    Seems to me that bloatware is just something that is here to stay for good. XP needs more than 1.5 GB RAM, 1.5 GB pagefile and at least 15% free HDD space to run happily??!?!?! Sounds like a terrible joke to me! But I guess all the manufacturers are happy - software vendors don't have to worry about size and efficiency, HDD manufacturers keep pumping out bigger and bigger capacities and we poor consumers keep having to upgrade...<sigh>

    OK, rant over...

    Here is what I have done thus far, per your suggestions:

    - uninstalled Spybot;
    - uninstalled remnants of Ad-Aware;
    - uninstalled remnants of AVG [using their uninstaller];

    - installed and ran TFC [very aggressive little program! But only recovered 138MB for me so I can only assume my system was relatively clean];
    - installed SpeedFan again...HDD temp hovers at 44C-45C;

    - installed and running JavaCool SpywareGuard [looks like a keeper since I already use SpywareBlaster];
    - installed and running WinPatrol [another nice little applet I plan to keep];

    INFO:

    - The network errors that DDS.scr reported initially are no longer a problem. DDS queried Event Viewer and came up with those errors which have since been corrected. They appeared when I first uninstalled and then reinstalled the onboard NIC card and drivers.

    As of now, the only issue I have with the onboard NIC is what I mentioned, that the system freezes while trying to run the Broadcom diagnostics.

    Free HDD space up to 4GB now...really going to have a tough time recovering much more than that.

    Any chance we can try anyway and start looking into those suspicious files you noticed in system32 and start to hunt down possible malware?

    - Also, the first night after reapplying all the post SP2 patches and updates, I woke to find the PC had frozen again around 5:40AM.

    I am really really stumped and am desperately eager to do something more proactive like try and hunt down and eliminate malware as a cause of my problems.

    If indeed the system is clean, then I will have to worry about other issues [like the HDD space issue, continuing driver problems or even a corrupted XP install], but at least we will have eliminated [as much as possible] the chance that the machine is infected with something bad.

    Finally, the occasional BSOD I am getting does indicate the IRQL_NOT_LESS_OR_EQUAL issue, which everyone says points to driver issues. Unfortunately, WinDbg is not much help as it doesn't specify what driver is causing the BSOD - in the last one it simply points to NTOSKRNL.EXE.

    However, I don't have the SYMBOLS set installed for WinDbg [the HDD space needed is huge!] so I might be missing something...

    Anyway, thanks so much for your continuing assistance here...

    cheers,
    -mariusar
     
  7. 2009/08/03
    broni

    broni Moderator Malware Analyst

    I didn't say that. XP is perfectly happy with just 1GB of RAM.
    As I said, the page file is usually set to 1.5 times RAM, so 2.25GB in your case.
    Definitely, positively, yes.

    We'll not worry about it for now. Maybe some issue with the program itself.

    I don't care about HD temps, but I'd like to see other temps posted.

    An IRQL_NOT_LESS_OR_EQUAL error, especially if connected to the NTOSKRNL.EXE file, may rather indicate a RAM issue (regular RAM, or video RAM).
    Do you have separate video card, or on-board?
    Open Windows Explorer.
    Navigate to: C:\Windows\Minidump folder.
    If you see any .dmp files, zip all of them, and upload them to http://www.filedropper.com/. Post download link. I'd like to take a look at them.
    When was the last time you cleaned the case inside?

    Finally....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.
     
  8. 2009/08/03
    mariusar

    mariusar Inactive Thread Starter

    Broni:

    Hope you didn't take personal offense to my rant re:XP. It was not directed at you! Just my general level of frustration right now...I know you are simply trying to help out here and I cannot thank you enough!

    OK, here are your next steps as directed:

    - Minidumps and Speedfan screencap here:
    SpeedFan:
    Does not seem to be recording anything other than HDD Temp on my system. Don't know why...


    http://www.filedropper.com/minidumpspeedfan


    Also, I cleaned the inside of the PC when the issues first cropped up and I couldn't resolve them right away.

    But I did it again just now, making sure all connections are firm. I even re-adjusted the position of 1 of my RAM sticks. Original was position 1 and 3, now position 1 and 2. BIOS reads normal and XP booted up fine.

    SO WEIRD this problem! PC is running super fast and responding perfectly! Bootup times are quick and the machine "feels" as snappy as always.

    Have downloaded and will run Combofix as directed. Will post results when done.

    Thanks again,
    -mariusar
     
  9. 2009/08/03
    mariusar

    mariusar Inactive Thread Starter

    Broni:

    OK, d/l and ran ComboFix. Then ran HijackThis. Both logs are below. Interesting that ComboFix did indeed find some entries/files and deleted them...!

    In the HijackThis log, noticed the UNNAMED item, entry O24, DESKTOP COMPONENT. I saw this previously when I ran HijackThis. Is this something to be concerned about?

    Thanks again,
    -mariusar


    COMBOFIX LOG:

    ComboFix 09-08-03.04 - Henry 08/04/2009 0:03.11.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.987 [GMT -4:00]
    Running from: c:\documents and settings\Henry\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Henry\Desktop\BeJeweled 2 .lnk
    c:\program files\Mozilla Firefox\nspr4.dll
    c:\program files\Mozilla Firefox\nssutil3.dll
    c:\program files\Mozilla Firefox\plc4.dll
    c:\program files\Mozilla Firefox\plds4.dll
    c:\program files\Mozilla Firefox\softokn3.dll
    c:\windows\Installer\116ed3.msi
    c:\windows\Installer\127d8a.msi
    c:\windows\Installer\1a5f6d.msi
    c:\windows\Installer\24b1a574.msi
    c:\windows\Installer\24d1611c.msi
    c:\windows\Installer\3f38714.msi
    c:\windows\Installer\5a15bd.msi
    c:\windows\Installer\64f7f.msi
    c:\windows\Installer\f4030.msi

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FAD


    ((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
    .

    2009-08-04 04:12 . 2009-08-04 04:12 53248 ----a-w- c:\temp\catchme.dll
    2009-08-04 04:10 . 2009-08-04 04:10 60416 ----a-w- c:\temp\Perflib_Perfdata__755.dat
    2009-08-04 03:02 . 2009-08-04 03:19 -------- d-----w- C:\_0_WindowsBBS_FIX PC
    2009-08-03 20:51 . 2009-08-04 04:09 -------- d-----w- c:\temp\BID
    2009-08-03 05:48 . 2009-08-03 05:48 -------- d-----w- c:\documents and settings\Henry\Application Data\WinPatrol
    2009-08-03 05:48 . 2007-04-03 01:04 0 ----a-w- c:\documents and settings\Henry\Application Data\WinPatrol\Config.sys
    2009-08-03 05:48 . 2007-04-03 01:04 0 ----a-w- c:\documents and settings\Henry\Application Data\WinPatrol\Autoexec.bat
    2009-08-03 05:48 . 2009-08-03 05:48 -------- d-----w- c:\program files\BillP Studios
    2009-08-03 05:27 . 2009-08-03 05:28 -------- d-----w- c:\program files\SpywareGuard
    2009-08-03 03:19 . 2009-08-04 02:56 -------- d-----w- c:\program files\SpeedFan
    2009-08-02 19:33 . 2006-08-21 12:21 16896 -c----w- c:\windows\system32\dllcache\fltlib.dll
    2009-08-02 19:33 . 2006-08-21 09:14 23040 -c----w- c:\windows\system32\dllcache\fltmc.exe
    2009-08-02 19:33 . 2006-08-21 09:14 128896 -c----w- c:\windows\system32\dllcache\fltmgr.sys
    2009-08-02 18:30 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
    2009-08-02 18:23 . 2008-06-10 11:07 2376760 -c----w- c:\windows\system32\dllcache\WMVCore.dll
    2009-08-02 18:23 . 2008-04-11 18:50 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
    2009-08-02 18:23 . 2008-06-10 10:28 1028096 -c----w- c:\windows\system32\dllcache\WMNetmgr.dll
    2009-08-02 18:23 . 2008-06-10 09:52 96768 -c----w- c:\windows\system32\dllcache\logagent.exe
    2009-08-02 18:11 . 2009-03-06 14:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
    2009-08-02 18:11 . 2009-02-09 10:01 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2009-08-02 18:11 . 2009-02-06 10:22 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2009-08-02 18:11 . 2009-02-06 09:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
    2009-08-02 18:11 . 2005-07-26 04:20 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
    2009-08-02 18:11 . 2009-02-09 10:01 728576 -c----w- c:\windows\system32\dllcache\lsasrv.dll
    2009-08-02 18:11 . 2009-02-09 10:01 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2009-08-02 18:11 . 2009-02-09 10:01 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2009-08-02 18:11 . 2009-02-09 10:01 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2009-08-02 18:11 . 2009-02-06 09:41 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2009-08-02 18:11 . 2008-12-11 11:57 333184 -c----w- c:\windows\system32\dllcache\srv.sys
    2009-08-02 18:11 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2009-08-02 18:10 . 2009-06-03 19:27 1290752 -c----w- c:\windows\system32\dllcache\quartz.dll
    2009-08-02 18:10 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2009-08-02 18:10 . 2009-06-16 14:55 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2009-08-02 18:10 . 2009-06-16 14:55 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2009-08-02 18:00 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2009-08-02 18:00 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2009-08-02 18:00 . 2008-10-03 10:15 247326 -c----w- c:\windows\system32\dllcache\strmdll.dll
    2009-08-02 18:00 . 2008-09-04 16:42 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
    2009-08-02 18:00 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2009-08-02 17:38 . 2009-06-29 16:12 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-08-02 17:38 . 2009-06-29 16:12 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2009-08-02 17:38 . 2009-06-29 16:12 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2009-08-02 17:38 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
    2009-08-02 17:38 . 2009-07-19 13:32 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2009-08-02 17:38 . 2009-06-29 16:12 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
    2009-08-02 17:38 . 2009-06-29 16:12 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
    2009-08-02 17:38 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
    2009-08-02 05:36 . 2006-03-24 00:12 139264 ----a-w- c:\windows\system32\igfxres.dll
    2009-07-31 21:09 . 2009-02-06 10:32 2186112 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-07-31 21:09 . 2009-02-06 10:29 2142720 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-07-31 21:09 . 2009-02-06 09:49 2020864 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-07-31 21:09 . 2009-02-06 09:49 2062976 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-07-31 20:09 . 2006-06-26 17:51 985088 -c----w- c:\windows\system32\dllcache\setupapi.dll
    2009-07-31 07:49 . 2004-08-04 10:00 3374640 -c--a-w- c:\windows\system32\dllcache\tourW.exe
    2009-07-31 04:05 . 2009-07-31 08:04 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
    2009-07-31 00:38 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2009-07-31 00:38 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
    2009-07-30 03:37 . 2009-07-30 03:38 -------- d-----w- c:\program files\SysInternals_Autoruns
    2009-07-28 22:15 . 2009-04-18 02:07 89600 ----a-w- c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\extensions\{1ed6b678-1f93-4660-a9c5-01af87b323d3}\platform\WINNT_x86-msvc\components\leakmon.dll
    2009-07-26 19:26 . 2009-07-26 19:26 -------- d-----w- c:\program files\Support Tools
    2009-07-26 17:44 . 2008-11-03 15:29 731 ----a-w- c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\extensions\speedtest@gotomyhelp.com\test.bat
    2009-07-26 17:44 . 2008-11-03 15:29 49152 ----a-w- c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
    2009-07-26 17:44 . 2008-11-03 15:29 200 ----a-w- c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\extensions\speedtest@gotomyhelp.com\config.bat
    2009-07-25 14:43 . 2009-07-25 14:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-07-23 21:02 . 2001-08-17 16:49 58592 ----a-w- c:\windows\system32\drivers\i740nt5.sys
    2009-07-23 21:02 . 2001-08-17 18:56 353184 ----a-w- c:\windows\system32\i740dnt5.dll
    2009-07-23 20:48 . 2009-07-23 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
    2009-07-23 20:47 . 2009-07-23 20:47 60968 ----a-w- c:\documents and settings\Henry\GoToAssistDownloadHelper.exe
    2009-07-23 20:47 . 2009-07-23 20:47 -------- d-----w- c:\documents and settings\Henry\Local Settings\Application Data\Citrix
    2009-07-21 05:50 . 2009-07-21 05:50 -------- d-----w- c:\program files\TCPView
    2009-07-18 21:59 . 1999-06-25 14:55 149504 ----a-w- c:\windows\UNWISE.EXE
    2009-07-18 21:04 . 2004-08-04 10:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2009-07-18 07:17 . 2009-07-18 07:17 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-07-14 07:46 . 2009-07-14 07:46 -------- d-----w- c:\documents and settings\Henry\Application Data\HTNetMeter
    2009-07-14 07:46 . 2009-07-14 07:46 -------- d-----w- c:\program files\HooTech
    2009-07-11 23:36 . 2009-07-11 23:36 -------- d-----w- c:\program files\Camtech
    2009-07-11 07:17 . 2009-08-01 02:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-11 03:08 . 2009-07-11 03:08 -------- d-----w- c:\program files\WOT
    2009-07-10 02:18 . 2009-07-10 02:19 -------- d-----w- c:\program files\Defraggler
    2009-07-09 21:45 . 2009-07-09 21:45 -------- d-----w- c:\documents and settings\Henry\Application Data\InstallShield
    2009-07-09 20:43 . 2009-07-09 20:43 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-09 20:42 . 2009-07-09 20:42 152576 ----a-w- c:\documents and settings\Henry\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-07-08 22:55 . 2009-07-08 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-07-08 22:55 . 2009-07-26 20:25 -------- d-----w- c:\documents and settings\Henry\Application Data\SUPERAntiSpyware.com
    2009-07-08 22:55 . 2009-07-26 20:25 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-07-08 21:33 . 2009-07-08 21:33 262144 ----a-w- c:\windows\system32\default_user_class.dat
    2009-07-08 07:26 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
    2009-07-08 04:24 . 2009-07-08 04:24 -------- d-----w- c:\program files\Sophos
    2009-07-08 00:57 . 2009-07-08 07:31 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-07-07 23:50 . 2009-07-07 23:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2009-07-07 23:33 . 2009-07-07 23:33 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-07-07 23:22 . 2009-07-07 23:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-07-07 07:46 . 2008-02-15 17:12 1670144 ----a-w- c:\windows\system32\igxpdv32.dll
    2009-07-07 07:46 . 2008-02-15 17:12 2643968 ----a-w- c:\windows\system32\igxpdx32.dll
    2009-07-07 07:46 . 2008-02-15 17:12 57344 ----a-w- c:\windows\system32\igxprd32.dll
    2009-07-07 07:46 . 2008-02-15 17:12 151040 ----a-w- c:\windows\system32\igxpgd32.dll
    2009-07-07 07:46 . 2008-02-15 17:12 5854752 ----a-w- c:\windows\system32\drivers\igxpmp32.sys
    2009-07-07 07:38 . 2009-07-07 07:38 -------- d-----w- c:\program files\SystemRequirementsLab
    2009-07-07 04:22 . 2009-07-07 04:22 -------- d-----w- c:\program files\ProcessMonitor
    2009-07-06 21:30 . 2009-07-06 21:30 -------- d-----w- c:\documents and settings\Henry\dwhelper
    2009-07-06 20:46 . 2009-07-06 20:46 -------- d-----w- c:\documents and settings\Henry\Application Data\NuonSoft
    2009-07-06 20:31 . 2009-07-06 20:31 -------- d-----w- c:\program files\UPHClean
    2009-07-06 18:22 . 2009-07-06 18:22 -------- d-----w- c:\windows\system32\x64
    2009-07-06 03:56 . 2009-07-06 03:56 -------- d-----w- c:\windows\system32\Dell
    2009-07-05 23:19 . 2009-08-04 03:07 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
    2009-07-05 22:47 . 2009-07-05 22:47 -------- d-----w- c:\documents and settings\Henry\Application Data\IObit
    2009-07-05 22:47 . 2009-07-05 22:47 -------- d-----w- c:\program files\IObit
    2009-07-05 20:49 . 2009-07-11 03:38 -------- d-----w- c:\documents and settings\Henry\Local Settings\Application Data\Deployment
    2009-07-05 20:47 . 2009-07-06 04:32 -------- d-----w- c:\windows\system32\XPSViewer
    2009-07-05 20:47 . 2009-07-05 20:47 -------- d-----w- c:\program files\MSBuild
    2009-07-05 20:47 . 2009-07-05 20:47 -------- d-----w- c:\program files\Reference Assemblies
    2009-07-05 20:46 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-07-05 20:46 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-07-05 20:46 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-07-05 16:42 . 2009-07-29 07:10 -------- d-----w- c:\documents and settings\Henry\Local Settings\Application Data\Google
    2009-07-05 15:18 . 2009-08-04 04:12 -------- d-sh--w- c:\temp\Temporary Internet Files
    2009-07-05 15:10 . 2009-07-05 15:10 -------- d-sh--w- c:\documents and settings\Henry\IECompatCache
    2009-07-05 15:06 . 2009-07-08 03:17 -------- d-sh--w- c:\documents and settings\Henry\IETldCache
    2009-07-05 04:18 . 2009-07-05 04:18 -------- d-----w- c:\documents and settings\Henry\Application Data\Auslogics
    2009-07-05 04:17 . 2009-07-05 04:17 -------- d-----w- c:\program files\Auslogics

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-03 20:46 . 2009-04-08 23:34 -------- d--h--w- c:\program files\InstallJammer Registry
    2009-08-03 20:26 . 2007-04-22 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-08-03 03:10 . 2007-04-22 00:27 -------- d-----w- c:\program files\Lavasoft
    2009-08-01 21:42 . 2007-12-25 11:03 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2009-08-01 16:22 . 2009-07-05 03:51 -------- d-----w- c:\program files\trend micro
    2009-08-01 06:33 . 2008-02-21 17:50 -------- d-----w- c:\documents and settings\Henry\Application Data\uTorrent
    2009-08-01 06:14 . 2008-02-21 17:50 -------- d-----w- c:\program files\uTorrent
    2009-08-01 01:29 . 2009-01-13 01:38 -------- d-----w- c:\program files\MediaCoder
    2009-07-31 20:23 . 2008-07-16 08:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-07-31 20:22 . 2007-04-22 00:28 -------- d-----w- c:\program files\SpywareBlaster
    2009-07-31 07:09 . 2007-04-03 01:27 -------- d-----w- c:\program files\Broadcom
    2009-07-31 03:14 . 2007-04-03 01:01 22720 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-07-29 19:50 . 2009-01-16 07:39 -------- d-----w- c:\program files\Panda Security
    2009-07-28 05:16 . 2009-03-19 21:28 -------- d-----w- c:\program files\XnView
    2009-07-26 07:09 . 2007-04-22 22:02 -------- d-----w- c:\program files\Java
    2009-07-24 07:18 . 2009-07-03 22:52 -------- d-----w- c:\program files\TweakNow RegCleaner
    2009-07-24 07:18 . 2009-07-03 22:52 -------- d-----w- c:\documents and settings\Henry\Application Data\TweakNow RegCleaner
    2009-07-23 20:47 . 2007-04-03 04:30 -------- d-----w- c:\program files\Citrix
    2009-07-18 22:15 . 2008-01-22 22:16 -------- d-----w- c:\program files\Creative
    2009-07-18 22:14 . 2008-01-22 22:16 -------- d--h--w- c:\program files\Creative Installation Information
    2009-07-18 21:56 . 2007-04-03 01:27 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-18 21:36 . 2008-01-23 04:17 -------- d-----w- c:\documents and settings\Henry\Application Data\Creative
    2009-07-18 07:17 . 2009-07-02 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-17 03:02 . 2009-03-05 23:16 31 ----a-w- c:\windows\popcinfo.dat
    2009-07-14 03:54 . 2008-07-09 07:34 -------- d-----w- c:\program files\ProcessExplorer
    2009-07-13 17:36 . 2009-07-02 21:49 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-13 17:36 . 2009-07-02 21:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-11 07:46 . 2007-04-03 03:24 -------- d-----w- c:\program files\MSECACHE
    2009-07-06 05:11 . 2008-07-10 00:40 -------- d-----w- c:\program files\Seagate
    2009-07-06 04:35 . 2007-04-03 02:06 67504 ----a-w- c:\documents and settings\Henry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-07-06 03:56 . 2007-04-03 01:37 -------- d-----w- c:\program files\Dell
    2009-07-05 01:25 . 2009-07-04 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-07-04 19:00 . 2009-07-04 19:00 -------- d-----w- c:\program files\Avira
    2009-07-04 19:00 . 2009-07-04 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2009-07-04 00:29 . 2009-07-04 00:15 -------- d-----w- c:\program files\Media Player Classic
    2009-07-04 00:14 . 2009-07-04 00:14 -------- d-----w- c:\documents and settings\Henry\Application Data\Media Player Classic
    2009-07-03 23:11 . 2009-01-23 09:20 -------- d-----w- c:\program files\Glary Utilities
    2009-07-03 22:46 . 2009-01-23 09:23 -------- d-----w- c:\documents and settings\Henry\Application Data\GlarySoft
    2009-07-02 21:49 . 2009-07-02 21:49 -------- d-----w- c:\documents and settings\Henry\Application Data\Malwarebytes
    2009-07-02 21:49 . 2009-07-02 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-02 07:12 . 2007-04-22 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
    2009-06-29 16:12 . 2006-03-04 03:33 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-28 19:07 . 2007-10-06 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2009-06-28 19:06 . 2008-04-11 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-06-25 20:31 . 2009-06-25 20:31 -------- d-----w- c:\program files\DeskSave
    2009-06-23 08:42 . 2009-03-06 22:57 -------- d-----w- c:\program files\ABC Amber LIT Converter
    2009-06-21 15:30 . 2009-06-21 15:30 80896 ----a-w- c:\documents and settings\Henry\Application Data\Seven Zip\Codecs\LZMA.dll
    2009-06-21 15:30 . 2009-06-21 15:30 5632 ----a-w- c:\documents and settings\Henry\Application Data\Seven Zip\Codecs\Swap.dll
    2009-06-21 15:30 . 2009-06-21 15:30 5120 ----a-w- c:\documents and settings\Henry\Application Data\Seven Zip\Codecs\Copy.dll
    2009-06-21 15:30 . 2009-06-21 15:30 18944 ----a-w- c:\documents and settings\Henry\Application Data\Seven Zip\Codecs\Branch.dll
    2009-06-21 15:30 . 2009-06-21 15:30 129024 ----a-w- c:\documents and settings\Henry\Application Data\Seven Zip\Formats\7z.dll
    2009-06-21 15:30 . 2009-06-21 15:30 -------- d-----w- c:\documents and settings\Henry\Application Data\Seven Zip
    2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-14 20:43 . 2009-06-14 20:43 -------- d-----w- c:\program files\Smart PC Solutions
    2009-06-03 19:27 . 2004-08-04 10:00 1290752 ----a-w- c:\windows\system32\quartz.dll
    2009-05-20 05:31 . 2009-05-20 05:32 720896 ----a-w- c:\windows\iun6002ev.exe
    2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
    2009-07-15 20:30 . 2009-07-06 07:43 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2006-05-03 09:06 . 2008-08-11 01:42 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2008-08-11 01:42 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 . 2008-08-11 01:42 216064 --sha-r- c:\windows\system32\nbDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-27 341312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\Henry\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^ChkDisk.lnk]
    path=c:\documents and settings\Henry\Start Menu\Programs\Startup\ChkDisk.lnk
    backup=c:\windows\pss\ChkDisk.lnkStartup

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Games\\Warcraft III\\Warcraft III.exe"=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "c:\\Duke_Nukem_3D\\EDuke32.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/4/2009 3:00 PM 108289]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
    S3 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/8/2005 7:46 PM 61440]
    S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [9/25/2007 10:59 AM 15152]
    S3 i740;i740;c:\windows\system32\drivers\i740nt5.sys [7/23/2009 5:02 PM 58592]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://news.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    FF - ProfilePath - c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\
    FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
    FF - component: c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
    FF - plugin: c:\documents and settings\Henry\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-04 00:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-220523388-1123561945-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-220523388-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E4E5E73-0410-2229-4CAC-A3BE892618B8}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "oagkekchgckmdidhonffdfhbhipdok"=hex:64,61,64,6d,67,61,70,6d,00,50
    "oacjebjaijncbiahjhamcnmpeihigg"=hex:69,61,6c,6d,67,6a,65,6e,6f,64,66,65,65,6a,
    65,65,6a,62,00,00
    "naijgjfijnfeifjiehclamfjcdma"=hex:69,61,6c,6d,67,6a,65,6e,6f,64,66,65,65,6a,
    65,65,6a,62,00,00

    [HKEY_USERS\S-1-5-21-220523388-1123561945-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-220523388-1123561945-725345543-1003)
    @Allowed: (Read) (S-1-5-21-220523388-1123561945-725345543-1003)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3804)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\UPHClean\uphclean.exe
    c:\program files\SpywareGuard\sgbhp.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-04 0:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-04 04:16

    Pre-Run: 4,780,354,048 bytes free
    Post-Run: 4,712,364,544 bytes free

    376 --- E O F --- 2009-08-02 20:33




    HiJackThis LOG:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:24:38 AM, on 8/4/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\ProcessExplorer\procexp.exe
    C:\Program Files\trend micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
    O4 - HKLM\..\Run: [basicsmssmenu] C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175570443593
    O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 5870 bytes
     
  10. 2009/08/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Surely not. No worries :)

    Most likely a combination of a few things. Freeing some HD space, cleaning inside, getting rid of Spybot, AVG, and Ad-aware leftovers, running TFC, possibly juggling, and re-seating RAM helped too, since all your dump files show IRQL_NOT_LESS_OR_EQUAL error @ ntkrpamp.exe

    Don't forget that Combofix found some **** as well. I'll see what else is there.


    As for SpeedFan, I don't know either why it's only one reading, but we may double check.
    Download, and install Everest Ultimate Edition 4.6: http://www.lavalys.com:8081/everestultimate460.exe
    Enter following registration code (Help>Enter product key) to make it fully functional:
    RHGJE-54X47-HML9C-V498I-UUMVI
    (it's all legal, the above version has been recently offered as a free download)

    Expand Computer folder.
    Click on Sensor.
    Post all info from there.

    No.

    Combofix log looks clean.

    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between "combofix" and "/u".
    Restart computer.


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
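One way to read the DrWeb.csv report that the steps above produce, as an added example that is not part of the thread or of Dr.Web's own tooling: it parses the semicolon-separated lines (layout assumed from the report lines posted in this thread) and sorts findings into what CureIt moved, what it left untouched and still needs a look, heuristic-only verdicts, and copies sitting in System Restore points. The sample report, file names and restore-point GUID are constructed.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) after a scan.

Added example, not code from the thread or from Dr.Web. The line layout is
assumed from the report lines posted in this thread:
    object;folder;verdict;action;
where action is empty when CureIt was not allowed to touch the object.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    obj: str      # file name, or "archive\\member" for an archive member
    folder: str   # directory (or archive) that contains the object
    verdict: str  # e.g. "Probably WIN.WORM.Virus", "Modification of ..."
    action: str   # "Moved." / "Deleted." / "" when nothing was done

    @property
    def heuristic(self) -> bool:
        # "Probably ..." verdicts are heuristic, not a signature match:
        # worth a second opinion before trusting them either way.
        return self.verdict.startswith("Probably")

    @property
    def in_restore_point(self) -> bool:
        # Copies under System Volume Information are System Restore snapshots;
        # they come back unless the old restore points are purged.
        return "\\system volume information\\" in self.folder.lower()


def parse_report(text: str) -> List[Finding]:
    """Parse DrWeb.csv lines; tolerates a missing action or trailing field."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        parts += [""] * (4 - len(parts))      # pad short lines
        findings.append(Finding(parts[0], parts[1], parts[2], parts[3]))
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Group findings by what a reviewer still has to do about them."""
    fs = parse_report(text)
    # Full paths of everything CureIt acted on (case-folded, NTFS being
    # case-insensitive), so an archive member whose archive was moved counts
    # as handled even though its own action field is empty.
    acted_on = {(f.folder.rstrip("\\") + "\\" + f.obj).lower()
                for f in fs if f.action}

    def handled(f: Finding) -> bool:
        return bool(f.action) or f.folder.rstrip("\\").lower() in acted_on

    return {
        "moved": [f.obj for f in fs if f.action.startswith("Moved")],
        "needs_review": [f.obj for f in fs
                         if not handled(f) and not f.in_restore_point],
        "heuristic_only": [f.obj for f in fs if f.heuristic],
        "restore_points": [f.obj for f in fs if f.in_restore_point],
    }


# Constructed sample report mirroring the layout seen in this thread.
SAMPLE_REPORT = """\
cache0001\\gziped.gz;C:\\Documents and Settings\\user\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\Cache\\cache0001;Probably SCRIPT.Virus;;
cache0001;C:\\Documents and Settings\\user\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\Cache;Archive contains infected objects;Moved.;
tool.exe;C:\\Program Files\\Tool;Probably WIN.WORM.Virus;;
helper.exe;C:\\Program Files\\Helper;Modification of Win32.HLLM.Generic.425;Moved.;
A0001013.exe;C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP1;Modification of Win32.HLLM.Generic.425;Moved.;
screen.scr;C:\\WINDOWS\\system32;Probably WIN.WORM.Virus;;
"""

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {names}")
```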
     
  11. 2009/08/04
    mariusar

    mariusar Inactive Thread Starter

    Joined:
    2009/08/02
    Messages:
    11
    Likes Received:
    0
    Broni:

    Well, now we are really getting someplace!

    SCREENSHOTS:

    http://www.filedropper.com/everestdrweb


    - Everest only reports HDD Temp as well. STRANGE!

    FYI, the other drive is a friend's USB drive I borrowed to try and offload some stuff temporarily.


    - DrWeb express scan:

    This is SCARY!

    It seems this PC is indeed infected with a stealth rootkit which has defied detection thus far. This BackDoor.Maosboot seems like a nasty, tricky one!

    I DID NOT allow Dr. Web to do anything yet to try and cure this. I am very nervous since this seems to be infecting my MBR.

    - Should I allow Dr. Web to cure this?
    - Is Dr. Web "guaranteed" to be safe to my precious MBR?

    Please advise ASAP...I am very reluctant to take any steps further without more info from you please Broni...

    Thanks!
    -mariusar
     
  12. 2009/08/05
    mariusar

    mariusar Inactive Thread Starter

    Joined:
    2009/08/02
    Messages:
    11
    Likes Received:
    0
    Broni:

    I could not wait. Did some research on this BackDoor.Maos.Boot infection that DrWeb found. Also, I was reminded of the FixMBR option in XP Recovery Console and I decided to take the plunge.

    I took your initial advice and allowed DrWeb to fix/remove BackDoor.Maos.Boot.

    Guess what?

    PC is now running PERFECTLY...Left it on overnight, woke up today and PC is fine.

    Also, research into this BackDoor.Maos.Boot revealed that it affects Broadcom NICs as well. So, after fixing the problem, my NIC Diagnostics are working perfectly now with no lockups.

    This problem was a particularly tough one in my experience. Since there were no typical browser redirects/hijacks or other obvious virus behavior I could find on my own, and nothing I did with SOP driver updates/rollbacks/fixes/XP repairs helped, I was nearly to the point of giving up...

    I am SO RELIEVED and THANKFUL to you and to Dr Web CureIt. I cannot express my gratitude enough to you and the rest of the kind folks here on this board. What an amazing resource you people are.

    THANK YOU AGAIN!!!!

    I accidentally deleted the DrWeb log after it cured the BackDoor.Maos.Boot infection, but I ran a complete scan as you suggested and have included the log below. I also have included a fresh HijackThis log as well.

    Some cleanup items I want to ask you about please:

    - ComboFix has been uninstalled as instructed. Do I need to do anything else with it?

    - My proactive protection now includes Avira, SpywareGuard, SpywareBlaster and WinPatrol. Are these enough to help safeguard me?

    - My toolkit also includes MalwareBytes, Norman Malware Scanner, MS MRT, HiJackThis, Sophos AntiRootkit, CrapCleaner, TempFileCleaner, MVPS Hosts File and of course DrWeb CureIt. What are your thoughts on these apps?

    - Thank you for the intro to Everest Ultimate System Info. Great app! Still not sure why Everest and SpeedFan only reveal HDD temps on my system [even after removal of the MBR infection], but I am not going to worry about it.

    Again, thank you so very much for your help Broni. I don't know how to repay your assistance other than to tell you that you and the other folks here at WindowsBBS helping people out of jams guarantees you a free pass to whatever afterlife you may subscribe to.

    cheers and if nothing else and you feel my logs indicate a fully cleaned system, I guess you can mark this thread SOLVED!!!
    -mariusar


    DrWeb Complete Scan log:

    E1CC9290d01\gziped.gz;C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\Cache\E1CC9290d01;Probably SCRIPT.Virus;;

    E1CC9290d01;C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\Cache;Archive contains infected objects;Moved.;

    OfotoNow.exe;C:\Program Files\Ofoto\OfotoNow;Probably WIN.WORM.Virus;;

    yBookmaker.exe;C:\Program Files\yBook;Modification of Win32.HLLM.Generic.425;Moved.;

    A0001013.exe;C:\System Volume Information\_restore{21CDE11B-6BFA-490B-8518-7B46CFC6D026}\RP1;Modification of Win32.HLLM.Generic.425;Moved.;

    OfotoNow.scr;C:\WINDOWS\system32;Probably WIN.WORM.Virus;;


    Fresh HiJackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:05:31 AM, on 8/5/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe
    C:\Program Files\SysInternals_ProcessExplorer\procexp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Henry\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\trend micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
    O4 - HKLM\..\Run: [basicsmssmenu] C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175570443593
    O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 6476 bytes
     
  13. 2009/08/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This link: http://www.filedropper.com/everestdrweb doesn't work for me.
    It brings me to the main page of Filedropper.

    I'm very glad, your computer is doing much better :)

    No.

    You're perfectly fine, on the assumption that none of these: Norman Malware Scanner, MS MRT, Sophos AntiRootkit, are running in real-time.

    I still need to check your final HJT log, and we need to run final cleaning steps.
     
  14. 2009/08/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print this post out, since you won't have access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    - O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    - O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    - O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    - O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    - O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    - O9 - Extra button: (no name) - AutorunsDisabled - (no file)



    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    - O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
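    As an added example, not code from the thread or from either tool, here is a small Python triage helper for the two log formats posted above: it parses the semicolon-separated Dr.Web CureIt rows and lists the heuristic "Probably ..." verdicts that were left untouched (the ones to review by hand), and it parses HijackThis lines and lists the O2/O3/O9 entries marked "(no file)", which are the dead registrations broni tells the user to fix. The sample lines are copied from the logs in this thread; the function names are my own.

```python
import re
from dataclasses import dataclass

# Dr.Web CureIt rows copied from the log posted above: object;directory;verdict;action;
SAMPLE_DRWEB = r"""
E1CC9290d01\gziped.gz;C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\Cache\E1CC9290d01;Probably SCRIPT.Virus;;
E1CC9290d01;C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\9rp5vw97.default\Cache;Archive contains infected objects;Moved.;
OfotoNow.exe;C:\Program Files\Ofoto\OfotoNow;Probably WIN.WORM.Virus;;
yBookmaker.exe;C:\Program Files\yBook;Modification of Win32.HLLM.Generic.425;Moved.;
OfotoNow.scr;C:\WINDOWS\system32;Probably WIN.WORM.Virus;;
"""

# HijackThis lines copied from the log posted above.
SAMPLE_HJT = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O24 - Desktop Component 0: (no name) - (no file)
"""


@dataclass
class DrWebRow:
    obj: str
    directory: str
    verdict: str
    action: str  # empty string when Dr.Web recorded no action for the object


def parse_drweb(log: str) -> list[DrWebRow]:
    """Split each non-empty line on ';' into object, directory, verdict, action."""
    rows = []
    for line in log.splitlines():
        parts = line.strip().split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        rows.append(DrWebRow(parts[0], parts[1], parts[2], parts[3]))
    return rows


def untreated_heuristics(log: str) -> list[str]:
    """Objects with a 'Probably ...' (heuristic) verdict and no action: left in place, review by hand."""
    return [r.obj for r in parse_drweb(log)
            if r.verdict.startswith("Probably") and r.action == ""]


# HijackThis line: section id (R0, O2, O23, ...) then ' - ' then the entry body.
HJT_LINE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")


def parse_hjt(log: str) -> list[tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line."""
    out = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def orphaned_entries(log: str, sections=("O2", "O3", "O9")) -> list[str]:
    """BHO, toolbar and extra-button entries whose target file is gone: dead registrations to fix."""
    return [f"{sec} - {body}" for sec, body in parse_hjt(log)
            if sec in sections and body.endswith("(no file)")]


if __name__ == "__main__":
    print("Dr.Web heuristics left untouched:", untreated_heuristics(SAMPLE_DRWEB))
    print("HijackThis orphaned entries:", *orphaned_entries(SAMPLE_HJT), sep="\n  ")
```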
  15. 2009/08/05
    mariusar

    mariusar Inactive Thread Starter

    Joined:
    2009/08/02
    Messages:
    11
    Likes Received:
    0
    Broni:

    Yes, PC is running flawlessly, thanks to you!

    FileDropper:

    - Please try this link...it works now, sorry:

    http://www.filedropper.com/drwebeverest


    Understand about not running MS MRT, Sophos and Malware in real time. None of them are, but simply as tools when/if needed.

    HiJackThis log:

    - I made the corrections you specified and rebooted. Follows is the latest HiJackThis log.

    Thank you again and await next instructions.

    mariusar


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:30:30 PM, on 8/5/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\trend micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
    O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
    O4 - HKLM\..\Run: [basicsmssmenu] C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175570443593
    O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 4964 bytes
     
  16. 2009/08/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Since "PC is running flawlessly" I'm not going to investigate where your missing temperature sensors are :)

    In any case....

    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure, Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html


    I'm marking this thread as resolved :)
     
  17. 2009/08/05
    mariusar

    mariusar Inactive Thread Starter

    Joined:
    2009/08/02
    Messages:
    11
    Likes Received:
    0
    Broni, let me thank you again! You saved the day...

    I know you must be very busy, both here and whatever else you do, but if you get a chance, I would like to know your thoughts on the BackDoor.Maos.Boot MBR infection I had.

    Have you seen this before? Do you have any more info on this bugger?

    Have taken your final steps.

    So happy to say that THREAD IS SOLVED!

    cheers,
    -mariusar
     
  18. 2009/08/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Frankly speaking, because of the insane number of different infections, I don't even care anymore, which one I'm dealing with, as long, as things get fixed. It's practically impossible to track every single type of infection.
    Only, if we deal with a polymorphic type of infection (Virut, Sality), the outcome is simple - reformat :)
    All other cases are solvable, one way, or another.
    Happy computing.
     
  19. 2009/08/06
    mariusar

    mariusar Inactive Thread Starter

    Joined:
    2009/08/02
    Messages:
    11
    Likes Received:
    0
    Broni:

    Hope you are well. Not sure if you will see this since the thread is closed, but wanted to pass some info to you.

    Remember that Everest Ultimate and SpeedFan both fail to display any temperatures in my Dell PC other than HDD?

    Turns out there is a reason for this!

    I did some hunting and found this on the Everest/Lavalys site:

    http://www.lavalys.com/support.php?category=22&lang=en

    See question 21.

    Seems Dell PCs use proprietary temp sensors on their machines making readings by apps like Everest and SpeedFan impossible.

    This was surprising news to me and makes me wonder a bit at Dell.

    Anyway, just thought you might like to know.

    cheers and yes, the PC is working PERFECTLY!
    -mariusar
     
  20. 2009/08/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ha, interesting. I wasn't aware of this.
    Thanks for sharing :)

    I'm glad, your computer is well :)
     
  21. 2009/08/06
    mariusar

    mariusar Inactive Thread Starter

    Joined:
    2009/08/02
    Messages:
    11
    Likes Received:
    0
    Yeah, surprised me. I always thought Dell was one of the more "open" PC makers...not sure why they would do this!
     