
Inactive [InActive] Missing Windows Apps - See same title under Window XP forum

Discussion in 'Malware and Virus Removal Archive' started by shylo, 2008/11/18.

  1. 2008/11/25
    shylo Lifetime Subscription

    shylo Well-Known Member Thread Starter

    Joined:
    2006/03/31
    Messages:
    36
    Likes Received:
    0
    I just want to remind you that "Run" is conspicuously absent from my start menu so I presume using Command Prompt from Accessories will do it as was done previously with this type of task and I just paste it there? This has been a long conversation but as I recall when "run" was available, the cmd simply opened Command Prompt but want to be sure that you agree this will accomplish what you advise here.
     
  2. 2008/11/25
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    The Command Prompt in Accessories should be fine for noahdfear's code.
     
  4. 2008/11/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks wildfire. As noted, yes, that should be fine. Another method would be using Task Manager>File>New Task (Run) and typing cmd.
     
  5. 2008/11/25
    shylo Lifetime Subscription

    shylo Well-Known Member Thread Starter

    Joined:
    2006/03/31
    Messages:
    36
    Likes Received:
    0
    As directed, notifying you that services.zip has been uploaded as requested.
     
  6. 2008/11/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks. Will take me some time to analyze. I'll likely get back with you tomorrow evening.
     
  7. 2008/11/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmm, still missing something. Let's get another sample using the same method.

    Highlight and copy the contents of the code box below.
    Code:
    cd desktop
    reg save HKLM\SYSTEM\CurrentControlSet\Enum\Root root.hiv
    exit
    cls
    
    Open a command window. Right click in the command window and select paste. The command window will close on its own.

    This should create a file named root.hiv on your desktop.
    Please right click that file and select Send To>Compressed (zipped) Folder.
    You will now see root.zip on your desktop as well.
    Please upload root.zip to my submission channel for analysis. Leave a link back to this topic.


    I'd also like to do a registry search. Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    Start it and paste in mchInjDrv. Wait for it to complete the search, then click OK at the prompt. When WordPad opens, copy that back here please.
     
  8. 2008/11/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Got it. Thanks!
     
  9. 2008/11/26
    shylo Lifetime Subscription

    shylo Well-Known Member Thread Starter

    Joined:
    2006/03/31
    Messages:
    36
    Likes Received:
    0
    root.zip uploaded

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "mchInjDrv" 11/25/2008 10:18:37 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000]
    "Service"="mchInjDrv"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000]
    "DeviceDesc"="mchInjDrv"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]
    "Service"="mchInjDrv"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]
    "DeviceDesc"="mchInjDrv"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000\LogConf]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000]
    "Service"="mchInjDrv"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000]
    "DeviceDesc"="mchInjDrv"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\LogConf]
     
  10. 2008/11/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I've just verified that mchInjDrv.sys is loaded by ThreatFire on your system.
    I've also just installed avast! to check some of its registry keys against some of yours, and it does appear that a number of your avast! service keys are really whacked. Below is an example of parts of just one of the avast! keys.

    Code:
    [Services\Aavmker4]
    "DisplayName"="avast! Asynchronous Virus Monitor"
    "ErrorControl"=dword:00000001
    "Type"=dword:00000001
    "Start"=dword:00000001
    
    [Services\Aavmker4\$%&'(]
    
    [Services\Aavmker4\$%&'()]
    
    [Services\Aavmker4\$%&'()*]
    
    [Services\Aavmker4\$%&'()*+]
    
    [Services\Aavmker4\$%&'()*+,]
    
    [Services\Aavmker4\$%&'()*+,-]
    
    [Services\Aavmker4\$%&'()*+,-.]
    
    [Services\Aavmker4\$%&'()*+,-./]
    
    [Services\Aavmker4\$%&'()*+,-./0]
    
    [Services\Aavmker4\$%&'()*+,-./01]
    
    [Services\Aavmker4\$%&'()*+,-./012]
    
    There are literally hundreds of those subkeys, rather than the normal subkey(s) which should be similar to the following.

    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Aavmker4
        DisplayName	REG_SZ	avast! Asynchronous Virus Monitor
        ErrorControl	REG_DWORD	0x1
        Type	REG_DWORD	0x1
        Start	REG_DWORD	0x1
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Aavmker4\Enum
        0	REG_SZ	Root\LEGACY_AAVMKER4\0000
        Count	REG_DWORD	0x1
        NextInstance	REG_DWORD	0x1
    
    Recommend you try uninstalling avast! and see if it makes a difference. It could well be corruption causing the problem.
     
  11. 2008/11/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    For the record, I have also verified that hidedir.sys is a driver for Safebit. ;)
     
  12. 2008/11/26
    shylo Lifetime Subscription

    shylo Well-Known Member Thread Starter

    Joined:
    2006/03/31
    Messages:
    36
    Likes Received:
    0
    So far as I can tell, I have completely removed Avast from my computer using Add\Remove plus a special download program from avast to clear up any items remaining. After reboot, my start menu is still missing run and search and Advanced section of Start up properties is still void of choice to check run or search, so no apparent change that I can see.

    Before uninstalling avast I downloaded free version of avg anti virus. Am now without any installed anti virus program.

    Next step?

    Thanks for all help.
     
  13. 2008/11/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Since there's no change, go ahead and re-install avast!, or AVG - whichever you prefer to use.

    Let's run another app, which is geared toward the removal of malware, to make sure I'm not missing something. Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  14. 2008/11/26
    shylo Lifetime Subscription

    shylo Well-Known Member Thread Starter

    Joined:
    2006/03/31
    Messages:
    36
    Likes Received:
    0
    Hi, search and run magically appear now on start menu. I installed AVG. Installed Recovery Console (sp) from the combofix because I read somewhere during this adventure that I could only install it from an XP CD which I don't have because it's an OEM computer. Because I don't know what worked, I am submitting the combofix log.txt, but if still needed will produce hijackthis and submit on new post. A lot of stuff went on while running and rebooting from the combofix and I had no control over a couple of items now on my task bar. Maybe this log will reveal the underlying problem.

    ComboFix 08-11-26.03 - me 2008-11-26 14:36:27.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.541 [GMT -8:00]
    Running from: c:\documents and settings\me\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\setup.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
    .

    2008-11-26 13:40 . 2008-11-26 13:44 <DIR> d-------- c:\windows\system32\drivers\Avg
    2008-11-26 13:40 . 2008-11-26 13:40 <DIR> d-------- c:\program files\AVG
    2008-11-26 13:40 . 2008-11-26 13:40 <DIR> d-------- c:\documents and settings\me\Application Data\AVGTOOLBAR
    2008-11-26 13:40 . 2008-11-26 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-11-26 13:40 . 2008-11-26 13:40 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-11-26 13:40 . 2008-11-26 13:40 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-11-26 13:40 . 2008-11-26 13:40 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-11-18 11:33 . 2008-11-18 11:34 <DIR> d-------- C:\rsit
    2008-11-18 11:33 . 2008-11-18 11:38 <DIR> d-------- c:\program files\trend micro
    2008-11-01 13:01 . 2008-11-01 13:07 <DIR> d-------- c:\program files\textBEAST
    2008-10-30 05:56 . 2008-10-30 05:56 <DIR> d-------- c:\program files\Secunia
    2008-10-27 00:04 . 2008-10-27 00:04 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-26 22:42 27,342,880 --sha-w c:\windows\system32\drivers\fidbox.dat
    2008-11-26 22:42 --------- d-----w c:\program files\Sandboxie
    2008-11-26 22:41 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-11-26 22:39 324,512 --sha-w c:\windows\system32\drivers\fidbox.idx
    2008-11-26 22:20 --------- d-----w c:\documents and settings\me\Application Data\SiteAdvisor
    2008-11-26 21:36 --------- d-----w c:\program files\SUPERAntiSpyware
    2008-11-26 21:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-26 21:36 --------- d-----w c:\documents and settings\me\Application Data\SUPERAntiSpyware.com
    2008-11-26 19:55 --------- d-----w c:\program files\DBXpress
    2008-11-26 06:09 --------- d-----w c:\program files\SafeBit
    2008-11-26 06:09 --------- d-----w c:\program files\Clipboard Help+Spell
    2008-11-24 06:10 --------- d-----w c:\program files\Quicken
    2008-11-03 22:39 --------- d-----w c:\program files\iDailyDiary
    2008-11-01 14:04 1,304,576 ----a-w c:\windows\Internet Logs\xDB2.tmp
    2008-10-26 23:49 --------- d-----w c:\program files\DcUpdater
    2008-10-23 21:51 --------- d-----w c:\program files\ScreenshotCaptor
    2008-10-23 21:49 --------- d-----w c:\program files\CaptureWiz
    2008-10-22 22:29 --------- d-----w c:\documents and settings\me\Application Data\PixelMetrics
    2008-10-21 21:14 --------- d-----w c:\program files\PrimoPDF
    2008-10-21 13:55 2,256,003 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-10-19 17:21 --------- d-----w c:\program files\FindAndRunRobot
    2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
    2008-10-12 16:38 --------- d-----w c:\program files\NoteTab Light
    2008-10-12 16:27 --------- d-----w c:\program files\DocPad
    2008-10-10 22:13 --------- d-----w c:\program files\Siber Systems
    2008-10-10 22:12 --------- d-----w c:\documents and settings\me\Application Data\GoodSync
    2008-10-09 03:16 --------- d-----w c:\program files\Karen's Power Tools
    2008-10-09 03:16 --------- d-----w c:\documents and settings\All Users\Application Data\Karen's Power Tools
    2008-10-07 00:16 --------- d-----w c:\program files\Titan Backup
    2008-10-04 19:15 --------- d-----w c:\program files\Google
    2008-10-04 19:10 --------- d-----w c:\program files\ZipItFree
    2008-10-04 18:45 --------- d-----w c:\program files\Mythicsoft
    2008-10-03 22:33 --------- d-----w c:\program files\Common Files\System-G
    2008-10-03 00:32 --------- d-----w c:\program files\2nd Story Software
    2008-09-27 00:44 --------- d-----w c:\program files\Opera
    2008-09-22 22:29 82 ----a-w c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
    2008-03-09 19:55 11 ----a-w c:\documents and settings\me\Application Data\Microsoft.Office.Print.dll
    2007-02-23 00:40 439,296 -c--a-w c:\documents and settings\me\GoToAssist_phone__317_en.exe
    2006-05-21 05:57 5 --sha-w c:\windows\system32\dafabdee_s.dll
    2006-06-04 23:52 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
    2008-05-13 22:16 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    2008-05-13 22:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    2008-05-13 22:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051320080514\index.dat
    2008-05-13 22:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpeedStartup"="c:\program files\Speed Startup\speedstartup.exe" [2007-02-22 2236160]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Task Catcher"="c:\progra~1\BILLPS~1\TASKCA~1\tasktrap.exe" [2005-11-14 136760]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-26 1234712]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpeedStartup"="c:\program files\Speed Startup\speedstartup.exe" [2007-02-22 2236160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "SpeedStartup"="c:\program files\Speed Startup\speedstartup.exe" [2007-02-22 2236160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "SAFE8"="c:\program files\Steganos Safe 8\SAFE8.exe" [2006-06-14 2736128]

    c:\documents and settings\me\Start Menu\Programs\Startup\
    HDDlife.lnk - c:\program files\BinarySense\HDDlife 3\HDDlifePro.exe [2008-02-15 2278648]
    Secunia PSI (RC4).lnk - c:\program files\Secunia\PSI (RC4)\psi.exe [2008-10-29 695656]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\IEPro\\MiniDM.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home XII.SP2c\\RpcAgentSrv.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-26 97928]
    R1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];\??\c:\windows\system32\drivers\SLEE13.sys [2005-10-04 16:42:36 74240]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-26 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-26 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-26 76040]
    R2 HDDlife HDD Access service;HDDlife HDD Access service;"c:\program files\Common Files\BinarySense\hldasvc.exe" [2008-02-15 832760]
    R2 hidedir;hidedir;\??\c:\windows\system32\drivers\hidedir.sys [2008-06-14 8704]
    R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe [2008-08-06 98488]
    R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-10-27 7808]
    R3 Sandbox;Sandbox;\??\c:\program files\Sandboxie\Sandbox.sys [2006-10-14 124032]
    R3 vdisk;Virtual Disk Driver;c:\windows\system32\DRIVERS\vdisk.sys [2008-06-14 23152]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2008-11-19 c:\windows\Tasks\EasyShare Registration Task.job
    - c:\windows\system32\rundll32.exe [2008-04-13 16:12]
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\yc1mtiuf.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
    FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npagent.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsabffx.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
    FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF -: plugin - c:\program files\Virtual Earth 3D\npVE3D.dll
    FF -: plugin - c:\program files\Yahoo!\Common\npyaxmpb.dll
    FF -: plugin - c:\windows\system32\SuperAdBlocker.com\npsabffx.dll
    .
    .
    ------- File Associations -------
    .
    txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-26 14:40:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1004)
    c:\windows\system32\relog_ap.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ZoneLabs\vsmon.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Executive Software\DiskeeperLite\DKService.exe
    c:\windows\system32\GEARSEC.EXE
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\program files\Sandboxie\SandboxieServer.exe
    c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    c:\program files\UPHClean\uphclean.exe
    c:\program files\Pure Networks\Network Magic\nmsrvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\progra~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
    c:\progra~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
    c:\program files\AcceleRun\ACCELE~2.EXE
    c:\program files\WordWeb\wweb32.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-26 14:45:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-26 22:45:42

    Pre-Run: 3,658,838,016 bytes free
    Post-Run: 3,537,764,352 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /FASTDETECT

    207 --- E O F --- 2008-07-09 13:33:20
     
  15. 2008/11/26
    shylo Lifetime Subscription

    shylo Well-Known Member Thread Starter

    Joined:
    2006/03/31
    Messages:
    36
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:11:17 PM, on 11/26/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\WINDOWS\system32\GEARSEC.EXE
    C:\Program Files\Common Files\BinarySense\hldasvc.exe
    C:\Program Files\Common Files\BinarySense\hldasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\Program Files\Sandboxie\SandboxieServer.exe
    C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\PROGRA~1\BILLPS~1\TASKCA~1\tasktrap.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe
    C:\Program Files\Secunia\PSI (RC4)\psi.exe
    C:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
    C:\Program Files\BillP Studios\WinPatrol\WINPAT~1.EXE
    C:\Program Files\AcceleRun\ACCELE~2.EXE
    C:\Program Files\WordWeb\wweb32.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\trend micro\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [Task Catcher] C:\PROGRA~1\BILLPS~1\TASKCA~1\tasktrap.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\RunOnce: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe runonce
    O4 - HKCU\..\Run: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe bootup
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKUS\S-1-5-18\..\Run: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe bootup (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SAFE8] "C:\Program Files\Steganos Safe 8\SAFE8.exe" -firstboot (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [SpeedStartup] C:\Program Files\Speed Startup\speedstartup.exe bootup (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SAFE8] "C:\Program Files\Steganos Safe 8\SAFE8.exe" -firstboot (User 'Default user')
    O4 - Startup: HDDlife.lnk = C:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe
    O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152315866578
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\Common Files\BinarySense\hlAPP.dll" (file missing)
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\GEARSEC.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\Common Files\BinarySense\hldasvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
    O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XII.SP2c\RpcAgentSrv.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 12361 bytes
     
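As an added example, not part of this thread and not the helper's or HijackThis's own tooling, here is a small Python triage pass over the kinds of entries that appear in the log above: it flags orphaned entries, AppInit_DLLs, downloaded ActiveX controls (DPF) and services with no publisher information. The sample lines are copied from the log; the flag rules are my own assumptions about what a reviewer looks at first, not a malware verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample entries copied from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\Common Files\BinarySense\hlAPP.dll" (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis finding line starts with its section code, e.g. "O23 - ...".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries a reviewer would look at first, each with the reason.

    The rules below are assumptions for illustration: they prioritise review,
    they do not decide that an entry is malicious.
    """
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, blank lines, anything that is not an O-entry
        section, body = m.groups()
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(section, "orphaned entry: target file no longer exists", line))
        elif section == "O20":
            findings.append(Finding(section, "AppInit_DLLs loads into every user-mode process; confirm the DLL's owner", line))
        elif section == "O16":
            findings.append(Finding(section, "downloaded ActiveX control (DPF); confirm the source site is trusted", line))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "service with no publisher info; verify the binary path", line))
    return findings
```

Entries that carry a known publisher and an existing file, such as the vsmon service line, produce no finding, which matches how a helper reads a clean log.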
  16. 2008/11/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's great news! The log unfortunately does not show what the underlying problem was. All I can say is that ComboFix has many many features built into it, and does correct a lot of things, both major and minor, that are the cause of various oddities. Again, your logs look clean. Do any other issues remain?
     
  17. 2008/11/26
    shylo Lifetime Subscription

    shylo Well-Known Member Thread Starter

    Joined:
    2006/03/31
    Messages:
    36
    Likes Received:
    0
    No other issues that I'm aware of, except for expressing my gratitude for all your help and from a couple of others on the forum. In appreciation, and with some self-serving motives, I'm going to contribute as a lifetime member. I have been a self-educated (?) computer nut for some time and have two other computers with the same aches and pains I have as a senior retiree, and now have a place to maybe fix some things that have needed fixing for a long time. This seems like a good place to get some answers.

    Finally, of the various programs you had me download to the desktop, should I leave them or delete? Can I run ComboFix periodically, or only on some authorization?

    Final thanks for all your very super attitude and support.
     
  18. 2008/11/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You can delete the files we created on the desktop. You may also want to delete the safe.txt file in your userprofile folder (Documents and Settings\yourusername).
    Remove RSIT and the C:\rsit folder.
    ComboFix is not for general usage, and is updated regularly. It needs to be uninstalled. System Restore points should be removed as well, lest you return at some point to the same state. The following will do both in one fell swoop.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other logs that were created/saved too.

    Post back if you have any other issues, or with your success, and I will help you sort it out or mark the topic resolved, whichever applies. :)
     
  19. 2008/11/26
    shylo Lifetime Subscription

    shylo Well-Known Member Thread Starter

    Joined:
    2006/03/31
    Messages:
    36
    Likes Received:
    0
    All done except this, and I don't know if it requires any action:

    Folder C:\32788R22FWJFW has a file in it called C.bat, 616KB an MS-DOS Batch File created 11/26/2008. None of the other files in that folder have anything of recent vintage. However, I did download and install a bunch of Windows patches today.

    If not part of today's forum stuff, then my problem has been solved and this thread can be closed as far as I'm concerned.
     
  20. 2008/11/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You can delete that folder. ;)

    I'm traveling and should be home tomorrow. I will look back through this topic again then and close or instruct further as needed. :)
     
  21. 2008/11/28
    shylo Lifetime Subscription

    shylo Well-Known Member Thread Starter

    Joined:
    2006/03/31
    Messages:
    36
    Likes Received:
    0
    OK, but I want to be clear on the last post. Is it OK to delete the entire folder, or just the file, the DOS batch file I mentioned? There are many other files in that folder and I have no idea of the origin of that folder.

    Travel safe.
     