This message(below) recurs at seemingly random intervals for the last three days. Have scanned with Avast(both full scan and boot scan) with no result. Likewise with Microsoft Security Essentials, which I have since deleted. Judging by the message itself, my machine is safe and Avast AV is doing it’s job but I sure would like to figure out just what, inside my computer, is compelling this continuous assault by whatever the heck “77.74.48.111/pldr/test.jpg?suid=b422fa…” is. Will download MBAM and scan with it in the interim but any assistance would be greatly appreciated.

Gordon

http://farm3.static.flickr.com/2690/4507447040_eefea94f8f_o.jpg

Hi

What the link malware ?

Thanks

Malwarebytes’ Anti-Malware 1.45
www.malwarebytes.org

Database version: 3973

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/10/2010 7:26:03 AM
mbam-log-2010-04-10 (07-26-03).txt

Scan type: Full scan (C:|)
Objects scanned: 169474
Time elapsed: 1 hour(s), 43 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{981111eb-4770-4c06-a9b4-6cacf126f5fa} (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{981111eb-4770-4c06-a9b4-6cacf126f5fa} (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remekulobe (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c445201 (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1f77619d (Trojan.Vundo.H) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\noqmqx.dll (Trojan.Vundo.H) → Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Brown\My Documents\ACSA\Adobe.CS3.Web.Premium.Keygen_Activation\Adobe.Web.Premium.CS3.Keygen+Activation.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Brown\My Documents\ACSA\NYU Adobe CS3 Keygens\Adobe Web Premium CS3 Keygen + Activation.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Brown\My Documents\ACSA\NYU Adobe CS3 Keygens\InDesign CS3 Keygen VLK.exe (Trojan.Agent.CK) → Quarantined and deleted successfully.
C:\update.exe (Trojan.Agent) → Quarantined and deleted successfully.

If you scan again (do the quick scan) does it come up clean ? problems gone ?

Also run Superantispyware www.superantispyware.com

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

Is it possible to give the internet address name (using hXXp:// rather than http://) so that we can check out the page?

by using hXXp the link will not be able to be activated.

It is in the original post, image and text, it is an IP address rather than a domain name.

There really is no page to check as the origin is on the users system trying to connect to that page, so what is on it is rather immaterial. We have to try and find what is using svchost.exe to connect to the malicious site, that is why started the ball rolling on that with MBAM and SAS is a good start.

oh okay David, sorry I rushed through the page. I will leave them to it. In good hands.

No problem, it may have been vundo trying to get out, but it may not be that simple.

Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.

http://farm3.static.flickr.com/2078/4507546049_9bbb998f1e.jpg

Okay, I’m actually on another tower entirely- which the keyboard from my main machine
works just fine on. Any suggestions? Is it possible, somewhere on that computer to block the
URL in question entirely- in the internet security maybe? I’ll have to take any advice and assemble it all together to try out on the machine when I hook it back up- and I suppose I could email any necessary links to myself to get around the nonfunctioning keyboard. Thanks in advance.

Gordon

Incidentally, the full URL that Avast keeps blocking and reporting is:

“77.74.48.111/pldr/test.jpg?suid=b422fa140378de814a177850fffffcuid=caba63b92ff1f44abbe14211373fef6affid=200327tid=nka10067cver=2li=1bi=Onc=1”

I certainly haven’t heard of a virus that targets your keyboard, though I guess it wouldn’t be impossible if a keyboard driver was killed/damaged.

Whilst this would be a pain (OK for short tasks), but it is still possible by using the windows on screen keyboard, using your mouse, see mouse actions in, http://www.microsoft.com/windowsxp/using/accessibility/oskturnonuse.mspx.

Have you tried running SAS yet ?

Druidmisanth,

This is a known vundo download site. Re: http://www.bleepingcomputer.com/forums/topic294721.html

polonus

just to add to the info that Pol has posted

• screenshot shows top part of page returned from search of site address of suspect domain
• I can capture and post the whole page in segments if anyone thinks will help

I’m not sure if the info is much use, and I’m a bit busy to follow up myself at the moment

• info gathered through putting into practice v5 sandbox in IS AV

I made sure to access the info from a safe distance, and would advise anyone unpractised in doing should steer well clear of this domain

Edit - well some of the domain is okay, so caveat perhaps - viewer beware

I’m back- typing with the abovementioned onscreen keyboard. In the interim, have run rkill, vundofix, virtumundobegone, with nothing found in the latter two.

Then, I ran hijackthis, producing this:

Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 1:30:49 AM, on 4/15/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Common Files\Java\Java Update\jusched.exe”
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [dscactivate] “C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe”
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [DellSupportCenter] “C:\Program Files\Dell Support Center\bin\sprtcmd.exe” /P DellSupportCenter
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\DellSupport\DSAgnt.exe” /startup
O4 - HKUS\S-1-5-19..\Run: [remekulobe] Rundll32.exe “C:\WINDOWS\system32\wirahahe.dll”,s (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [remekulobe] Rundll32.exe “C:\WINDOWS\system32\wirahahe.dll”,s (User ‘NETWORK SERVICE’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\piyuzuju.dll noqmqx.dll c:\windows\system32\ruvaluno.dll
O21 - SSODL: Autapbi - {950F4790-CDED-424D-8C4C-6C5B6EA25D15} - C:\WINDOWS\system32\exewebro.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://www.kindgirls.com/graf/fondo2.png

–
End of file - 8304 bytes

But I haven’t the slightest idea what it means. Running Malwarebytes again as we speak.

Other than the keyboard not working, all that really remains is that initial notice that Avast is blocking access to that same old URL.

Here’s the VitumundoBeGoneLog:

[04/15/2010, 1:26:56] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Gordon Brown\My Documents\Downloads\VirtumundoBeGone.exe" ) [04/15/2010, 1:27:00] - Detected System Information: [04/15/2010, 1:27:00] - Windows Version: 5.1.2600, Service Pack 3 [04/15/2010, 1:27:00] - Current Username: Gordon Brown (Admin) [04/15/2010, 1:27:00] - Windows is in NORMAL mode. [04/15/2010, 1:27:00] - Searching for Browser Helper Objects: [04/15/2010, 1:27:00] - BHO 1: {0347C33E-8762-4905-BF09-768834316C61} (HP Print Enhancer) [04/15/2010, 1:27:00] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper) [04/15/2010, 1:27:00] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess) [04/15/2010, 1:27:00] - BHO 4: {DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper) [04/15/2010, 1:27:00] - BHO 5: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl Class) [04/15/2010, 1:27:00] - BHO 6: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} (HP Smart BHO Class) [04/15/2010, 1:27:00] - Finished Searching Browser Helper Objects [04/15/2010, 1:27:00] - Finishing up... [04/15/2010, 1:27:00] - Nothing found! Exiting...

I don’t know if this is helps or not, but I’m seeing exactly the same behavior. Investigating the network shield log gives a PID for a slew of services hosted by svchost.exe (Process Explorer). Nothing looks odd. I’ve tried numerous scanners (malwarebytes, superantispyware, hijackthis, housecall, rootkitbuster, ad-aware, and aVast of course) and none have yet found anything. The topic on bleepingcomputer is of little help (suggesting that this in an aVast false-positive). A reverse-lookup gives a domain hosted from the British VI and I’m completely sure I’ve got nothing to do with them.

I’m sorry if there’s not a lot of new info in this post, but I think there’s something really nasty in this and it’s able to hide itself really well.

In addition to whatever service it is that’s doing this, I’m seeing a DNS redirection on search hits from a search-results page (google, yahoo, you name it). I believe that the problems are linked in my case.

Hi Druidsmith

Like Jeffc says, there’s something really nasty in this.
Lets do a preliminary anyway. But you may be needing more help

Fix this entry - relatively straightforward
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
To fix the entry - put checkmark in box next to the entry and click Fix Checked in bottom left hand corner of the screen

• after fixed checked, you need to run Scan to bring up a new log - I prefer to fix one entry at a time

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
Are these on demand for online scanner? - if you can try and disable these in yr browser under Manage add-ons - It would be good to have them out of way for the time being - but wait for second opinion if you want

You may need to fix these others by running a HjT scan in Safe Mode - even then may be very difficult to delete
Perhaps do everything in Safe mode - so copy this post as a file to yr hard drive first so you have a reference

O4 - HKUS\S-1-5-19..\Run: [remekulobe] Rundll32.exe “C:\WINDOWS\system32\wirahahe.dll”,s (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [remekulobe] Rundll32.exe “C:\WINDOWS\system32\wirahahe.dll”,s (User ‘NETWORK SERVICE’)
Fix checked both of these - wirahe.dll is suspect trojan and appears to have locked yr system

• see screenshot (edited)

Edit - on second thoughts, wait for second opinion on this - you may need more in depth help for these.
Since we are talking pretty much the whole system, lets not be hasty.

O20 - AppInit_DLLs: C:\WINDOWS\system32\piyuzuju.dll noqmqx.dll c:\windows\system32\ruvaluno.dll
This is suspect
http://www.techspot.com/vb/topic119190.html

O21 - SSODL: Autapbi - {950F4790-CDED-424D-8C4C-6C5B6EA25D15} - C:\WINDOWS\system32\exewebro.dll
This is suspect but have no information on it - second opinion perhaps

As for your keyboard I can only suggest go into bios - as computer first starts, you need to start tapping should be either F1, F2, or DEL to take the computer into Setup and look for which F Key will allow you to load setup defaults (or optimal failsafe defaults) and press that, then go to Save and Exit - if keyboard port is working then things should be okay.

Usually before you go into setup, if the keyboard is not working then you will get the error message and thats about it - you wont be able to use it. try a USB keyboard and see if that works.

Well, for the moment, the keyboard is working. Seems to be an on again off again phenomenon without any discernible pattern that I can see- restarts and uninstall/reinstalls seem to eventually remedy the situation at least until the next conniption my machine throws.

mkis, being nothing if not hasty, I went ahead and jettisoned everything you listed. I am now going to reboot and see what happens. If I’m not back in an hour, I may be at the store buying something with Ubuntu preinstalled. ; ) Thanks for your help. Oh, here’s the latest hijack log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 4:24:55 PM, on 4/15/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Common Files\Java\Java Update\jusched.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [dscactivate] “C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe”
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [DellSupportCenter] “C:\Program Files\Dell Support Center\bin\sprtcmd.exe” /P DellSupportCenter
O4 - HKLM..\Run: [LVCOMSX] “C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe”
O4 - HKLM..\Run: [LogitechCommunicationsManager] “C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe”
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\DellSupport\DSAgnt.exe” /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

–
End of file - 6594 bytes

you appear to have jettisoned a bit more than that

what happened to Internet Explorer / Internet connection?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

I think I failed at the elementary copy and paste function because I didn’t delete those things. Let me scan again. Hmm, not there and, yet, I didn’t… Anyway, the notification is still there- though everything else seems to be working properly. Maybe I should just be happy with the way things are?