TechSpot

Google redirect and computer slowdown, can't run GMER

By tapersteve
Dec 4, 2010
  1. Hi there and thank you in advance for the work that you do. I posted once a few weeks back, but I have been away; I am now back and need to fix this problem.

    I definitely have what appears to be a browser re-direct infection, as most, but not all, of the time my Google searches are re-directed to either Bing or some other end page. No porn, just ads of different types. I have Norton running in the background, and use Spybot S&D from time to time to clean up anything else.

    I have read the eight step instructions.

    I have run TFC.

    I have run Malwarebytes and have attached the log below.

    I have tried to run GMER at least a dozen times. I have tried it in regular mode, with and without the "devices" box checked. In either case, it froze up almost immediately after starting the scan. I then tried running it in safe mode, both with the "devices" box checked and unchecked. The only progress I ever got was in safe mode with "devices" unchecked: the scan ran for quite a while, started printing a lot of info in the box, and then went to the BSOD. The error message was uglcrfob.sys Page Fault In Non Paged Area. I have all the technical numbers, if they will be of any use. I uninstalled and re-downloaded GMER, tried safe mode again, and it did the same thing: program ran, then action, then BSOD. I have rebooted my computer more today than in the last year. I don't know what else to do.

    So, I also ran DDS, and am attaching the logs below as well.

    Your help is greatly appreciated. Steve

    Malwarebytes Log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5077

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    12/4/2010 2:32:35 AM
    mbam-log-2010-12-04 (02-32-35).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 281270
    Time elapsed: 4 hour(s), 53 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    **********************************************************
    DDS Log:


    DDS (Ver_10-11-09.01) - NTFSx86
    Run by Steve Kwartin at 4:52:30.32 on Sat 12/04/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2570 [GMT -5:00]

    AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DeltaIITray.exe
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    C:\Documents and Settings\Steve Kwartin\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.cnn.com/
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
    TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [M-Audio Taskbar Icon] c:\windows\system32\DeltaIITray.exe
    mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
    mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216653561431
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - c:\program files\sharp\sharpdesk\ExplorerExtensions.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\stevek~1\applic~1\mozilla\firefox\profiles\5l5wp0pq.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1908.5032\npCIDetect14.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-8 218592]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-11-10 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-11-10 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-11-10 501888]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-11-10 116784]
    R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.3.0.5\ccsvchst.exe [2010-11-10 126392]
    R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2008-11-23 302728]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-10 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20101130.001\IDSXpx86.sys [2010-10-19 341880]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20101203.032\NAVENG.SYS [2010-12-3 86064]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20101203.032\NAVEX15.SYS [2010-12-3 1371184]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
    S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-11-8 366840]
    S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-11-8 1142224]

    =============== Created Last 30 ================

    2010-11-16 07:50:58 -------- d-----w- c:\docume~1\stevek~1\applic~1\SUPERAntiSpyware.com
    2010-11-16 07:50:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-11-16 07:50:32 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-11-10 18:39:12 -------- d-----w- c:\windows\system32\XPSViewer
    2010-11-10 18:38:01 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-11-10 18:37:24 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-11-10 18:37:24 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-11-10 18:37:24 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-11-10 18:37:24 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-11-10 18:37:23 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-11-10 18:37:23 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-11-10 18:37:22 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-11-10 18:37:22 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-11-10 18:37:18 -------- d-----w- C:\855d0ab8392c5309ac0ce3f70e9b
    2010-11-10 10:16:45 339504 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys
    2010-11-10 10:16:44 361904 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdi.sys
    2010-11-10 10:16:43 328752 ----a-r- c:\windows\system32\drivers\n360\0403000.005\symds.sys
    2010-11-10 10:16:43 173104 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symefa.sys
    2010-11-10 10:16:41 43696 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtspx.sys
    2010-11-10 10:16:41 325680 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtsp.sys
    2010-11-10 10:16:40 501888 ----a-w- c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys
    2010-11-10 10:16:40 116784 ----a-w- c:\windows\system32\drivers\n360\0403000.005\ironx86.sys
    2010-11-10 10:09:10 -------- d-----w- c:\windows\system32\drivers\n360\0403000.005
    2010-11-10 08:30:38 -------- d-----w- c:\docume~1\stevek~1\applic~1\Tific
    2010-11-10 05:29:22 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-11-10 05:29:22 107368 ----a-r- c:\windows\system32\GEARAspi.dll
    2010-11-10 05:29:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-11-10 05:29:08 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-11-10 05:29:07 -------- d-----w- c:\program files\Symantec
    2010-11-10 05:28:02 -------- d-----w- c:\windows\system32\drivers\N360
    2010-11-10 05:28:00 -------- d-----w- c:\program files\Norton Security Suite
    2010-11-10 05:27:50 -------- d-----w- c:\program files\NortonInstaller
    2010-11-10 05:02:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
    2010-11-10 04:59:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
    2010-11-08 20:09:13 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-11-08 20:09:09 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-11-08 20:09:09 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-11-08 20:09:05 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-11-08 20:08:41 -------- d-----w- c:\program files\Spyware Doctor
    2010-11-08 20:08:41 -------- d-----w- c:\program files\common files\PC Tools
    2010-11-08 20:08:41 -------- d-----w- c:\docume~1\stevek~1\applic~1\PC Tools
    2010-11-08 20:08:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
    2010-11-08 18:49:27 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-11-08 18:49:27 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-11-08 18:49:14 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-11-08 18:48:08 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-11-08 18:40:58 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-11-06 23:17:58 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-11-06 23:17:58 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-11-06 23:11:11 -------- d-----w- c:\program files\Quick Web Player
    2010-11-06 22:30:28 105984 --sha-r- c:\windows\system32\WMSPDMOEQ.dll
    2010-11-05 23:46:45 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

    ==================== Find3M ====================

    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 08:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 06:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll

    ============= FINISH: 4:53:56.34 ===============

    *********************************************************************************

    Attach Log:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-09.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/21/2008 9:35:28 AM
    System Uptime: 12/4/2010 4:43:52 AM (0 hours ago)

    Motherboard: Dell Inc. | | 0FM586
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2394/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 233 GiB total, 4.275 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 37 GiB total, 1.918 GiB free.
    G: is FIXED (NTFS) - 699 GiB total, 607.38 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
    Description: PCI standard PCI-to-PCI bridge
    Device ID: PCI\VEN_8086&DEV_29C1&SUBSYS_00000000&REV_02\3&2411E6FE&0&08
    Manufacturer: (Standard system devices)
    Name: PCI standard PCI-to-PCI bridge
    PNP Device ID: PCI\VEN_8086&DEV_29C1&SUBSYS_00000000&REV_02\3&2411E6FE&0&08
    Service: pci

    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: Realtek High Definition Audio
    Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020D&REV_1000\4&18CA5B6A&0&0201
    Manufacturer: Realtek
    Name: Realtek High Definition Audio
    PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020D&REV_1000\4&18CA5B6A&0&0201
    Service: IntcAzAudAddService

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
    Service:

    ==== System Restore Points ===================

    RP734: 11/10/2010 1:29:00 PM - Software Distribution Service 3.0
    RP735: 11/16/2010 2:46:30 AM - Norton Security Suite Registry
    RP736: 11/16/2010 3:41:21 AM - Installed Windows Media Player 11
    RP737: 11/17/2010 3:52:36 AM - System Checkpoint
    RP738: 11/18/2010 4:52:16 AM - System Checkpoint
    RP739: 11/19/2010 5:52:15 AM - System Checkpoint
    RP740: 11/20/2010 6:03:55 AM - System Checkpoint
    RP741: 11/21/2010 6:52:14 AM - System Checkpoint
    RP742: 11/22/2010 7:52:16 AM - System Checkpoint
    RP743: 11/23/2010 2:29:05 AM - Norton Security Suite Registry
    RP744: 11/24/2010 3:02:05 AM - System Checkpoint
    RP745: 11/25/2010 4:02:07 AM - System Checkpoint
    RP746: 11/26/2010 5:02:04 AM - System Checkpoint
    RP747: 11/27/2010 6:02:03 AM - System Checkpoint
    RP748: 11/28/2010 7:02:04 AM - System Checkpoint
    RP749: 11/29/2010 8:02:08 AM - System Checkpoint
    RP750: 11/30/2010 9:02:12 AM - System Checkpoint
    RP751: 12/1/2010 10:02:13 AM - System Checkpoint
    RP752: 12/2/2010 11:02:13 AM - System Checkpoint
    RP753: 12/3/2010 12:02:13 PM - System Checkpoint

    ==== Installed Programs ======================

    µTorrent
    Acrobat.com
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.2
    America Online (Choose which version to remove)
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL Connectivity Services
    AOL Spyware Protection
    Audacity 1.3.12 (Unicode)
    Audacity Recovery Utility
    BTeasy 0.2.1.5
    CD Wave Editor version 1.97
    CKRename
    Compatibility Pack for the 2007 Office system
    Conexant D850 56K V.9x DFVc Modem
    Critical Update for Windows Media Player 11 (KB959772)
    CutePDF Writer 2.7
    Delta
    E-Transcript Bundle Viewer
    Exact Audio Copy 0.99pb4
    FLAC 1.2.1b (remove only)
    foobar2000 v0.9.5.4
    GIMP 2.6.6
    Google Earth
    Google Update Helper
    Google Updater
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections 12.1.12.0
    Java Auto Updater
    Java(TM) 6 Update 22
    Malwarebytes' Anti-Malware
    Maxtor Manager
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Excel Viewer 2003
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.5.15)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton Security Suite
    Octoshape add-in for Adobe Flash Player
    PandoraRecovery (Remove Only)
    Pure Networks Port Magic
    QuickTime
    r8brain 1.9
    Realtek High Definition Audio Driver
    Recuva
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    SHARP AM-900 Series MFP Driver
    Sharpdesk
    Sonic Activation Module
    Sony Sound Forge 8.0d
    Sound Forge Pro 10.0
    Spybot - Search & Destroy
    Spyware Doctor 7.0
    SUPERAntiSpyware
    Symantec Technical Support Web Controls
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    VLC media player 0.9.2
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    12/4/2010 4:47:29 AM, error: Dhcp [1002] - The IP address lease 192.168.100.2 for the Network Card with network address 001D097F523C has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
    12/4/2010 4:47:07 AM, error: Dhcp [1002] - The IP address lease 65.34.193.123 for the Network Card with network address 001D097F523C has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
    12/4/2010 4:24:37 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    12/4/2010 4:14:41 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    12/4/2010 3:24:55 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SRTSPX SymIRON SYMTDI Tcpip
    12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    12/4/2010 3:24:10 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/4/2010 3:02:21 AM, error: Service Control Manager [7000] - The PfModNT service failed to start due to the following error: The system cannot find the file specified.
    12/4/2010 2:54:59 AM, error: Service Control Manager [7034] - The Maxtor Service service terminated unexpectedly. It has done this 1 time(s).
    12/4/2010 2:54:59 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================

    I will patiently await your response. Thank you again. Steve
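The Event Viewer block at the end of the DDS log above is the part a helper reads first: the 7026 entry lists every boot-start driver that failed to load at 3:24:55 AM, and the four 7001 entries carry the same timestamp, so they are the dependency fallout of that one failure rather than four separate problems. The following is an added example (not from the thread, from DDS, or from TechSpot) that parses those lines, groups the failed drivers by the product they belong to, and ties the 7001 entries back to the 7026 one. SAMPLE_EVENTS is a subset of the lines quoted in the log above; the DRIVER_OWNER table is an assumed product attribution used only for illustration.

```python
"""Triage of the 'Event Viewer Messages From Past Week' block that DDS appends to its log.

Added example for this thread; it is not part of DDS, TechSpot, or the poster's
own material. SAMPLE_EVENTS is a subset of the lines from the log above, and
DRIVER_OWNER is an assumed product attribution used only for illustration.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = """\
12/4/2010 3:24:55 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SRTSPX SymIRON SYMTDI Tcpip
12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/4/2010 3:02:21 AM, error: Service Control Manager [7000] - The PfModNT service failed to start due to the following error: The system cannot find the file specified.
12/4/2010 2:54:59 AM, error: Service Control Manager [7034] - The Maxtor Service service terminated unexpectedly. It has done this 1 time(s).
"""

# "12/4/2010 3:24:55 AM, error: Service Control Manager [7026] - message"
EVENT_RE = re.compile(
    r"^(?P<date>\S+ \S+ [AP]M), (?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
# "The X service depends on the Y service which failed to start ..."
DEP_RE = re.compile(r"The (?P<service>.+?) service depends on the (?P<dep>.+?) service which failed")

DRIVER_OWNER = {  # assumption: which product each failed driver belongs to
    "Symantec/Norton": {"BHDrvx86", "ccHP", "eeCtrl", "SRTSPX", "SymIRON", "SYMTDI"},
    "SUPERAntiSpyware": {"SASDIFSV", "SASKUTIL"},
}


def parse_events(text):
    """Turn each DDS Event Viewer line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def failed_boot_drivers(events):
    """Driver names listed by Service Control Manager event 7026."""
    names = []
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["id"] == 7026:
            _, _, tail = ev["msg"].partition("failed to load: ")
            names.extend(tail.split())
    return names


def classify_drivers(names):
    """Group failed drivers by owner; anything not in DRIVER_OWNER is 'Windows/other'."""
    groups = defaultdict(list)
    for name in names:
        owner = next((o for o, members in DRIVER_OWNER.items() if name in members), "Windows/other")
        groups[owner].append(name)
    return dict(groups)


def dependency_failures(events):
    """(service, dependency) pairs reported by event 7001."""
    pairs = []
    for ev in events:
        if ev["id"] == 7001:
            m = DEP_RE.search(ev["msg"])
            if m:
                pairs.append((m["service"], m["dep"]))
    return pairs


def cascade_from_7026(events):
    """7001 entries logged in the same second as a 7026 entry: they are the
    dependency fallout of that boot-time driver failure, not separate faults."""
    stamps = {ev["date"] for ev in events if ev["id"] == 7026}
    return [ev for ev in events if ev["id"] == 7001 and ev["date"] in stamps]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    drivers = failed_boot_drivers(evs)
    print(f"{len(drivers)} boot-start drivers failed to load:")
    for owner, names in classify_drivers(drivers).items():
        print(f"  {owner}: {' '.join(names)}")
    print(f"{len(cascade_from_7026(evs))} of {len(dependency_failures(evs))} "
          "dependency failures are fallout of that same boot")
```

Run as a script it prints the driver groups and the 4-of-4 cascade count; the point of the grouping is that the Windows networking stack (AFD, Tcpip, NetBT, IPSec, MRxSmb) and the security products' drivers failed together in a single boot, which is why the later DHCP and DNS errors in the same log are not worth chasing on their own.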
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome back! I'll help you get to where you want to go. But first, some housekeeping.

    1. You have multiple antivirus programs running: AV: Spyware Doctor with AntiVirus and Norton Security Suite.
    Even if you no longer use one of these, you still need to uninstall it. Multiple AV programs make the system more vulnerable. Here's a tool to help if you decide to remove Norton: Norton Removal Tool
    Spyware Doctor is through PCTools I think, so you'll have to check for that uninstall. Please reboot the computer after you have handled the AV.

    2. There are 5 old versions of Java still on the system. The current is v6u22 which you have. To remove all of the old Java, please run this program:

    Please download JavaRa and unzip it to your desktop.
    Important!
    ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.

    Then download and install the most current version and update of Java Runtime Environment (JRE) HERE. (This removes all Java, so please update again from the site.)
    ==============================================
    3. P2P Warning!
    You are using a program named BTeasy. This is TorrentSpy - BitTorrent MetaInfo Handler
    You also have uTorrent installed.
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall both TorrentSpy and uTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    IF you choose not to uninstall either or both of these programs, please disable any startups or activity from both while I'm helping you.
    =======================================
    4. When the above is complete, Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===================================================
    See next reply for Combofix instructions.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When you have finished the housekeeping and online virus scan in my first reply, please follow with this:

    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  4. tapersteve

    tapersteve TS Rookie Topic Starter Posts: 52

    Results of Your Second Post

    Bobbye,

    Thank you for getting back to me so quickly. Here is what I have and have not done so far.

    I have removed AV Spyware Doctor and Super Anti-Spyware. I am keeping Norton, as it is the program provided by my ISP and I am pretty comfortable with it, unless you tell me that it has real problems, or that there is a better free option, as its cost is included in my monthly fees.

    I removed all the old versions of Java, and followed the instructions and reinstalled the latest Java version.

    I use BTEasy and utorrent, as I am a live music recorder, and it is me who uses these programs to put shows that I record up on the internet. The websites that I use are very well run, and I don't use any other P2P programs or websites to download any other torrent files, other than the music files coming from known individuals. So, I am keeping these programs.

    Here is the JavaRa log file:

    JavaRa 1.16 Removal Log.

    Report follows after line.

    ------------------------------------

    The JavaRa removal process was started on Sat Dec 04 16:09:39 2010

    Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_11

    Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_12

    Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_13

    Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_14

    Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_15

    Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_17

    Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_18

    Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_19

    Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_20

    Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

    Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

    JavaRa 1.16 Removal Log.

    Report follows after line.

    ------------------------------------

    The JavaRa removal process was started on Sat Dec 04 16:10:17 2010

    ------------------------------------

    Finished reporting.

    ***********************************************************
    Here is the Eset log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0135ba3de98fb14492964e155324466f
    # end=stopped
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-05 12:26:07
    # local_time=2010-12-05 07:26:07 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=3589 16777213 80 86 1226132 54830260 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=23
    # found=0
    # cleaned=0
    # scan_time=2
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0135ba3de98fb14492964e155324466f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-05 03:06:21
    # local_time=2010-12-05 10:06:21 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=3589 16777213 80 86 1228688 54832816 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=138757
    # found=8
    # cleaned=0
    # scan_time=7060
    C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    C:\Documents and Settings\Steve Kwartin\exe.js probably a variant of VBS/TrojanDownloader.Agent.NRMWBAE trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\eac-0.99pb4.exe a variant of Win32/Adware.ADON application 00000000000000000000000000000000 I
    C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\Keygen.exe a variant of Win32/Keygen.AR application 00000000000000000000000000000000 I
    C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\SONY_SOUND_FORGE_PRO_10_WITH_KEYGEN_.part1.rar a variant of Win32/Keygen.AR application 00000000000000000000000000000000 I


    QUESTIONS: What do I do about the items quarantined by ESET? Do I leave them there, have the program delete them, or otherwise remove them from my system?

    NEXT: I will start running the combofix now.

    Thank you again for your assistance. Steve
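Steve asks above what to do about the items ESET "quarantined". The log header settles that before any decision is needed: the second run ends with found=8, cleaned=0 and remove_checked=false, which is the report-only mode the instructions asked for, so nothing has been touched yet. The following is an added example (not code from ESET, TechSpot, or the poster) that parses a log.txt of this shape, pulls those header values, counts detections by category, and separates hits that sit inside Spybot's Recovery folder (Spybot's backups of items it already removed) from files elsewhere on the disk. SAMPLE_LOG is a constructed excerpt of the log posted above, with the header blocks trimmed to the keys the code reads.

```python
"""Reading an ESET Online Scanner log.txt before deciding what to do with detections.

Added example for this thread; not code from ESET, TechSpot, or the poster.
SAMPLE_LOG is a constructed excerpt of the log posted above: the two '# ' header
blocks (trimmed to the keys used here) and the eight detection lines.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=stopped
# remove_checked=false
# scanned=23
# found=0
# cleaned=0
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=138757
# found=8
# cleaned=0
# scan_time=7060
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\Steve Kwartin\exe.js probably a variant of VBS/TrojanDownloader.Agent.NRMWBAE trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\eac-0.99pb4.exe a variant of Win32/Adware.ADON application 00000000000000000000000000000000 I
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\Keygen.exe a variant of Win32/Keygen.AR application 00000000000000000000000000000000 I
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\SONY_SOUND_FORGE_PRO_10_WITH_KEYGEN_.part1.rar a variant of Win32/Keygen.AR application 00000000000000000000000000000000 I
"""

# <path> <threat name> <category> <32-hex hash> <flag>. The path may contain
# spaces, so it is anchored on its file extension and the hash on its length.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.\w{1,4})\s+(?P<threat>.+?)\s+"
    r"(?P<category>\w+)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\w)$"
)


def parse_eset_log(text):
    """Return (scan_headers, detections); one header dict per '# version=' block."""
    scans, detections, current = [], [], None
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key == "version":        # every scan run starts its header here
                current = {}
                scans.append(current)
            if current is not None:
                current[key] = value.strip('"')
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
    return scans, detections


def triage(scans, detections):
    """What a helper checks first: did the last run finish, was removal on,
    and which hits sit inside another tool's backup folder rather than live."""
    last = scans[-1]
    return {
        "finished": last.get("end") == "finished",
        "found": int(last.get("found", "0")),
        "cleaned": int(last.get("cleaned", "0")),
        "removal_enabled": last.get("remove_checked") == "true",
        "by_category": dict(Counter(d["category"] for d in detections)),
        # Spybot S&D keeps backups of items it already removed under \Recovery\
        "in_spybot_recovery": [d["path"] for d in detections if "\\Recovery\\" in d["path"]],
    }


if __name__ == "__main__":
    scans, dets = parse_eset_log(SAMPLE_LOG)
    report = triage(scans, dets)
    print(f"finished={report['finished']} found={report['found']} "
          f"cleaned={report['cleaned']} removal_enabled={report['removal_enabled']}")
    print("by category:", report["by_category"])
    for path in report["in_spybot_recovery"]:
        print("backup copy held by Spybot, not a live file:", path)
```

The header is parsed per run because this log contains two: the first aborted (end=stopped, esets_scanner_update returned -1) and only the second is the one to act on. Three of the eight hits are archives in Spybot's Recovery folder, so the live files a helper would actually look at are the other five.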
     
  5. tapersteve

    tapersteve TS Rookie Topic Starter Posts: 52

    Bobbye,

    [PLEASE NOTE UPDATED EDIT BELOW]

    Thank you for getting back to me so quickly. Here is what I have and have not done so far.

    I have removed AV Spyware Doctor and Super Anti-Spyware. I am keeping Norton, as it is the program provided by my ISP and I am pretty comfortable with it, unless you tell me that it has real problems, or that there is a better free option, as its cost is included in my monthly fees.

    I removed all the old versions of Java, and followed the instructions and reinstalled the latest Java version.

    I use BTEasy and utorrent, as I am a live music recorder, and it is me who uses these programs to put shows that I record up on the internet. The websites that I use are very well run, and I don't use any other P2P programs or websites to download any other torrent files, other than the music files coming from known individuals. So, I am keeping these programs.

    I was able to run Eset, and here is the log:
    EDIT: Duplicate Eset log has been deleted by Bobbye- member advised.
    EOSSerial=0135ba3de98fb14492964e155324466f
    EOSSerial=0135ba3de98fb14492964e155324466f
    ****************************************************
    [NEW UPDATE]
    Please ignore the paragraph below, as I was finally able to run Combo Fix. I don't know why I even tried again, but it actually loaded, updated, and ran. The log is posted below. Should I re-run Eset, now that Combo Fix ran, or is it okay the way that it is? Let me know. I will even try to re-run GMER now, and will report back.

    The Combo Fix Log:

    ComboFix 10-12-06.03 - Steve Kwartin 12/07/2010 4:04.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2686 [GMT -5:00]
    Running from: c:\documents and settings\Steve Kwartin\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Steve Kwartin\Application Data\AD ON Multimedia
    c:\program files\INSTALL.LOG

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
    .

    2010-12-07 08:54 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-12-07 08:00 . 2010-12-07 08:00 -------- d-----w- c:\documents and settings\Steve Kwartin\Local Settings\Application Data\Sunbelt Software
    2010-12-07 07:59 . 2010-12-07 07:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
    2010-12-07 07:57 . 2010-12-07 08:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-12-07 07:57 . 2010-12-07 07:57 -------- d-----w- c:\program files\Lavasoft
    2010-12-06 09:27 . 2010-12-06 09:27 -------- d-----w- C:\32788R22FWJFW.2.tmp
    2010-12-05 19:36 . 2010-12-05 19:38 -------- d-----w- C:\32788R22FWJFW.1.tmp
    2010-12-04 21:32 . 2010-12-04 21:32 -------- d-----w- c:\program files\ESET
    2010-12-04 21:18 . 2010-12-04 21:18 -------- d-----w- c:\program files\Common Files\Java
    2010-12-04 21:18 . 2010-12-04 21:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-16 07:50 . 2010-11-16 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-11-10 18:39 . 2010-11-10 18:39 -------- d-----w- c:\windows\system32\XPSViewer
    2010-11-10 18:38 . 2010-11-10 18:38 -------- d-----w- c:\program files\MSBuild
    2010-11-10 18:38 . 2010-11-10 18:38 -------- d-----w- c:\program files\Reference Assemblies
    2010-11-10 18:38 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-11-10 18:37 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-11-10 18:37 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-11-10 18:37 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-11-10 18:37 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-11-10 18:37 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-11-10 18:37 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-11-10 18:37 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-11-10 18:37 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-11-10 18:37 . 2010-11-10 18:38 -------- d-----w- C:\855d0ab8392c5309ac0ce3f70e9b
    2010-11-10 08:30 . 2010-11-10 08:30 -------- d-----w- c:\documents and settings\Steve Kwartin\Application Data\Tific
    2010-11-10 05:29 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-11-10 05:29 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
    2010-11-10 05:29 . 2010-11-10 05:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-11-10 05:29 . 2010-11-10 05:29 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-11-10 05:29 . 2010-11-10 05:29 -------- d-----w- c:\program files\Symantec
    2010-11-10 05:28 . 2010-11-10 16:50 -------- d-----w- c:\windows\system32\drivers\N360
    2010-11-10 05:28 . 2010-11-10 05:28 -------- d-----w- c:\program files\Norton Security Suite
    2010-11-10 05:28 . 2010-11-10 05:28 -------- d-----w- c:\program files\Windows Sidebar
    2010-11-10 05:27 . 2010-11-10 05:27 -------- d-----w- c:\program files\NortonInstaller
    2010-11-10 04:59 . 2010-11-10 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-11-08 18:49 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-11-08 18:49 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-11-08 18:49 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-11-08 18:48 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-11-08 18:40 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-04 21:17 . 2010-06-13 05:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Steve Kwartin^Start Menu^Programs^Startup^DING!.lnk]
    path=c:\documents and settings\Steve Kwartin\Start Menu\Programs\Startup\DING!.lnk
    backup=c:\windows\pss\DING!.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    2005-07-12 10:17 50776 ----a-w- c:\program files\America Online 9.0\aol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    2004-10-18 21:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    2004-10-20 14:40 34904 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltaIITaskbarApp]
    2008-03-03 15:13 236040 ----a-w- c:\windows\system32\DeltaIITray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1224800307\EE\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Indexer]
    2005-02-08 00:40 184320 ----a-w- c:\program files\Sharp\Sharpdesk\Indexer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
    2005-02-08 00:38 106496 ----a-w- c:\program files\Sharp\Sharpdesk\IndexTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-10-23 22:24 98304 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
    2005-02-08 00:47 32768 ----a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-05-05 21:15 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypeRegChecker]
    2005-02-08 00:40 57344 ----a-w- c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "Symantec AntiVirus"=2 (0x2)
    "stllssvr"=3 (0x3)
    "SPBBCSvc"=3 (0x3)
    "SNDSrvc"=2 (0x2)
    "SavRoam"=3 (0x3)
    "RoxWatch9"=2 (0x2)
    "RoxMediaDB9"=3 (0x3)
    "ose"=3 (0x3)
    "MDM"=2 (0x2)
    "McciCMService"=2 (0x2)
    "IDriverT"=3 (0x3)
    "gusvc"=2 (0x2)
    "DefWatch"=2 (0x2)
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    "AOL TopSpeedMonitor"=2 (0x2)
    "AOL ACS"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\att-nap\\McciBrowser.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1224800307\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [11/10/2010 5:16 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [11/10/2010 5:16 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/22/2010 9:20 PM 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [11/10/2010 5:16 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [11/10/2010 5:16 AM 116784]
    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [11/10/2010 5:11 AM 126392]
    R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [11/23/2008 1:32 AM 302728]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2010 2:15 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101201.001\IDSXpx86.sys [12/7/2010 3:26 AM 341944]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 11:54 PM 136176]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 4:05 AM 1389400]
    S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - LAVASOFT_AD-AWARE_SERVICE
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

    2010-12-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-05 21:15]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

    2010-11-19 c:\windows\Tasks\Rescue Reminder for 2HAA48PR.job
    - c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2007-09-06 18:52]

    2010-12-07 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.cnn.com/
    FF - ProfilePath - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Check4Change: check4change-owner@mozdev.org - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\check4change-owner@mozdev.org
    FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-NavLogon - (no file)
    MSConfigStartUp-DeltTray - DeltTray.exe
    AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Steve Kwartin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-07 04:12
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    Completion time: 2010-12-07 04:15:24
    ComboFix-quarantined-files.txt 2010-12-07 09:15

    Pre-Run: 2,764,435,456 bytes free
    Post-Run: 3,806,785,536 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 86E624F5BA375D1B09E6653973D154F3


    Thank you again. Steve


    ************************************
    IGNORE BELOW
    I have tried and failed at downloading and running the combo fix program. I am able to download it, and I get the icon on my desktop. I have disabled Norton and the Windows firewall, and shut IE, but what happens every time that I click on the icon is a small gray window opens, with a blue bar that fills in as combo fix is loading, and then nothing, like it tries to load and fails. I have deleted and downloaded it at least three times, with the same lack of result. So, thus far, I have been completely unable to get GMER or Combo Fix to run.

    I will await your next response. Thanks again. Steve
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think you must have lost track of where you were! Eset is in twice- I will edit the post with the second log as it is the same and remove the duplicate, leaving the Combofix log. Then I will try to sort through your 'Update', 'Ignore', 'New update' and so on.

    For the Eset entries:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      :Files  
      C:\AOL Instant Messenger\AIM.exe 
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip 
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip 
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip 
      C:\Documents and Settings\Steve Kwartin\exe.js 
      C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\eac-0.99pb4.exe 
      C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\Keygen.exe 
      C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\SONY_SOUND_FORGE_PRO_10_WITH_KEYGEN_.part1.rar 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===========================================
    The entry in red above indicates the program may have been pirated using a license key or crack code from a torrent site. The program will have to be removed.
    ==========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: [Be sure to scroll down to include ALL lines.]
    Code:
    File::
    
    Folder::
    c:\documents and settings\Steve Kwartin\Local Settings\Application Data\Sunbelt Software
    C:\32788R22FWJFW.2.tmp
    C:\32788R22FWJFW.1.tmp
    C:\855d0ab8392c5309ac0ce3f70e9b
    c:\documents and settings\Steve Kwartin\Application Data\Tific
    
    Extra::
    File::
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    Firefox::
    Firefox-:- Profile - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Regarding GMER: I don't see any indication in Combofix of a rootkit, so unless the problems persist, okay to skip that.

    Regarding Java: Updates are almost always to address a security problem. So keeping an old version of Java installed causes a vulnerability. You had 5 or 6 old versions. So update regularly, but it doesn't overwrite, so you will need to uninstall the old version in Add/Remove Programs in the Control Panel. That is done for now, so remember to uninstall the old versions whenever Java is updated.

    Regarding Norton: I am not a fan of this program. I don't care for any 'suites' as they are usually bloated with processes that use the system resources needlessly- Norton is certainly guilty of this. And it costs money. You can get free and good protection. When we have finished, I'll leave you with a list of tips to improve security. It will have links for free programs.

    Regarding Computer 'slowdown': Please describe.
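The two items Bobbye's reply acts on, the Firefox profile whose search preferences point at Bing and the run of old Java Console extensions, can both be read straight out of the ComboFix "Supplementary Scan" section quoted above. The following script is an added illustration of that triage, not code from this thread, from ComboFix or from OTMoveIt. The sample lines are copied from the log posted earlier in the thread. It assumes three things, each marked in a comment: that a default Firefox 3.x profile has `keyword.URL` on `www.google.com` and `browser.search.selectedEngine` set to `Google`, and that the Java Console extension GUID `{CAFEEFAC-00MM-0000-00UU-ABCDEFFEDCBA}` encodes Java 1.MM update UU, so several of them in one profile means several Java builds are still installed.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample: lines copied from the ComboFix log posted in this thread
# (firewall policy, Supplementary Scan and Firefox extension entries).
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
uStart Page = hxxp://www.cnn.com/
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\\program files\\Mozilla Firefox\\extensions\\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\\program files\\Mozilla Firefox\\extensions\\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\\program files\\Mozilla Firefox\\extensions\\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\\program files\\Mozilla Firefox\\extensions\\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\\program files\\Mozilla Firefox\\extensions\\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\\program files\\Mozilla Firefox\\extensions\\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\\documents and settings\\Steve Kwartin\\Application Data\\Mozilla\\Firefox\\Profiles\\5l5wp0pq.default\\extensions\\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
"""

PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
# Assumption: the Java Console add-on GUID encodes the JRE version as
# CAFEEFAC-<major>-<minor>-<update>-ABCDEFFEDCBA, e.g. 0016/0000/0013 = 1.6.0_13.
JAVA_CONSOLE_RE = re.compile(
    r"^FF - Extension: Java Console: \{CAFEEFAC-(\d{4})-(\d{4})-(\d{4})-ABCDEFFEDCBA\}", re.I)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')

# Assumed defaults for a stock Firefox 3.x profile; anything else is worth a look.
DEFAULT_KEYWORD_HOST = "www.google.com"
DEFAULT_SEARCH_ENGINE = "Google"


def refang(url: str) -> str:
    """ComboFix writes hxxp:// so the log is not clickable; restore it for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def parse_ff_prefs(lines) -> Dict[str, str]:
    """Collect the 'FF - prefs.js: name - value' lines into a dict."""
    prefs: Dict[str, str] = {}
    for line in lines:
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def java_console_versions(lines) -> List[Tuple[int, int]]:
    """Return distinct (major, update) pairs, e.g. (6, 13) for 1.6.0_13, ascending."""
    found = set()
    for line in lines:
        m = JAVA_CONSOLE_RE.match(line.strip())
        if m:
            major = int(m.group(1)) % 10   # "0016" -> Java 1.6 -> 6
            update = int(m.group(3))       # "0013" -> Update 13
            found.add((major, update))
    return sorted(found)


def stale_java_versions(lines) -> List[Tuple[int, int]]:
    """Every Java build except the newest one is a leftover that should be uninstalled."""
    return java_console_versions(lines)[:-1]


def review(log_text: str) -> List[str]:
    """Turn the raw log into a short list of things a helper would want to act on."""
    lines = log_text.splitlines()
    findings: List[str] = []

    prefs = parse_ff_prefs(lines)
    keyword_url = prefs.get("keyword.URL")
    if keyword_url:
        parts = urlsplit(refang(keyword_url))
        if parts.hostname != DEFAULT_KEYWORD_HOST:
            # The pc= parameter is the affiliate/tracking tag the redirect earns from.
            tag = ",".join(parse_qs(parts.query).get("pc", []))
            findings.append(f"keyword.URL points at {parts.hostname} (tracking tag pc={tag})")
    engine = prefs.get("browser.search.selectedEngine")
    if engine and engine != DEFAULT_SEARCH_ENGINE:
        findings.append(f"browser.search.selectedEngine is {engine}")

    for major, update in stale_java_versions(lines):
        findings.append(f"stale Java 1.{major}.0_{update} still installed")

    for line in lines:
        m = FIREWALL_RE.match(line.strip())
        if m and int(m.group(1)) == 0:
            findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    return findings


if __name__ == "__main__":
    for item in review(SAMPLE_LOG):
        print("-", item)
```

Run against the sample it reports the Bing `keyword.URL` with its `pc=ZUGO` tag, the non-default search engine, five stale Java 6 builds (13, 15, 17, 19, 20) and the disabled firewall profile, which is the same set of items the CFScript and the Java advice above address.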
     
  7. tapersteve

    tapersteve TS Rookie Topic Starter Posts: 52

    Bobbye,

    I downloaded and ran OTMoveit. It did its thing, and asked to reboot, which I did. I have Spybot S&D running in the background, and when the computer rebooted, Spybot popped up with a number of registry changes being requested, as well as certain browser changes, a few of which had "redirect" in their title. I allowed a few, and refused to allow the others.

    It then occurred to me that this could either be due to OTMoveit repairing something, or the spy/malware trying to reinstall itself. So, I am attaching the OTMoveit Log below, but I did not want to proceed further, until I hear from you about the registry changes, as I may need to run OTMoveit again, before I do anything else.

    Please let me know how to respond to the registry change requests, and whether I should re-run OTMoveit.

    Lastly, with respect to my computer running slow, this is a Pentium Quad Core, and used to run extremely fast. Now, it seems to take forever for files to process in audio programs. The other day, when I was working on one of the fixes in this thread, I was at a point where I had rebooted, and there were NO applications running in Task Manager; however, the window was showing that the processors were running "system" and using between 25-40% of CPU capacity.

    I don't know if this is part of the malware issue, but I have never seen anything like that when I have looked at the Task Manager prior to my current issue.

    Thank you once again for your ongoing assistance. Steve

    OTMoveit Log:

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\AOL Instant Messenger\AIM.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip moved successfully.
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip moved successfully.
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip moved successfully.
    C:\Documents and Settings\Steve Kwartin\exe.js moved successfully.
    C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\eac-0.99pb4.exe moved successfully.
    C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\Keygen.exe moved successfully.
    C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\SONY_SOUND_FORGE_PRO_10_WITH_KEYGEN_.part1.rar moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Steve Kwartin
    ->Temp folder emptied: 358 bytes
    ->Temporary Internet Files folder emptied: 348804542 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 86008520 bytes
    ->Flash cache emptied: 9825 bytes

    %systemdrive% .tmp files removed: 10807286 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 669 bytes

    Total Files Cleaned = 425.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12082010_163528

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_494.dat not found!

    Registry entries deleted on Reboot...
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    OTMoveIt ran fine.

    There is still evidence of piracy. We do not support piracy. To continue support, this will have to be removed:
    Audio Programs\Soundforge 10\SONY_SOUND_FORGE_PRO_10_WITH_KEYGEN_.part1.rar
     
  9. tapersteve

    tapersteve TS Rookie Topic Starter Posts: 52

    Bobbye,

    I have deleted the Soundforge file. When I rebooted the computer, Spybot again noted registry changes, which I allowed. I then created the ComboFix.txt wordpad document, dragged it into ComboFix, and was then able to run ComboFix.

    Here is the log of the second ComboFix run, after creating the ComboFix.txt document:

    ComboFix 10-12-09.02 - Steve Kwartin 12/10/2010 4:28.2.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2654 [GMT -5:00]
    Running from: c:\documents and settings\Steve Kwartin\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Steve Kwartin\Desktop\CFScript.txt
    AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    FILE ::
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}"
    "c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\855d0ab8392c5309ac0ce3f70e9b
    c:\855d0ab8392c5309ac0ce3f70e9b\amd64\filterpipelineprintproc.dll
    c:\855d0ab8392c5309ac0ce3f70e9b\amd64\msxpsdrv.cat
    c:\855d0ab8392c5309ac0ce3f70e9b\amd64\msxpsdrv.inf
    c:\855d0ab8392c5309ac0ce3f70e9b\amd64\msxpsinc.gpd
    c:\855d0ab8392c5309ac0ce3f70e9b\amd64\msxpsinc.ppd
    c:\855d0ab8392c5309ac0ce3f70e9b\amd64\mxdwdrv.dll
    c:\855d0ab8392c5309ac0ce3f70e9b\amd64\xpssvcs.dll
    c:\855d0ab8392c5309ac0ce3f70e9b\i386\filterpipelineprintproc.dll
    c:\855d0ab8392c5309ac0ce3f70e9b\i386\msxpsdrv.cat
    c:\855d0ab8392c5309ac0ce3f70e9b\i386\msxpsdrv.inf
    c:\855d0ab8392c5309ac0ce3f70e9b\i386\msxpsinc.gpd
    c:\855d0ab8392c5309ac0ce3f70e9b\i386\msxpsinc.ppd
    c:\855d0ab8392c5309ac0ce3f70e9b\i386\mxdwdrv.dll
    c:\855d0ab8392c5309ac0ce3f70e9b\i386\xpssvcs.dll
    c:\documents and settings\Steve Kwartin\Application Data\Tific
    c:\documents and settings\Steve Kwartin\Application Data\Tific\Environment.tfc
    c:\documents and settings\Steve Kwartin\Application Data\Tific\tificocs.symantec.com.tfc
    c:\documents and settings\Steve Kwartin\Local Settings\Application Data\Sunbelt Software
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    G:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
    .

    2010-12-08 22:57 . 2010-12-08 22:57 1409 ----a-w- c:\windows\QTFont.for
    2010-12-08 21:35 . 2010-12-08 21:35 -------- d-----w- C:\_OTM
    2010-12-07 07:57 . 2010-12-09 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-12-04 21:32 . 2010-12-04 21:32 -------- d-----w- c:\program files\ESET
    2010-12-04 21:18 . 2010-12-04 21:18 -------- d-----w- c:\program files\Common Files\Java
    2010-12-04 21:18 . 2010-12-04 21:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-16 07:50 . 2010-11-16 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-11-10 18:39 . 2010-11-10 18:39 -------- d-----w- c:\windows\system32\XPSViewer
    2010-11-10 18:38 . 2010-11-10 18:38 -------- d-----w- c:\program files\MSBuild
    2010-11-10 18:38 . 2010-11-10 18:38 -------- d-----w- c:\program files\Reference Assemblies
    2010-11-10 18:38 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-11-10 18:37 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-11-10 18:37 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-11-10 18:37 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-11-10 18:37 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-11-10 18:37 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-11-10 18:37 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-11-10 18:37 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-11-10 18:37 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-11-10 10:09 . 2010-11-10 16:49 -------- d-----w- c:\windows\system32\drivers\N360\0403000.005

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-04 21:17 . 2010-06-13 05:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-10 05:29 . 2010-11-10 05:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-11-10 05:29 . 2010-11-10 05:29 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-07_09.12.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-10 08:09 . 2010-12-10 08:09 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat
    + 2010-12-10 08:07 . 2010-12-10 08:07 16384 c:\windows\Temp\Perflib_Perfdata_730.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-10-23 98304]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
    [BU]

    [HKLM\~\startupfolder\C:^Documents and Settings^Steve Kwartin^Start Menu^Programs^Startup^DING!.lnk]
    path=c:\documents and settings\Steve Kwartin\Start Menu\Programs\Startup\DING!.lnk
    backup=c:\windows\pss\DING!.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    2005-07-12 10:17 50776 ----a-w- c:\program files\America Online 9.0\aol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    2004-10-18 21:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    2004-10-20 14:40 34904 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltaIITaskbarApp]
    2008-03-03 15:13 236040 ----a-w- c:\windows\system32\DeltaIITray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1224800307\EE\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Indexer]
    2005-02-08 00:40 184320 ----a-w- c:\program files\Sharp\Sharpdesk\Indexer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
    2005-02-08 00:38 106496 ----a-w- c:\program files\Sharp\Sharpdesk\IndexTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-10-23 22:24 98304 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
    2005-02-08 00:47 32768 ----a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-05-05 21:15 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypeRegChecker]
    2005-02-08 00:40 57344 ----a-w- c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "Symantec AntiVirus"=2 (0x2)
    "stllssvr"=3 (0x3)
    "SPBBCSvc"=3 (0x3)
    "SNDSrvc"=2 (0x2)
    "SavRoam"=3 (0x3)
    "RoxWatch9"=2 (0x2)
    "RoxMediaDB9"=3 (0x3)
    "ose"=3 (0x3)
    "MDM"=2 (0x2)
    "McciCMService"=2 (0x2)
    "IDriverT"=3 (0x3)
    "gusvc"=2 (0x2)
    "DefWatch"=2 (0x2)
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    "AOL TopSpeedMonitor"=2 (0x2)
    "AOL ACS"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\att-nap\\McciBrowser.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1224800307\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [11/10/2010 5:16 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [11/10/2010 5:16 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/22/2010 9:20 PM 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [11/10/2010 5:16 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [11/10/2010 5:16 AM 116784]
    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [11/10/2010 5:11 AM 126392]
    R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [11/23/2008 1:32 AM 302728]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2010 2:15 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101208.002\IDSXpx86.sys [12/9/2010 7:04 PM 341944]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 11:54 PM 136176]
    S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-10 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-05 21:15]

    2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

    2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

    2010-11-19 c:\windows\Tasks\Rescue Reminder for 2HAA48PR.job
    - c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2007-09-06 18:52]

    2010-12-10 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.cnn.com/
    FF - ProfilePath - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Check4Change: check4change-owner@mozdev.org - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\check4change-owner@mozdev.org
    FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-10 04:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    Completion time: 2010-12-10 04:40:18
    ComboFix-quarantined-files.txt 2010-12-10 09:40
    ComboFix2.txt 2010-12-07 09:15

    Pre-Run: 50,266,292,224 bytes free
    Post-Run: 50,932,293,632 bytes free

    - - End Of File - - 548D90AE87A624493879343080B6B7B6

    *****************************************
    Please let me know what to do next. I am still not sure what I should do about the items previously quarantined, but not purged from Eset. Thank you again. Steve
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Steve, regarding this:
The only way to troubleshoot this is to find what processes are using the CPU. For instance, you may have auto-updates scheduled or set. It could be that program contacting the internet, looking for updates. Here's how I look for the culprit:
    • Prepare the system for shutdown> Close any active Windows> shut down the email> but don't shut down yet:
    • Open the Task Manager (right click on Taskbar> Task Manager)> Processes tab> click twice on the frame over the CPU column. This will sort the processes.
    • The only activity in the CPU column should be in System, System Idle & taskmgr. These 3 should add up to 100% of the CPU. There might be some fluctuation for 1-2 in the CPU, but ignore that.
    • Any process other than these 3, over 1-2 CPU is what you need to chase down and identify.

    OTM shows Total Files Cleaned = 425.00 mb> that is a huge number of files! Simple math tells me that you have a lot of processes set to Start on boot. Those processes will continue to run in the background using the system resources. As you play games or listen to audio which are resource-intensive, they are competing for the available RAM. As that gets used up, you slow down: ergo: the more processes running, the slower the system will be. And additionally, a system that is not well maintained using disc cleanup, defrag and the likes, is not going to give you good performance.

    I think it would help you if you tried to be patient:
    Entries found by the Eset scan have been handled in OTM.

    I'm going to set up some script- a small one- to stop some of the processes you have starting up.
     
  11. tapersteve

    tapersteve TS Rookie Topic Starter Posts: 52

    Bobbye,

    If I sounded impatient for any reason, that was not my intention. I just wanted to make sure that I had not missed anything with respect to the prior quarantined items.

But, more importantly, it seems like the browser hijacking is no longer occurring. When I Google something now, and click on a link, I no longer get redirected. THANK YOU. It also seems that some of what we have done already has freed up some system resources, as things seem to be moving more quickly, there is less CPU usage showing up in Task Manager, and fewer processes running in the background.

    I am not sure what that last ComboFix did, or how 425 files (and what type of files they were) had such an effect on my system, but if that scan cleaned them up, then we are making major progress. Once again, thank you. It seems that my major problem may now be resolved, but I will look forward to any further suggestions regarding clean-up and optimization of my computer.

    Steve
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

OTMoveIt cleans temporary internet files also. The number 425 was megabytes. That is a huge number of temp files. For instance, the entire Corel Paintshop Pro program only uses 325MB of space on the hard drive!
    ======================================
    One of the deletions in Combofix indicates you may have used an infected flash drive. If you used one to download programs, then we need to disinfect it. Please let me know.
    ===============================
    Please run this Custom CFScript:

    [1] Close any open browsers.
    [2] Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3] Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. [Be sure to scroll down to include ALL lines.]
    Code:
    File::
    
    Extra::
    File::
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    Firefox::
    Firefox-: - Profile - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
    Folder::
    C:\32788R22FWJFW.2.tmp
    C:\32788R22FWJFW.1.tmp
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=-
    "stllssvr"=- 
    "RoxWatch9"=-
    "RoxMediaDB9"=-
    "IDriverT"=- 
    "gusvc"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I've removed extensions in Firefox for 5 outdated versions of Java. The current version is there. Make sure all but Java v6u22 have been removed in Add/Remove Programs. Maybe JavaRa doesn't remove FF addons.
    ===================
    I'd like you to run this. It's quick and I can make sure there are no bad entries remaining. After I check the log, I'll have you remove the cleaning tools and all their logs.
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Almost there!
     
  13. tapersteve

    tapersteve TS Rookie Topic Starter Posts: 52

    Bobbye,

    First of all, thank you for all of your ongoing assistance, including on the weekends. You rule. It seems as if the browser hijacking has come to an end, but I want to follow whatever other instructions that you want to give me, to both make sure everything is gone, and to then optimize and protect my computer against any further need for your help. If you think that I should use another anti-virus program, other than Norton, which is supplied by Comcast, my wonderful ISP, let me know what it is.

    In your last post, you mentioned a possible infected flash drive, but I don't own a flash drive. I have a number of external hard drives that I use to store my many large music files, but no flash or jump drives.

    I have re-run ComboFix, with the latest script that you supplied, and here is the log:

    ComboFix 10-12-11.03 - Steve Kwartin 12/11/2010 22:20:13.4.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2717 [GMT -5:00]
    Running from: c:\documents and settings\Steve Kwartin\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Steve Kwartin\Desktop\CFScript.txt.txt
    AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    FILE ::
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}"
    "c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}"
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
    .

    2010-12-12 02:40 . 2010-12-12 02:41 -------- d-----w- C:\HijackThis
    2010-12-11 20:06 . 2010-12-03 19:35 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
    2010-12-11 20:06 . 2010-12-03 19:35 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
    2010-12-11 20:06 . 2010-12-03 19:35 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-12-11 20:06 . 2010-12-03 19:35 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-12-08 22:57 . 2010-12-08 22:57 1409 ----a-w- c:\windows\QTFont.for
    2010-12-08 21:35 . 2010-12-08 21:35 -------- d-----w- C:\_OTM
    2010-12-07 07:57 . 2010-12-09 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-12-04 21:32 . 2010-12-04 21:32 -------- d-----w- c:\program files\ESET
    2010-12-04 21:18 . 2010-12-04 21:18 -------- d-----w- c:\program files\Common Files\Java
    2010-12-04 21:18 . 2010-12-04 21:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-16 07:50 . 2010-11-16 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-04 21:17 . 2010-06-13 05:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-10 05:29 . 2010-11-10 05:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-11-10 05:29 . 2010-11-10 05:29 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-12-12_02.29.24 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-12 03:08 . 2010-12-12 03:08 16384 c:\windows\Temp\Perflib_Perfdata_670.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
    [BU]

    [HKLM\~\startupfolder\C:^Documents and Settings^Steve Kwartin^Start Menu^Programs^Startup^DING!.lnk]
    path=c:\documents and settings\Steve Kwartin\Start Menu\Programs\Startup\DING!.lnk
    backup=c:\windows\pss\DING!.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    2005-07-12 10:17 50776 ----a-w- c:\program files\America Online 9.0\aol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    2004-10-18 21:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    2004-10-20 14:40 34904 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltaIITaskbarApp]
    2008-03-03 15:13 236040 ----a-w- c:\windows\system32\DeltaIITray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1224800307\EE\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Indexer]
    2005-02-08 00:40 184320 ----a-w- c:\program files\Sharp\Sharpdesk\Indexer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
    2005-02-08 00:38 106496 ----a-w- c:\program files\Sharp\Sharpdesk\IndexTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-10-23 22:24 98304 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
    2005-02-08 00:47 32768 ----a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2010-05-05 21:15 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypeRegChecker]
    2005-02-08 00:40 57344 ----a-w- c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Symantec AntiVirus"=2 (0x2)
    "SPBBCSvc"=3 (0x3)
    "SNDSrvc"=2 (0x2)
    "SavRoam"=3 (0x3)
    "ose"=3 (0x3)
    "MDM"=2 (0x2)
    "McciCMService"=2 (0x2)
    "gusvc"=2 (0x2)
    "DefWatch"=2 (0x2)
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    "AOL TopSpeedMonitor"=2 (0x2)
    "AOL ACS"=2 (0x2)
    "WZCSVC"=2 (0x2)
    "VSS"=3 (0x3)
    "UPS"=3 (0x3)
    "Themes"=2 (0x2)
    "TapiSrv"=3 (0x3)
    "Symantec RemoteAssist"=2 (0x2)
    "RemoteRegistry"=2 (0x2)
    "RDSessMgr"=3 (0x3)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "Maxtor Sync Service"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "helpsvc"=2 (0x2)
    "gupdate"=2 (0x2)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "Browser"=2 (0x2)
    "AudioSrv"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\att-nap\\McciBrowser.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1224800307\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
    "c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [11/10/2010 5:16 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [11/10/2010 5:16 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/22/2010 9:20 PM 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [11/10/2010 5:16 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [11/10/2010 5:16 AM 116784]
    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [11/10/2010 5:11 AM 126392]
    R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [11/23/2008 1:32 AM 302728]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2010 2:15 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101210.001\IDSXpx86.sys [12/11/2010 6:28 AM 341944]
    S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 11:54 PM 136176]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-11 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-05 21:15]

    2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

    2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

    2010-11-19 c:\windows\Tasks\Rescue Reminder for 2HAA48PR.job
    - c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2007-09-06 18:52]

    2010-12-12 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.cnn.com/
    FF - ProfilePath - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Check4Change: check4change-owner@mozdev.org - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\check4change-owner@mozdev.org
    FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-11 22:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2640)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2010-12-11 22:30:10
    ComboFix-quarantined-files.txt 2010-12-12 03:30
    ComboFix2.txt 2010-12-12 02:31
    ComboFix3.txt 2010-12-10 09:40
    ComboFix4.txt 2010-12-07 09:15

    Pre-Run: 43,670,540,288 bytes free
    Post-Run: 43,662,114,816 bytes free

    - - End Of File - - 15990A58CDEC48640CE02E738D929C8E

    ************************************************************************************
    I also ran HijackThis, and here is the log:


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:03:46 PM, on 12/11/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17091)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\System32\DeltaIITray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\IPSBHO.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
    O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1216653561431
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe

    --
    End of file - 4365 bytes

    I did not have HijackThis fix anything, per your instructions. I will wait to hear back from you. Thank you again. Steve
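A small triage script for the HijackThis log format posted above, added here as an example and not code from the thread or from HijackThis itself: it groups entries by section code and flags only the few kinds a reviewer looks at first (start/search pages outside an expected set, orphaned entries marked "(no file)", and O16 ActiveX downloads from hosts outside an assumed trusted list). The sample log lines and both allowlists are constructed assumptions.

```python
"""Triage a HijackThis v2 log (added example, not HijackThis code).

Entries are grouped by their section code (R0, R1, O2, O4, O9, O16, ...) and
only three kinds are flagged; everything else is listed, matching the advice
in the thread that most entries are harmless or required.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the format HijackThis writes; the two
# 'example-hijack.test' lines are invented to exercise the checks.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.cnn.com/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.example-hijack.test/?q=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [M-Audio Taskbar Icon] C:\\WINDOWS\\System32\\DeltaIITray.exe
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Video Codec Update) - http://cdn.example-hijack.test/codec.cab
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\\Program Files\\Norton Security Suite\\Engine\\4.3.0.5\\ccSvcHst.exe
"""

# Every entry line starts with a section code, a space-hyphen-space, then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Assumed allowlist: the IE default fwlink pages plus the user's chosen home page.
EXPECTED_PAGE_HOSTS = {"go.microsoft.com", "www.cnn.com"}
# Assumed allowlist of hosts from which ActiveX (O16 DPF) downloads are expected.
TRUSTED_DPF_HOSTS = {"www.update.microsoft.com", "download.eset.com", "www.alternatiff.com"}


def parse_log(text):
    """Return {section code: [entry body, ...]} in the order the log lists them."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("code")].append(m.group("body"))
    return entries


def summarize(text):
    """Return {section code: number of entries}, the quick overview of a log."""
    return {code: len(bodies) for code, bodies in parse_log(text).items()}


def _host(body):
    """Hostname of the first URL in an entry body, or None if it has no URL."""
    m = URL_RE.search(body)
    return urlparse(m.group(0)).hostname if m else None


def triage(text):
    """Return [(code, reason, body), ...] for the entries worth a closer look."""
    findings = []
    for code, bodies in parse_log(text).items():
        for body in bodies:
            if code in ("R0", "R1"):
                # Start and search pages are where a browser hijack usually shows up.
                if _host(body) not in EXPECTED_PAGE_HOSTS:
                    findings.append((code, "start/search page outside the expected set", body))
            elif body.endswith("(no file)"):
                # Orphaned registration: usually leftover from an uninstall, not malware.
                findings.append((code, "references a missing file (orphaned entry)", body))
            elif code == "O16" and _host(body) not in TRUSTED_DPF_HOSTS:
                # Downloaded Program Files: an ActiveX control pulled from the web.
                findings.append((code, "ActiveX download from a host not on the trusted list", body))
    return findings


if __name__ == "__main__":
    for code, count in summarize(SAMPLE_LOG).items():
        print(f"{code}: {count} entries")
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {body}")
```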
     
  14. tapersteve

    tapersteve TS Rookie Topic Starter Posts: 52

    Bobbye,

    I had a little scare late last night, when no sounds were coming out of my computer. I have a high end soundcard, which showed up in Device Manager, was "working properly," but no sound could be streamed from the internet, but I could play music on my computer. A little research on this board led me to the way to fix the problem. Is this something that one of the programs that you had me run may have caused? If so, I am just letting you know of this, in case it comes up in the future. But I must add, in all of the Googling to find a fix, there was not one re-direct. Thank you. Steve
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Steve, I didn't have you do anything that specifically should have affected the sound card. But anytime malware is involved, settings can get changed or files can get corrupt. Even without malware a setting can change. I once had one of the audio devices just disappear from the dialog box where it was set. Took me a while to realize what it was and I had a clean, well maintained machine. There is also a gremlin who presses the Mute button without asking! Have you met that one yet?

    The Combofix header shows this:
    AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}


    and running processes also shows this twice:
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe


    If indeed you do have two Norton Suites running, that would slow you down significantly! Use Windows Explorer> Windows key + E> My Computer> Local Drive> Programs> do you have 2 Norton Suite folders there? One may have (2) with it.

    Please look in Add/Remove Programs in the Control Panel and make sure the only Java is v6u22. The outdated extensions are still in Firefox.

    HijackThis is fine. No more script needed in Combofix. System is clean!
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      ◦ Choose Disk Cleanup
      ◦ Click "OK" to select the partition or drive you want.
      ◦ Click the "More Options" Tab.
      ◦ Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    Let me know if you have any more questions.

    Have a Happy and Peaceful Holiday!
     
  16. tapersteve

    tapersteve TS Rookie Topic Starter Posts: 52

    Bobbye,

    If I forgot to mention it, I had already looked in Add/Remove Programs, and the only version of Java is the one you wanted me to leave there. Is there a way to remove other versions that you still seem to see in Firefox?

    I went into Explorer, and I have one Norton Security Suite file folder, and one NortonInstaller folder. When I look at Task Manager, I never see any version of Norton running, even though it is present in the system tray. Is there some way to determine if more than one version is running? That might explain the extreme slowdown, but as noted above, there is nothing indicating that Norton is running at all in the Task Manager.

    I will wait to uninstall everything until I hear back from you. Should I also uninstall Eset, DDS, GMER and TFC as well? If so, do I use the Control Panel method, find an uninstaller in their program files, or use another method?

    Early on in this process, you indicated that you would suggest alternative programs to Norton, and based upon your stellar performance here, I would follow any advice that you want to give on that topic, as I hope to never need your awesome abilities ever again.

    I truly cannot thank you enough. You are a complete stranger, and have most generously given your time, knowledge and assistance to a complete stranger, and solved a very critical problem. I hope that you have a wonderful happy, healthy, peaceful and amazing holiday season. Steve
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are most welcome for the help.

    Regarding cleaning the tools and logs:
    OTCleanIt and the Combofix uninstaller should remove most of the tools we used. If you find any of the programs still in Add/Remove, you can uninstall them. But run OTCleanIt first. You can keep TFC if you want and also the Eset Online scanner. If you want to remove Eset: open IE> Tools> Manage Add-ons> find Eset> highlight> Remove. It won't conflict with Norton because it is 'on demand'.

    I have successfully used the Windows Installer Cleanup Utility to delete left-overs.

    Regarding outdated Java files in Firefox:
    To remove outdated Java files from the Firefox browser plugins folder
    1. Starting in Firefox 3, disabling a plugin via "Tools -> Add-ons (or Add-on Manager) -> Plugins" will remove it from the about:plugins list; re-enabling a disabled plugin will add it back to the list.
    2. To check if removed: Type about:plugins in the Location Bar (address bar) and press the Enter key.
      There is an image of the Installed Plugin screen here: http://kb.mozillazine.org/About:plugins
    3. All Java plugins listed should be followed by the version number of the JRE that is currently installed and not any earlier versions. For example, if JRE 6.0 Update 22 is currently installed, each Java plugin listed should be identified as "Java Plug-in 1.6.0_022".
    4. If disabling through Tools> Add-ons worked, you should now see only v6u22.

    Note: Important: It is recommended that you do not place any Java plugins in the Firefox installation directory plugins folder (typically, C:\Program Files\Mozilla Firefox\plugins), as having Java files from previous versions in the browser plugins folder can prevent the current Java version from working.
    Courtesy mozillazine.org

    Regarding Norton Security Suite
    The Norton entries in the Combofix header are puzzling: It clearly shows the CLSID for 2 Norton AV and 1 Norton FW. But your comment about not seeing the entries in the Task Manager could be because one of the AV entries shows 'disabled' and the other shows 'enabled.' When you run Combofix, both the AV & FW should be disabled, so I don't know if you did that. It clearly shows AV twice, with FW (firewall) separate.
    Go back to the Norton Security Suite file folder and double click on it to open. Do this in Windows Explorer because you don't want to launch it, just look at the files. Look on the right screen after the double click. Do you see any duplicate executable files? Do you see savscan.exe?

    "Savscan.exe" is a Norton Antivirus executable file which stands for Symantec AntiVirus Scanner. The "savscan.exe" file is automatically added in the task manager. By default, the file runs automatically after the computer has booted up. The "savscan.exe" process is responsible for actively protecting computers in real time. Without the "savscan.exe" running, a computer is vulnerable to viruses.

    The "savscan.exe" may be terminated or corrupted. To verify that the file is valid, the file properties must indicate that the company is Symantec. Known file sizes are 194,272 bytes, 198,368 bytes, 193,816 bytes, 198,416 bytes, and 197,864 bytes. If you can't determine this with a right click> Properties on the savscan.exe file, we will need to check it out.

    Leaving tips in next reply for your convenience.
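As an added illustration (my own script, not Bobbye's instructions and not part of the thread), the following PowerShell performs the two checks asked for above in one pass: whether Norton is running from more than one folder (Combofix listed ccSvcHst.exe twice while Task Manager showed nothing), and whether savscan.exe shows Symantec as the company, one of the listed sizes, and a valid Authenticode signature. It assumes the Norton folder path quoted in the HijackThis O23 line and the savscan.exe sizes Bobbye listed; run it in an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread. Assumptions: $nortonRoot is the folder from the
# HijackThis O23 line; $knownSavscanSize is the size list quoted in the reply above.
$nortonRoot       = 'C:\Program Files\Norton Security Suite'
$knownSavscanSize = @(194272, 198368, 193816, 198416, 197864)
$nortonProcNames  = @('ccSvcHst', 'savscan')

function Test-NortonExecutable {
    # Reports the evidence asked for: size, CompanyName and Authenticode signature.
    param([Parameter(Mandatory=$true)][string]$Path)
    $item   = Get-Item -LiteralPath $Path
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path              = $Path
        SizeBytes         = $item.Length
        SizeIsKnown       = ($knownSavscanSize -contains $item.Length)
        CompanyName       = $item.VersionInfo.CompanyName
        CompanyIsSymantec = ($item.VersionInfo.CompanyName -like '*Symantec*')
        SignatureStatus   = $sig.Status      # 'Valid' is what a genuine Symantec binary shows
        Signer            = $signer
    }
}

# 1. Is Norton running at all, and from how many distinct folders?
$running = Get-Process | Where-Object { $nortonProcNames -contains $_.ProcessName }
if (-not $running) {
    Write-Warning 'No Norton process is running (ccSvcHst/savscan not found).'
} else {
    $running | Group-Object Path | ForEach-Object { '{0} instance(s) from {1}' -f $_.Count, $_.Name }
    if (@($running | Group-Object Path).Count -gt 1) {
        Write-Warning 'Norton is running from more than one folder: likely a duplicate install.'
    }
}

# 2. Duplicate executables inside the Norton folder (a second Engine folder shows up here),
#    then the savscan.exe properties check.
Get-ChildItem -LiteralPath $nortonRoot -Recurse -Filter *.exe |
    Group-Object Name | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning ('Duplicate executable: {0} ({1} copies)' -f $_.Name, $_.Count) }

Get-ChildItem -LiteralPath $nortonRoot -Recurse -Filter savscan.exe |
    ForEach-Object { Test-NortonExecutable -Path $_.FullName } |
    Format-List Path, SizeBytes, SizeIsKnown, CompanyName, CompanyIsSymantec, SignatureStatus, Signer
```

If savscan.exe is absent, the last command simply prints nothing, which is itself worth reporting back in the thread.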
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    As promised: (Note> links are blue, headings are purple)

    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        ◦ Avira Free
        ◦ Avast Home
      • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
        ◦ Comodo
        ◦ Zone Alarm
      • Antispyware: I recommend all of the following:
        ◦ Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
        ◦ Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
          For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
          IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
          Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
        ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
        ◦ Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.
    3. Stay current on updates:
        ◦ Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
        ◦ Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
        ◦ Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
        ◦ For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
        ◦ For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
        ◦ ATF Cleaner by Atribune
      OR
        ◦ TFC
      Disable and Enable System Restore:
        ◦ See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
        ◦ Don't open email from anyone you don't know.
        ◦ Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
        ◦ Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
     
Topic Status:
Not open for further replies.