Solved Google redirect and computer slowdown, can't run GMER

Status
Not open for further replies.
T

tapersteve

Posts: 52   +0
Hi there and thank you in advance for the work that you do. I posted once a few weeks back, but I have been gone, but am now back and need to fix this problem.

I definitely have what appears to be a browser re-direct infection, as most, but not all of the time, my google searches are re-directed to either Bing or some other end page. No porn, just ads of different types. I have Norton running in the background, and use Spybot S&D from time to time to clean up anything else.

I have read the eight step instructions.

I have run TFC.

I have run the Malawarebytes and have attached the log below.

I have tried to run GMER at least a dozen times. I have tried it in regular mode, with and without the "devices" box checked. In either case, it froze up almost immediately after starting the scan. I then tried running it in safe mode, both with the "devices" box checked, and unchecked. The only progress that I ever got, was in safe mode, with the "devices" unchecked, and the scan ran for quite a while, started printing a lot of info in the box, and then went to the BSOD. The error message was uglcrfob.sys Page Fault In Non Paged Area. I have all the technical numbers, if it will be of any use. I uninstalled and re-downloaded GMER, and tried the safe mode again, and it did the same thing, program ran, then action, then BSOD. I have rebooted my computer more today than in the last year. I don't know what else to do.

So, I also ran DDS, and am attaching the logs below as well.

Your help is greatly appreciated. Steve

Malabytes Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5077

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/4/2010 2:32:35 AM
mbam-log-2010-12-04 (02-32-35).txt

Scan type: Full scan (C:\|)
Objects scanned: 281270
Time elapsed: 4 hour(s), 53 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**********************************************************
DDS Log:


DDS (Ver_10-11-09.01) - NTFSx86
Run by Steve Kwartin at 4:52:30.32 on Sat 12/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2570 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DeltaIITray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Steve Kwartin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\DeltaIITray.exe
mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216653561431
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - c:\program files\sharp\sharpdesk\ExplorerExtensions.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stevek~1\applic~1\mozilla\firefox\profiles\5l5wp0pq.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1908.5032\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-8 218592]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-11-10 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-11-10 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-11-10 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-11-10 116784]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.3.0.5\ccsvchst.exe [2010-11-10 126392]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2008-11-23 302728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-10 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20101130.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20101203.032\NAVENG.SYS [2010-12-3 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20101203.032\NAVEX15.SYS [2010-12-3 1371184]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11010.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-11-8 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-11-8 1142224]

=============== Created Last 30 ================

2010-11-16 07:50:58 -------- d-----w- c:\docume~1\stevek~1\applic~1\SUPERAntiSpyware.com
2010-11-16 07:50:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-16 07:50:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-10 18:39:12 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-10 18:38:01 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-10 18:37:24 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-10 18:37:24 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-10 18:37:24 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-10 18:37:24 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-10 18:37:23 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-10 18:37:23 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-10 18:37:22 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-10 18:37:22 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-10 18:37:18 -------- d-----w- C:\855d0ab8392c5309ac0ce3f70e9b
2010-11-10 10:16:45 339504 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys
2010-11-10 10:16:44 361904 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdi.sys
2010-11-10 10:16:43 328752 ----a-r- c:\windows\system32\drivers\n360\0403000.005\symds.sys
2010-11-10 10:16:43 173104 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symefa.sys
2010-11-10 10:16:41 43696 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtspx.sys
2010-11-10 10:16:41 325680 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtsp.sys
2010-11-10 10:16:40 501888 ----a-w- c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys
2010-11-10 10:16:40 116784 ----a-w- c:\windows\system32\drivers\n360\0403000.005\ironx86.sys
2010-11-10 10:09:10 -------- d-----w- c:\windows\system32\drivers\n360\0403000.005
2010-11-10 08:30:38 -------- d-----w- c:\docume~1\stevek~1\applic~1\Tific
2010-11-10 05:29:22 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-11-10 05:29:22 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-11-10 05:29:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-10 05:29:08 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-10 05:29:07 -------- d-----w- c:\program files\Symantec
2010-11-10 05:28:02 -------- d-----w- c:\windows\system32\drivers\N360
2010-11-10 05:28:00 -------- d-----w- c:\program files\Norton Security Suite
2010-11-10 05:27:50 -------- d-----w- c:\program files\NortonInstaller
2010-11-10 05:02:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-11-10 04:59:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-11-08 20:09:13 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-11-08 20:09:09 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-11-08 20:09:09 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-11-08 20:09:05 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-11-08 20:08:41 -------- d-----w- c:\program files\Spyware Doctor
2010-11-08 20:08:41 -------- d-----w- c:\program files\common files\PC Tools
2010-11-08 20:08:41 -------- d-----w- c:\docume~1\stevek~1\applic~1\PC Tools
2010-11-08 20:08:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-11-08 18:49:27 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-11-08 18:49:27 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-08 18:49:14 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-11-08 18:48:08 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-11-08 18:40:58 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-11-06 23:17:58 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-06 23:17:58 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-06 23:11:11 -------- d-----w- c:\program files\Quick Web Player
2010-11-06 22:30:28 105984 --sha-r- c:\windows\system32\WMSPDMOEQ.dll
2010-11-05 23:46:45 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 08:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 06:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 4:53:56.34 ===============

*********************************************************************************

Attach Log:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-09.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/21/2008 9:35:28 AM
System Uptime: 12/4/2010 4:43:52 AM (0 hours ago)

Motherboard: Dell Inc. | | 0FM586
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2394/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 4.275 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 37 GiB total, 1.918 GiB free.
G: is FIXED (NTFS) - 699 GiB total, 607.38 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: PCI standard PCI-to-PCI bridge
Device ID: PCI\VEN_8086&DEV_29C1&SUBSYS_00000000&REV_02\3&2411E6FE&0&08
Manufacturer: (Standard system devices)
Name: PCI standard PCI-to-PCI bridge
PNP Device ID: PCI\VEN_8086&DEV_29C1&SUBSYS_00000000&REV_02\3&2411E6FE&0&08
Service: pci

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Realtek High Definition Audio
Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020D&REV_1000\4&18CA5B6A&0&0201
Manufacturer: Realtek
Name: Realtek High Definition Audio
PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020D&REV_1000\4&18CA5B6A&0&0201
Service: IntcAzAudAddService

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_020D1028&REV_02\3&2411E6FE&0&FB
Service:

==== System Restore Points ===================

RP734: 11/10/2010 1:29:00 PM - Software Distribution Service 3.0
RP735: 11/16/2010 2:46:30 AM - Norton Security Suite Registry
RP736: 11/16/2010 3:41:21 AM - Installed Windows Media Player 11
RP737: 11/17/2010 3:52:36 AM - System Checkpoint
RP738: 11/18/2010 4:52:16 AM - System Checkpoint
RP739: 11/19/2010 5:52:15 AM - System Checkpoint
RP740: 11/20/2010 6:03:55 AM - System Checkpoint
RP741: 11/21/2010 6:52:14 AM - System Checkpoint
RP742: 11/22/2010 7:52:16 AM - System Checkpoint
RP743: 11/23/2010 2:29:05 AM - Norton Security Suite Registry
RP744: 11/24/2010 3:02:05 AM - System Checkpoint
RP745: 11/25/2010 4:02:07 AM - System Checkpoint
RP746: 11/26/2010 5:02:04 AM - System Checkpoint
RP747: 11/27/2010 6:02:03 AM - System Checkpoint
RP748: 11/28/2010 7:02:04 AM - System Checkpoint
RP749: 11/29/2010 8:02:08 AM - System Checkpoint
RP750: 11/30/2010 9:02:12 AM - System Checkpoint
RP751: 12/1/2010 10:02:13 AM - System Checkpoint
RP752: 12/2/2010 11:02:13 AM - System Checkpoint
RP753: 12/3/2010 12:02:13 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
Acrobat.com
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Spyware Protection
Audacity 1.3.12 (Unicode)
Audacity Recovery Utility
BTeasy 0.2.1.5
CD Wave Editor version 1.97
CKRename
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.7
Delta
E-Transcript Bundle Viewer
Exact Audio Copy 0.99pb4
FLAC 1.2.1b (remove only)
foobar2000 v0.9.5.4
GIMP 2.6.6
Google Earth
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.1.12.0
Java Auto Updater
Java(TM) 6 Update 22
Malwarebytes' Anti-Malware
Maxtor Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.15)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Security Suite
Octoshape add-in for Adobe Flash Player
PandoraRecovery (Remove Only)
Pure Networks Port Magic
QuickTime
r8brain 1.9
Realtek High Definition Audio Driver
Recuva
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SHARP AM-900 Series MFP Driver
Sharpdesk
Sonic Activation Module
Sony Sound Forge 8.0d
Sound Forge Pro 10.0
Spybot - Search & Destroy
Spyware Doctor 7.0
SUPERAntiSpyware
Symantec Technical Support Web Controls
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
VLC media player 0.9.2
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

12/4/2010 4:47:29 AM, error: Dhcp [1002] - The IP address lease 192.168.100.2 for the Network Card with network address 001D097F523C has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
12/4/2010 4:47:07 AM, error: Dhcp [1002] - The IP address lease 65.34.193.123 for the Network Card with network address 001D097F523C has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
12/4/2010 4:24:37 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
12/4/2010 4:14:41 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/4/2010 3:24:55 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SRTSPX SymIRON SYMTDI Tcpip
12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/4/2010 3:24:55 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/4/2010 3:24:10 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/4/2010 3:02:21 AM, error: Service Control Manager [7000] - The PfModNT service failed to start due to the following error: The system cannot find the file specified.
12/4/2010 2:54:59 AM, error: Service Control Manager [7034] - The Maxtor Service service terminated unexpectedly. It has done this 1 time(s).
12/4/2010 2:54:59 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

I will patiently await your response. Thank you again. Steve
 
Welcome back! I'll help you get to where you want to go. But first, some housekeeping.

1. You have multiple antivirus programs running: AV: Spyware Doctor with AntiVirus and
Norton Security Suite Even if you no longer use one of these, you still need to uninstall it. Multiple AV programs make the system more vulnerable. Here's a tool to help if you decide to remove Norton: Norton Removal Tool
Spyware Doctor is through PCTools I think- so you'll have to check for that uninstall Please reboot the computer after you have handled the AV.

2. There are 5 old versions of Java still on the system. The current is v6u22 which you have. To remove all of the old Java, please run this program:

Please download JavaRa and unzip it to your desktop.
Important!
***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that
    a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install then most current version and update of Java Runtime
Environment (JRE) HERE. (This remove all Java so please update again from the site).
==============================================
3. P2P Warning!
You are using a program named BTeasy. This is TorrentSpy - BitTorrent MetaInfo Handler
The intent behind TorrentSpy is to give the BitTorrent power-user all the information they can get in one place. The primary motivating feature is the ability to see in real time the current number of complete/incomplete users on a torrent.
Click to expand...
You also have uTorrent installed.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall both TorrentSpy and uTorrent for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
  • Malware writers use these program to include malicious content.
  • Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

IF you choose not to uninstall either or both of these programs, please disable any startups or activity from both while I'm helping you.
=======================================
4. When the above is complete, Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===================================================
See next reply for Combofix instructions.
 
When you have finished the housekeeping and online virus scan in my first reply, please follow with this:

Download Combofix to your desktop from one of these locations:
Link 1
Link 2
  • Double click combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image
    RcAuto1.gif

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    Click to expand...
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Results of Your Second Post

Bobby,

Thank you for getting back to me so quickly. Here is what I have and have not done so far.

I have removed AV Spyware Doctor and Super Anti-Spyware. I am keeping Norton, as it is the program provided by my ISP and I am pretty comfortable with it, unless you tell me that it has real problems, or that there is a better free option, as its cost is included in my monthly fees.

I removed all the old versions of Java, and followed the instructions and reinstalled the latest Java version.

I use BTEasy and utorrent, as I am a live music recorder, and it is me who uses these programs to put shows that I record up on the internet. The websites that I use are very well run, and I don't use any other P2P programs or websites to download any other torrent files, other than the music files coming from known individuals. So, I am keeping these programs.

Here is the JavRa log file:

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Dec 04 16:09:39 2010

Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_11

Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_12

Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_13

Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_14

Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_15

Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_17

Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_18

Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_19

Found and removed: C:\Documents and Settings\Steve Kwartin\Application Data\Sun\Java\jre1.6.0_20

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Dec 04 16:10:17 2010

------------------------------------

Finished reporting.

***********************************************************
Here is the Eset log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0135ba3de98fb14492964e155324466f
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-05 12:26:07
# local_time=2010-12-05 07:26:07 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777213 80 86 1226132 54830260 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=23
# found=0
# cleaned=0
# scan_time=2
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0135ba3de98fb14492964e155324466f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-05 03:06:21
# local_time=2010-12-05 10:06:21 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777213 80 86 1228688 54832816 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=138757
# found=8
# cleaned=0
# scan_time=7060
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\Steve Kwartin\exe.js probably a variant of VBS/TrojanDownloader.Agent.NRMWBAE trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\eac-0.99pb4.exe a variant of Win32/Adware.ADON application 00000000000000000000000000000000 I
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\Keygen.exe a variant of Win32/Keygen.AR application 00000000000000000000000000000000 I
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\SONY_SOUND_FORGE_PRO_10_WITH_KEYGEN_.part1.rar a variant of Win32/Keygen.AR application 00000000000000000000000000000000 I


QUESTIONS: What do I do about the items quarantined by ESET? Do I leave them there, have the program delete them, or otherwise remove them from my system?

NEXT: I will start running the combofix now.

Thank you again for your assistance. Steve
 
Bobby,

[PLEASE NOTE UPDATED EDIT BELOW]

Thank you for getting back to me so quickly. Here is what I have and have not done so far.

I have removed AV Spyware Doctor and Super Anti-Spyware. I am keeping Norton, as it is the program provided by my ISP and I am pretty comfortable with it, unless you tell me that it has real problems, or that there is a better free option, as its cost is included in my monthly fees.

I removed all the old versions of Java, and followed the instructions and reinstalled the latest Java version.

I use BTEasy and utorrent, as I am a live music recorder, and it is me who uses these programs to put shows that I record up on the internet. The websites that I use are very well run, and I don't use any other P2P programs or websites to download any other torrent files, other than the music files coming from known individuals. So, I am keeping these programs.

I was able to run Eset, and here is the log:
EDIT: Duplicate Eset log has been deleted by Bobbye- member advised.
EOSSerial=0135ba3de98fb14492964e155324466f
EOSSerial=0135ba3de98fb14492964e155324466f
****************************************************
[NEW UPDATE]
Please ignore the paragraph below, as I was finally able to run Combo Fix. I don't know why I even tried again, but it actually loaded, updated, and ran. The log is posted below. Should I re-run Eset, now that Combo Fix ran, or is it okay the way that it is? Let me know. I will even try to re-run GMER now, and will report back.

The Combo Fix Log:

ComboFix 10-12-06.03 - Steve Kwartin 12/07/2010 4:04.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2686 [GMT -5:00]
Running from: c:\documents and settings\Steve Kwartin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Steve Kwartin\Application Data\AD ON Multimedia
c:\program files\INSTALL.LOG

.
((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
.

2010-12-07 08:54 . 2010-12-03 09:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-07 08:00 . 2010-12-07 08:00 -------- d-----w- c:\documents and settings\Steve Kwartin\Local Settings\Application Data\Sunbelt Software
2010-12-07 07:59 . 2010-12-07 07:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-07 07:57 . 2010-12-07 08:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-12-07 07:57 . 2010-12-07 07:57 -------- d-----w- c:\program files\Lavasoft
2010-12-06 09:27 . 2010-12-06 09:27 -------- d-----w- C:\32788R22FWJFW.2.tmp
2010-12-05 19:36 . 2010-12-05 19:38 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-12-04 21:32 . 2010-12-04 21:32 -------- d-----w- c:\program files\ESET
2010-12-04 21:18 . 2010-12-04 21:18 -------- d-----w- c:\program files\Common Files\Java
2010-12-04 21:18 . 2010-12-04 21:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-16 07:50 . 2010-11-16 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-10 18:39 . 2010-11-10 18:39 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-10 18:38 . 2010-11-10 18:38 -------- d-----w- c:\program files\MSBuild
2010-11-10 18:38 . 2010-11-10 18:38 -------- d-----w- c:\program files\Reference Assemblies
2010-11-10 18:38 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-10 18:37 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-10 18:37 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-10 18:37 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-10 18:37 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-10 18:37 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-10 18:37 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-10 18:37 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-10 18:37 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-10 18:37 . 2010-11-10 18:38 -------- d-----w- C:\855d0ab8392c5309ac0ce3f70e9b
2010-11-10 08:30 . 2010-11-10 08:30 -------- d-----w- c:\documents and settings\Steve Kwartin\Application Data\Tific
2010-11-10 05:29 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-11-10 05:29 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-11-10 05:29 . 2010-11-10 05:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-10 05:29 . 2010-11-10 05:29 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-10 05:29 . 2010-11-10 05:29 -------- d-----w- c:\program files\Symantec
2010-11-10 05:28 . 2010-11-10 16:50 -------- d-----w- c:\windows\system32\drivers\N360
2010-11-10 05:28 . 2010-11-10 05:28 -------- d-----w- c:\program files\Norton Security Suite
2010-11-10 05:28 . 2010-11-10 05:28 -------- d-----w- c:\program files\Windows Sidebar
2010-11-10 05:27 . 2010-11-10 05:27 -------- d-----w- c:\program files\NortonInstaller
2010-11-10 04:59 . 2010-11-10 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-11-08 18:49 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-11-08 18:49 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-08 18:49 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-11-08 18:48 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-11-08 18:40 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-04 21:17 . 2010-06-13 05:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Steve Kwartin^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Steve Kwartin\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2005-07-12 10:17 50776 ----a-w- c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-18 21:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-10-20 14:40 34904 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltaIITaskbarApp]
2008-03-03 15:13 236040 ----a-w- c:\windows\system32\DeltaIITray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1224800307\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Indexer]
2005-02-08 00:40 184320 ----a-w- c:\program files\Sharp\Sharpdesk\Indexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
2005-02-08 00:38 106496 ----a-w- c:\program files\Sharp\Sharpdesk\IndexTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-10-23 22:24 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
2005-02-08 00:47 32768 ----a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-05-05 21:15 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypeRegChecker]
2005-02-08 00:40 57344 ----a-w- c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"stllssvr"=3 (0x3)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=2 (0x2)
"SavRoam"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"McciCMService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1224800307\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [11/10/2010 5:16 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [11/10/2010 5:16 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/22/2010 9:20 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [11/10/2010 5:16 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [11/10/2010 5:16 AM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [11/10/2010 5:11 AM 126392]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [11/23/2008 1:32 AM 302728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2010 2:15 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101201.001\IDSXpx86.sys [12/7/2010 3:26 AM 341944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 11:54 PM 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 4:05 AM 1389400]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - LAVASOFT_AD-AWARE_SERVICE
.
Contents of the 'Scheduled Tasks' folder

2010-12-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-12-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-05 21:15]

2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

2010-11-19 c:\windows\Tasks\Rescue Reminder for 2HAA48PR.job
- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2007-09-06 18:52]

2010-12-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
FF - ProfilePath - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Check4Change: check4change-owner@mozdev.org - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\check4change-owner@mozdev.org
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-DeltTray - DeltTray.exe
AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Steve Kwartin\Application Data\Macromedia\Flash Player\



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-07 04:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-12-07 04:15:24
ComboFix-quarantined-files.txt 2010-12-07 09:15

Pre-Run: 2,764,435,456 bytes free
Post-Run: 3,806,785,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 86E624F5BA375D1B09E6653973D154F3


Thank you again. Steve


************************************
IGNORE BELOW
I have tried and failed at downloading and running the combo fix program. I am able to download it, and I get the icon on my desktop. I have disabled Norton and the Windows firewall, and shut i.e., but what happens every time that I click on the icon is a small gray window opens, with a blue bar that fills in as combo fix is loading, and then nothing, like it tries to load and fails. I have deleted and downloaded it at least three times, with the same lack of result. So, thus far, I have been completely unable to get GMER or Combo Fix to run.

I will await your next response. Thanks again. Steve
 
I think you must have lost track of where you were! Eset is in twice- I will edit the post with the second log as it is the same an remove the duplicate, leaving the Combofix log. then I will try to sort through your 'Update', Ignore', 'New update' and so on.

For the Eset entries:
Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: 
    :Processes	
:Files  
C:\AOL Instant Messenger\AIM.exe 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip 
C:\Documents and Settings\Steve Kwartin\exe.js 
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\eac-0.99pb4.exe 
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\Keygen.exe 
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\[B][COLOR="Red"]SONY_SOUND_FORGE_PRO_10_WITH_KEYGEN[/COLOR][/B]_.part1.rar 
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================================
The entry in red above indicates the program may have been pirated using a license key or crack code from a torrent site. The program will have to be removed.
==========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:[Be sure to scroll down to include ALL lines.
Code: 
File::

Folder::
c:\documents and settings\Steve Kwartin\Local Settings\Application Data\Sunbelt Software
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
C:\855d0ab8392c5309ac0ce3f70e9b
c:\documents and settings\Steve Kwartin\Application Data\Tific

Extra::
File::
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
Firefox::
Firefox-:- Profile - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Regarding GMER: I don't see any indication in Combofix of a rootkit, so unless the problems persist, okay to skip that.

Regarding Java: Update are almost always to address a security problem. So keeping an old version of Jav installed cuses a vulnerability. You had 5 or 6 old versions. So update regularly, but it doesn't overwrite so you will need to uninstall the old version in Add/Remove Programs in the Control Panel. That is done for now, so remember to uninstall everything Java is updated.

Regarding Norton: I am not a fan of this program. I don't care for any 'suites' as they are usually bloated with processes that use the system resources needlessly- Norton is certainly guilty of this. And it cost money. You can get free and good protection. When we have finished, I'll leave you with a list of tips to improve security. It will have links for free programs.

Regarding Computer 'slowdown': Please describe.
 
Bobbye,

I downloaded and ran OTMoveit. It did its thing, and asked to reboot, which I did. I have Spybot S&D running in the background, and when the computer rebooted, Spybot popped up with a number of registry changes being requested, as well as certain browser changes, a few of which had "redirect" in their title. I allowed a few, and refused to allow the others.

It then occurred to me that this could either be due to OTMoveit repairing something, or the spy/malware trying to reinstall itself. So, I am attaching the OTMoveit Log below, but I did not want to proceed further, until I hear from you about the registry changes, as I may need to run OTMoveit again, before I do anything else.

Please let me know how to respond to the registry change requests, and whether I should re-run OTMoveit.

Lastly, with respect to my computer running slow, this is a Pentium Quad Core, and used to run extrememely fast. Now, it seems to take forever for files to process in audio programs. The other day, when I was working on one of the fixes in this thread, I was at a poing where I had rebooted, and there were NO applications running in Task Manager; however, the window was showing that the processors were running "system" and using between 25-40% of CPU capacity.

I don't know if this is part of the malware issue, but I have never seen anything like that when I have looked at the Task Manager prior to my current issue.

Thank you once again for your ongoing assistance. Steve

OTMoveit Log:

All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\AOL Instant Messenger\AIM.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip moved successfully.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip moved successfully.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip moved successfully.
C:\Documents and Settings\Steve Kwartin\exe.js moved successfully.
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\eac-0.99pb4.exe moved successfully.
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\Keygen.exe moved successfully.
C:\Documents and Settings\Steve Kwartin\Desktop\Audio Programs\Soundforge 10\SONY_SOUND_FORGE_PRO_10_WITH_KEYGEN_.part1.rar moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Steve Kwartin
->Temp folder emptied: 358 bytes
->Temporary Internet Files folder emptied: 348804542 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 86008520 bytes
->Flash cache emptied: 9825 bytes

%systemdrive% .tmp files removed: 10807286 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 669 bytes

Total Files Cleaned = 425.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 12082010_163528

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_494.dat not found!

Registry entries deleted on Reboot...
 
OTMoveIt ran fine.

There is still evidence of piracy. We do not support piracy. To contunue support, this will have to be removed:
Audio Programs\Soundforge 10\SONY_SOUND_FORGE_PRO_10_WITH_KEYGEN_.part1.rar
 
Bobbye,

I have deleted the Soundforge file. When I rebooted the computer, Spybot again noted registry changes, which I allowed. I then created the ComboFix.txt wordpad document, dragged it into ComboFix, and was then able to run ComboFix.

Here is the log of the second ComboFix run, after creating the ComboFix.txt. document:

ComboFix 10-12-09.02 - Steve Kwartin 12/10/2010 4:28.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2654 [GMT -5:00]
Running from: c:\documents and settings\Steve Kwartin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve Kwartin\Desktop\CFScript.txt
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}"
"c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\855d0ab8392c5309ac0ce3f70e9b
c:\855d0ab8392c5309ac0ce3f70e9b\amd64\filterpipelineprintproc.dll
c:\855d0ab8392c5309ac0ce3f70e9b\amd64\msxpsdrv.cat
c:\855d0ab8392c5309ac0ce3f70e9b\amd64\msxpsdrv.inf
c:\855d0ab8392c5309ac0ce3f70e9b\amd64\msxpsinc.gpd
c:\855d0ab8392c5309ac0ce3f70e9b\amd64\msxpsinc.ppd
c:\855d0ab8392c5309ac0ce3f70e9b\amd64\mxdwdrv.dll
c:\855d0ab8392c5309ac0ce3f70e9b\amd64\xpssvcs.dll
c:\855d0ab8392c5309ac0ce3f70e9b\i386\filterpipelineprintproc.dll
c:\855d0ab8392c5309ac0ce3f70e9b\i386\msxpsdrv.cat
c:\855d0ab8392c5309ac0ce3f70e9b\i386\msxpsdrv.inf
c:\855d0ab8392c5309ac0ce3f70e9b\i386\msxpsinc.gpd
c:\855d0ab8392c5309ac0ce3f70e9b\i386\msxpsinc.ppd
c:\855d0ab8392c5309ac0ce3f70e9b\i386\mxdwdrv.dll
c:\855d0ab8392c5309ac0ce3f70e9b\i386\xpssvcs.dll
c:\documents and settings\Steve Kwartin\Application Data\Tific
c:\documents and settings\Steve Kwartin\Application Data\Tific\Environment.tfc
c:\documents and settings\Steve Kwartin\Application Data\Tific\tificocs.symantec.com.tfc
c:\documents and settings\Steve Kwartin\Local Settings\Application Data\Sunbelt Software
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.

2010-12-08 22:57 . 2010-12-08 22:57 1409 ----a-w- c:\windows\QTFont.for
2010-12-08 21:35 . 2010-12-08 21:35 -------- d-----w- C:\_OTM
2010-12-07 07:57 . 2010-12-09 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-12-04 21:32 . 2010-12-04 21:32 -------- d-----w- c:\program files\ESET
2010-12-04 21:18 . 2010-12-04 21:18 -------- d-----w- c:\program files\Common Files\Java
2010-12-04 21:18 . 2010-12-04 21:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-16 07:50 . 2010-11-16 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-10 18:39 . 2010-11-10 18:39 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-10 18:38 . 2010-11-10 18:38 -------- d-----w- c:\program files\MSBuild
2010-11-10 18:38 . 2010-11-10 18:38 -------- d-----w- c:\program files\Reference Assemblies
2010-11-10 18:38 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-10 18:37 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-10 18:37 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-10 18:37 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-10 18:37 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-10 18:37 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-10 18:37 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-10 18:37 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-10 18:37 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-10 10:09 . 2010-11-10 16:49 -------- d-----w- c:\windows\system32\drivers\N360\0403000.005

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-04 21:17 . 2010-06-13 05:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-10 05:29 . 2010-11-10 05:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-10 05:29 . 2010-11-10 05:29 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-12-07_09.12.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-10 08:09 . 2010-12-10 08:09 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat
+ 2010-12-10 08:07 . 2010-12-10 08:07 16384 c:\windows\Temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-10-23 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^Steve Kwartin^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Steve Kwartin\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2005-07-12 10:17 50776 ----a-w- c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-18 21:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-10-20 14:40 34904 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltaIITaskbarApp]
2008-03-03 15:13 236040 ----a-w- c:\windows\system32\DeltaIITray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1224800307\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Indexer]
2005-02-08 00:40 184320 ----a-w- c:\program files\Sharp\Sharpdesk\Indexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
2005-02-08 00:38 106496 ----a-w- c:\program files\Sharp\Sharpdesk\IndexTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-10-23 22:24 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
2005-02-08 00:47 32768 ----a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-05-05 21:15 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypeRegChecker]
2005-02-08 00:40 57344 ----a-w- c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"stllssvr"=3 (0x3)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=2 (0x2)
"SavRoam"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"McciCMService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1224800307\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [11/10/2010 5:16 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [11/10/2010 5:16 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/22/2010 9:20 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [11/10/2010 5:16 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [11/10/2010 5:16 AM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [11/10/2010 5:11 AM 126392]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [11/23/2008 1:32 AM 302728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2010 2:15 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101208.002\IDSXpx86.sys [12/9/2010 7:04 PM 341944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 11:54 PM 136176]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-05 21:15]

2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

2010-11-19 c:\windows\Tasks\Rescue Reminder for 2HAA48PR.job
- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2007-09-06 18:52]

2010-12-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
FF - ProfilePath - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Check4Change: check4change-owner@mozdev.org - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\check4change-owner@mozdev.org
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-10 04:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-12-10 04:40:18
ComboFix-quarantined-files.txt 2010-12-10 09:40
ComboFix2.txt 2010-12-07 09:15

Pre-Run: 50,266,292,224 bytes free
Post-Run: 50,932,293,632 bytes free

- - End Of File - - 548D90AE87A624493879343080B6B7B6

*****************************************
Please let me know what to do next. I am still not sure what I should do about the items previously quarantined, but not purged from Eset. Thank you again. Steve
 
Steve, regarding this:
window was showing that the processors were running "system" and using between 25-40% of CPU capacity.
Click to expand...

The only way to troubleshoot this is to find what processes are using the CPU. For instance, you may have auto-updates scheduled or set. It could be that program contacting the internet, looking for updates. Here's how I look for culprit:
  • Prepare the system for shutdown> Close any active Windows> shut down the email> but don't shut down yet:
  • Open the Task Manager (right click on Taskbar> Task Manager)> Processes tab> click twice on the frame over the CPU column. This will sort the processes.
  • The only activity in the CPU column should be in System, System Idle & taskmgr. These 3 should add up to 100% of the CPU. There might be some fluctuation for 1-2 in the CPU, but ignore that.
  • Any process other than these 3, over 1-2 CPU is what you need to chase down and identify.

OTM shows Total Files Cleaned = 425.00 mb> that is a huge number of files! Simple math tells me that you have a lot of processes set to Start on boot. Those processes will continue to run in the background using the system resources. As you play games or listen to audio which are resource-intensive, they are competing for the available RAM. As that gets used up, you slow down: ergo: the more processes running, the slower the system will be. And additionally, a system that is not well maintained using disc cleanup, defrag and the likes, is not going to give you good performance.

I think it would help you if you tried to be patient:
I am still not sure what I should do about the items previously quarantined, but not purged from Eset.
Click to expand...
Entries found by the Eset scan have been handled in OTM.

I'm going to set up some script- a small one- to stop some of the processes you have starting up.
 
Bobbye,

If I sounded impatient for any reason, that was not my intention. I just wanted to make sure that I had not missed anything with respect to the prior quarantined items.

But, more importantly, it seems like the browser hijacking is no longer occurring. When I Google something now, and click on a link, I no longer get redirected. THANK YOU. It also seems that some of what we have done already has freed up some system resources, as things seem to be moving more quickly, there is less CPU usage showing up in Task Manager, and less processes running in the background.

I am not sure what that last ComboFix did, or how 425 files (and what type of files they were) had such an effect on my system, but if that scan cleaned them up, then we are making major progress. Once again, thank you. It seems that my major problem may now be resolved, but I will look forward to any further suggestions regarding clean-up and optimization of my computer.

Steve
 
OTMoveIt cleans temporary internet files also. The number 425 was megabytes. That is a hugh number of temo files. For instance, the entire Corel Paintshop Pro programs only uses 325MB of space on the hard drive!
======================================
One of the deletions in Combofix indicates you may have used an infected flash drive. If you used one to download programs, then we need to disinfect it. Please let me know.
===============================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:[Be sure to scroll down to include ALL lines.
Code: 
File::

Extra::
File::
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
Firefox::
Firefox-: - Profile - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
Folder::
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=-
"stllssvr"=- 
"RoxWatch9"=-
"RoxMediaDB9"=-
"IDriverT"=- 
"gusvc"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
I've removed extensions in Firefox for 5 outdate versions of Java. The current version is there. Make sure all but Java v6u22 have been removed in Add/Remove Programs. Maybe JavaRa doesn't remove FF addons.
===================
I'd like you to run this. It's quick and I can make sure there are no bad entries remaining. After I check the log, I'll have you remve the cleaning tools and all their logs.
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Almost there!
 
Bobbye,

First of all, thank you for all of your ongoing assistance, including on the weekends. You rule. It seems as if the browser hijacking has come to an end, but I want to follow whatever other instructions that you want to give me, to both make sure everything is gone, and to then optimize and protect my computer against any further need for your help. If you think that I should use another anti-virus program, other than Norton, which is supplied by Comcast, my wonderful ISP, let me know what it is.

In your last post, you mentioned a possible infected flash drive, but I don't own a flash drive. I have a number of external harddrives that I use to store my many large music files, but no flash or jump drives.

I have re-run ComboFix, with the latest script that you supplied, and here is the log:

ComboFix 10-12-11.03 - Steve Kwartin 12/11/2010 22:20:13.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2717 [GMT -5:00]
Running from: c:\documents and settings\Steve Kwartin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve Kwartin\Desktop\CFScript.txt.txt
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}"
"c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}"
.

((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.

2010-12-12 02:40 . 2010-12-12 02:41 -------- d-----w- C:\HijackThis
2010-12-11 20:06 . 2010-12-03 19:35 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-12-11 20:06 . 2010-12-03 19:35 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-12-11 20:06 . 2010-12-03 19:35 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2010-12-11 20:06 . 2010-12-03 19:35 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2010-12-08 22:57 . 2010-12-08 22:57 1409 ----a-w- c:\windows\QTFont.for
2010-12-08 21:35 . 2010-12-08 21:35 -------- d-----w- C:\_OTM
2010-12-07 07:57 . 2010-12-09 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-12-04 21:32 . 2010-12-04 21:32 -------- d-----w- c:\program files\ESET
2010-12-04 21:18 . 2010-12-04 21:18 -------- d-----w- c:\program files\Common Files\Java
2010-12-04 21:18 . 2010-12-04 21:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-16 07:50 . 2010-11-16 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-04 21:17 . 2010-06-13 05:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-10 05:29 . 2010-11-10 05:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-10 05:29 . 2010-11-10 05:29 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-12-12_02.29.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-12 03:08 . 2010-12-12 03:08 16384 c:\windows\Temp\Perflib_Perfdata_670.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^Steve Kwartin^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Steve Kwartin\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2005-07-12 10:17 50776 ----a-w- c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-18 21:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-10-20 14:40 34904 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltaIITaskbarApp]
2008-03-03 15:13 236040 ----a-w- c:\windows\system32\DeltaIITray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1224800307\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Indexer]
2005-02-08 00:40 184320 ----a-w- c:\program files\Sharp\Sharpdesk\Indexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexTray]
2005-02-08 00:38 106496 ----a-w- c:\program files\Sharp\Sharpdesk\IndexTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-10-23 22:24 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SharpTray]
2005-02-08 00:47 32768 ----a-w- c:\program files\Sharp\Sharpdesk\SharpTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-05-05 21:15 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypeRegChecker]
2005-02-08 00:40 57344 ----a-w- c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=2 (0x2)
"SavRoam"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"McciCMService"=2 (0x2)
"gusvc"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"WZCSVC"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Symantec RemoteAssist"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Maxtor Sync Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"helpsvc"=2 (0x2)
"gupdate"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"Browser"=2 (0x2)
"AudioSrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1224800307\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [11/10/2010 5:16 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [11/10/2010 5:16 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/22/2010 9:20 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [11/10/2010 5:16 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [11/10/2010 5:16 AM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [11/10/2010 5:11 AM 126392]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [11/23/2008 1:32 AM 302728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2010 2:15 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101210.001\IDSXpx86.sys [12/11/2010 6:28 AM 341944]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2010 11:54 PM 136176]
.
Contents of the 'Scheduled Tasks' folder

2010-12-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-05 21:15]

2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 04:53]

2010-11-19 c:\windows\Tasks\Rescue Reminder for 2HAA48PR.job
- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2007-09-06 18:52]

2010-12-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
FF - ProfilePath - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Check4Change: check4change-owner@mozdev.org - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\check4change-owner@mozdev.org
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 22:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-12-11 22:30:10
ComboFix-quarantined-files.txt 2010-12-12 03:30
ComboFix2.txt 2010-12-12 02:31
ComboFix3.txt 2010-12-10 09:40
ComboFix4.txt 2010-12-07 09:15

Pre-Run: 43,670,540,288 bytes free
Post-Run: 43,662,114,816 bytes free

- - End Of File - - 15990A58CDEC48640CE02E738D929C8E

************************************************************************************
I also ran HijackThis, and here is the log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:03:46 PM, on 12/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\DeltaIITray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1216653561431
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe

--
End of file - 4365 bytes

I did not have HijackThis fix anything, per your instructions. I will wait to hear back from you. Thank you again. Steve
 
Bobbye,

I had a little scare late last night, when no sounds were coming out of my computer. I have a high end soundcard, which showed up in Device Manager, was "working properly," but no sound could be streamed from the internet, but I could play music on my computer. A little research on this board led me to the way to fix the problem. Is this something that one of the programs that you had me run may have caused? If so, I am just letting you know of this, in case it comes up in the future. But I must add, in all of the Googling to find a fix, there was not one re-direct. Thank you. Steve
 
Steve, I didn't have you do anything that specifically should have affected the sound card. But anytime malware is involved, settings can get changes or file can get corrupt. Even without malware a setting can change. I once had one of the audio devices just disappear from the dialog box where it was set. Took me a while to realize what it was and I had a clean, well maintaned machine. There is also a gremlin who presses the Mute button without asking! Have you met that one yet?

The Combofix header shows this:
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

and running processes also shows this twice:
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe

If indeed you do have two Norton Suites running, that would slows you down significantly! Use Windows Explorer> Windows key + E> My Computer> Local Drive> Programs> do you have 2 Norton Suite folders there? One may have (2) with it.

Please look in Add/Remove Programs in the Control Panel and make sure the only Java is v6u22. The outdated extensions are still in Firefox.

HijackThis is fine. No more script needed in Combofix. System is clean!
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
Let me know if you have any more questions.

Have a Happy and Peaceful Holiday!
peace_dove_bigger_normal.jpg
 
Bobbye,

If I forgot to mention it, I had already looked in Add/Remove Programs, and the only version of Java is the one you wanted me to leave there. Is there a way to remove other versions that you still seem to see in Firefox?

I went into Explorer, and I have one Norton Security Suite file folder, and one NortonInstaller folder. When I look at Task Manager, I never see any version of Norton running, even though it is present in the system tray. Is there some way to determine if more than one version is running, as that might explain the extreme slowdown, but as noted above, there is nothing indicating that Norton is running at all in the Task Manager.

I will wait to uninstall everything until I hear back from you. Should I also uninstall Eset, DDS, GMER and TFC as well? If so, do I use the Control Panel method, find an uninstaller in their program files, or use another method?

Early on in this process, you indicated that you would suggest alternative programs to Norton, and based upon your stellar performance here, I would follow any advice that you want to give on that topic, as I hope to never need your awesome abilities ever again.

I truly cannot thank you enough. You are a complete stranger, and have most generously given your time, knowledge and assistance to a complete stranger, and solved a very critical problem. I hope that you have a wonderful happy, healthy, peaceful and amazing holiday season. Steve
 
You are most welcome for the help.

Regarding cleaning the tools and logs:
OTCleanIt and the Combofix uninstaller should remove most of the tools we used. If you find any of the programs still in Add/Remove, you can uninstall them. But run OTCleanIt first. You can keep TFC if you want and also the Eset Online scanner. If you want to remove Eset: open IE> Tools> Manage Add-ons> find Eset> highlight> Remove. It won't conflict with Norton because it is 'on demand'.

I have successfully used the Windows Installer Cleanup Utility to delete left-overs.

Regarding outdated Java files in Firefox:
To remove outdated Java files from the Firefox browser plugins folder
  1. Starting in Firefox 3 ,disabling a plugin via "Tools -> Add-ons (or Add-on Manager) -> Plugins" will remove it from the about:plugins list; re-enabling a disabled plugin will add it back to the list.
  2. To check if removed: Type about:plugins in the Location Bar (address bar) and press Enter key.
    There is an image of the Installed Plugin screen here:http://kb.mozillazine.org/About:plugins
  3. All Java plugins listed should be followed by the version number of the JRE that is currently installed and not any earlier versions. For example, if JRE 6.0 Update 22 is currently installed, each Java plugin listed should be identified as "Java Plug-in 1.6.0_022.
  4. If disabling through Tools> Add-ons worked, you should now see only v6u22.

Note: Important: It is recommended that you do not place any Java plugins in the Firefox installation directory plugins folder (typically, C:\Program Files\Mozillla Firefox\plugins as having Java files from previous versions in the browser plugins folder can prevent the current Java version from working.
Courtesy mozillazine.org

Regarding Norton Security Suite
The Norton entries in Combofix header are puzzling: It clearly shows the CLSID for 2 Norton AV and 1 Norton FW. But you comment about not seeing the entries in the Task Manager could be because one of the AV entries shows 'disabled' and the other shows 'enabled.' When you run Combofix, both the AV & FW should be disabled, so I don't know if you did that. It clearly shows AV twice, with FW(firewall) separate
Go back to the Norton Security Suite file folder and double click on it to open. Do this in Windows Explorer because you don't want to launch it, just look at the files. Look on the right screen after the double click. Do you see any duplicate executable files? Do you see savscan.exe?

"Savscan.exe" is a Norton Antivirus executable file which stands for Symantec AntiVirus Scanner. The "savscan.exe" file is automatically added in the task manager. By default, the file runs automatically after the computer has booted up. The "savscan.exe" process is responsible for actively protecting computers in real time. Without the "savscan.exe" running, a computer is vulnerable to viruses.

The "savscan.exe" may be terminated or corrupted. To verify that the file is valid, the file properties must indicate that the company is Symantec. Known file sizes are 194,272 bytes, 198,368 bytes, 193,816 bytes, 198,416 bytes, and 197,864 bytes. If you can't determine this with a right click> Properties on the savscan.exe file, we will need to check it out.

Leaving tips in next reply for your convenience.
 
As promised: (Note> links are blue, headings are purple)

Tips for added security and safer browsing:
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software(only one):Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    [o]Download ZonedOut and save to your desktop. this replaces IE/Spyad and manages the Zones in Internet explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
    IE/Spyad is not longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is Up-to-date before adding sites to your restricted zone.
    Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroys Immunization the problem goes away...
    [o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
  3. Stay current on updates:
    [o] Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates.
    [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
794
uber_beetle
uber_beetle
A
Microsoft breaks users' PCs again with latest Windows 11 update
Replies
19
Views
396
trparky
T
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni

Latest posts

Back