irritated2011

I expect that the Fourth of July isn't a big deal in Romania. Thank you very much for your extensive help. There do seem to be some excessive delays in response and loading in IE, but everything else seems to be clean. Doug

I only use IE, but I have Mozella installed. I did install some security updates yesterday and the Microsoft update site found that I had disabled active-x controls. I seemed to have less problems after that. Avira guard apparently found a virus trying to activate itself (or maybe it was activated by Malwarebytes scanning). Anyway I got this message from Avira but Malwarebytes didn't find anything on the over-night scan: Virus or unwanted program 'JAVA/Tharra.A [virus]' detected in file 'C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\33\7d358f61-76b4954a. Action performed: Deny access It is now in quarantine. What part of the World are you in? I'm in California. - Doug

Thank you for taking the time to address all my concerns. My virus scans are coming out clean and things seem okay, but there are a lot of uneplained delays and failures to load in Internet Explorer. I "reset" the options which might have been a mistake...

Okay. That was easy. The Red Swoosh Icon is gone from my control panel. Should I be worried about the other artifacts from it? I see that it, and a bunch of games, and some other p2p programs are listed in the 'exceptions' section of firewall security. Should I worry? Thank you for all of your help. Doug

I did already - it delivered the same three hits as the RSSoft search. Happy Fourth!

Found lots: "Red Swoosh" SystemLook 04.09.10 by jpshortstuff Log created at 23:11 on 02/07/2011 by Owner Administrator - Elevation successful ========== regfind ========== Searching for "red swoosh" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "9420:TCP"="9420:TCP:*:Disabled:Red Swoosh" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "5000:UDP"="5000:UDP:*:Disabled:Red Swoosh" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "9420:TCP"="9420:TCP:*:Disabled:Red Swoosh" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "5000:UDP"="5000:UDP:*:Disabled:Red Swoosh" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "9420:TCP"="9420:TCP:*:Enabled:Red Swoosh" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "5000:UDP"="5000:UDP:*:Enabled:Red Swoosh" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "9420:TCP"="9420:TCP:*:Disabled:Red Swoosh" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "5000:UDP"="5000:UDP:*:Disabled:Red Swoosh" -= EOF =- "RSSoft" SystemLook 04.09.10 by jpshortstuff Log created at 23:12 on 02/07/2011 by Owner Administrator - Elevation successful ========== regfind ========== Searching for "RSSoft" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\RSSoft\RSEDNClient.exe"="C:\Program Files\RSSoft\RSEDNClient.exe:*:Enabled:RSEDNClient" [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache] "C:\Program Files\RSSoft\RSEDNClient.exe"="RSEDNClient" [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache] "C:\Program Files\RSSoft\RSEDNClient.exe"="RSEDNClient" -= EOF =-

Hmmm. Everything went smoothly, but Red Swoosh is still in the Control panel. I rebooted and had a message that it was unable to completely delete the registry backup file dated today???? I don't know why it would have tried to do that, unless it only allows one registry backup per date (I did select the option to backup on every boot.) Have a fun Fourth weekend! Doug

Looks like it worked this time. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls] "Speech"="C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.cpl" "AlarmClock"="c:\\Program Files\\Microsoft Plus! Digital Media Edition\\Alarm Clock\\AlarmClockPlugin.dll" "Internet Connection Firewall"="Firewall.cpl" "NetSetupWizard"="NetSetup.cpl" "QuickTime"="C:\\Program Files\\QuickTime\\QTSystem\\QuickTime.cpl" "Avira AntiVir Personal - Free Antivirus "="C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl" "Avira AntiVir Personal"="C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\inetcpl.cpl] "RunLevel"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes] "Windows Default"="\",,,,,,,,,,,,,\"" "Windows Animated"="\"C:\\WINDOWS\\Cursors\\rainbow.ani,,C:\\WINDOWS\\Cursors\\appstart.ani,C:\\WINDOWS\\Cursors\\hourglas.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,,C:\\WINDOWS\\Cursors\\sizens.ani,C:\\WINDOWS\\Cursors\\sizewe.ani,C:\\WINDOWS\\Cursors\\sizenwse.ani,C:\\WINDOWS\\Cursors\\sizenesw.ani,,\"" "3D-White"="\"C:\\WINDOWS\\Cursors\\3dwarro.cur,,C:\\WINDOWS\\Cursors\\appstar3.ani,C:\\WINDOWS\\Cursors\\hourgla3.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,C:\\WINDOWS\\Cursors\\3dwno.cur,C:\\WINDOWS\\Cursors\\3dwns.cur,C:\\WINDOWS\\Cursors\\3dwwe.cur,C:\\WINDOWS\\Cursors\\3dwnwse.cur,C:\\WINDOWS\\Cursors\\3dwnesw.cur,C:\\WINDOWS\\Cursors\\3dwmove.cur,\"" "Hands 1"="\"C:\\WINDOWS\\Cursors\\harrow.cur,,C:\\WINDOWS\\Cursors\\handapst.ani,C:\\WINDOWS\\Cursors\\hand.ani,C:\\WINDOWS\\Cursors\\hcross.cur,C:\\WINDOWS\\Cursors\\hibeam.cur,,C:\\WINDOWS\\Cursors\\hnodrop.cur,C:\\WINDOWS\\Cursors\\hns.cur,C:\\WINDOWS\\Cursors\\hwe.cur,C:\\WINDOWS\\Cursors\\hnwse.cur,C:\\WINDOWS\\Cursors\\hnesw.cur,C:\\WINDOWS\\Cursors\\hmove.cur,\"" "Hands 2"="\"C:\\WINDOWS\\Cursors\\harrow.cur,,C:\\WINDOWS\\Cursors\\handapst.ani,C:\\WINDOWS\\Cursors\\handwait.ani,C:\\WINDOWS\\Cursors\\hcross.cur,C:\\WINDOWS\\Cursors\\hibeam.cur,,C:\\WINDOWS\\Cursors\\handno.ani,C:\\WINDOWS\\Cursors\\handns.ani,C:\\WINDOWS\\Cursors\\handwe.ani,C:\\WINDOWS\\Cursors\\handnwse.ani,C:\\WINDOWS\\Cursors\\handnesw.ani,C:\\WINDOWS\\Cursors\\hmove.cur,\"" "Dinosaur"="\"C:\\WINDOWS\\Cursors\\3dgarro.cur,,C:\\WINDOWS\\Cursors\\dinosaur.ani,C:\\WINDOWS\\Cursors\\dinosau2.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,C:\\WINDOWS\\Cursors\\banana.ani,C:\\WINDOWS\\Cursors\\3dsns.cur,C:\\WINDOWS\\Cursors\\3dgwe.cur,C:\\WINDOWS\\Cursors\\3dsnwse.cur,C:\\WINDOWS\\Cursors\\3dgnesw.cur,C:\\WINDOWS\\Cursors\\3dsmove.cur,\"" "Old Fashioned"="\"C:\\WINDOWS\\Cursors\\harrow.cur,,C:\\WINDOWS\\Cursors\\horse.ani,C:\\WINDOWS\\Cursors\\barber.ani,C:\\WINDOWS\\Cursors\\hcross.cur,C:\\WINDOWS\\Cursors\\hibeam.cur,,C:\\WINDOWS\\Cursors\\coin.ani,C:\\WINDOWS\\Cursors\\3dgns.cur,C:\\WINDOWS\\Cursors\\3dgwe.cur,C:\\WINDOWS\\Cursors\\3dgnwse.cur,C:\\WINDOWS\\Cursors\\3dgnesw.cur,C:\\WINDOWS\\Cursors\\3dgmove.cur,\"" "Conductor"="\"C:\\WINDOWS\\Cursors\\harrow.cur,,C:\\WINDOWS\\Cursors\\drum.ani,C:\\WINDOWS\\Cursors\\metronom.ani,C:\\WINDOWS\\Cursors\\hcross.cur,C:\\WINDOWS\\Cursors\\hibeam.cur,,C:\\WINDOWS\\Cursors\\piano.ani,C:\\WINDOWS\\Cursors\\hns.cur,C:\\WINDOWS\\Cursors\\hwe.cur,C:\\WINDOWS\\Cursors\\hnwse.cur,C:\\WINDOWS\\Cursors\\hnesw.cur,C:\\WINDOWS\\Cursors\\hmove.cur,\"" "Magnified"="\"C:\\WINDOWS\\Cursors\\larrow.cur,,C:\\WINDOWS\\Cursors\\lappstrt.cur,C:\\WINDOWS\\Cursors\\lwait.cur,C:\\WINDOWS\\Cursors\\lcross.cur,C:\\WINDOWS\\Cursors\\libeam.cur,,C:\\WINDOWS\\Cursors\\lnodrop.cur,C:\\WINDOWS\\Cursors\\lns.cur,C:\\WINDOWS\\Cursors\\lwe.cur,C:\\WINDOWS\\Cursors\\lnwse.cur,C:\\WINDOWS\\Cursors\\lnesw.cur,C:\\WINDOWS\\Cursors\\lmove.cur,\"" "Variations"="\"C:\\WINDOWS\\Cursors\\fillitup.ani,,C:\\WINDOWS\\Cursors\\raindrop.ani,C:\\WINDOWS\\Cursors\\counter.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,C:\\WINDOWS\\Cursors\\wagtail.ani,C:\\WINDOWS\\Cursors\\sizens.ani,C:\\WINDOWS\\Cursors\\sizewe.ani,C:\\WINDOWS\\Cursors\\sizenwse.ani,C:\\WINDOWS\\Cursors\\sizenesw.ani,\"" "3D-Bronze"="\"C:\\WINDOWS\\Cursors\\3dgarro.cur,,C:\\WINDOWS\\Cursors\\appstar2.ani,C:\\WINDOWS\\Cursors\\hourgla2.ani,C:\\WINDOWS\\Cursors\\cross.cur,,,C:\\WINDOWS\\Cursors\\3dgno.cur,C:\\WINDOWS\\Cursors\\3dgns.cur,C:\\WINDOWS\\Cursors\\3dgwe.cur,C:\\WINDOWS\\Cursors\\3dgnwse.cur,C:\\WINDOWS\\Cursors\\3dgnesw.cur,C:\\WINDOWS\\Cursors\\3dgmove.cur,\"" "Windows Black "="C:\\WINDOWS\\cursors\\arrow_r.cur,C:\\WINDOWS\\cursors\\help_r.cur,C:\\WINDOWS\\cursors\\wait_r.cur,C:\\WINDOWS\\cursors\\busy_r.cur,C:\\WINDOWS\\cursors\\cross_r.cur,C:\\WINDOWS\\cursors\\beam_r.cur,C:\\WINDOWS\\cursors\\pen_r.cur,C:\\WINDOWS\\cursors\\no_r.cur,C:\\WINDOWS\\cursors\\size4_r.cur,C:\\WINDOWS\\cursors\\size3_r.cur,C:\\WINDOWS\\cursors\\size2_r.cur,C:\\WINDOWS\\cursors\\size1_r.cur,C:\\WINDOWS\\cursors\\move_r.cur,C:\\WINDOWS\\cursors\\up_r.cur" "Windows Black (large)"="C:\\WINDOWS\\cursors\\arrow_rm.cur,C:\\WINDOWS\\cursors\\help_rm.cur,C:\\WINDOWS\\cursors\\wait_rm.cur,C:\\WINDOWS\\cursors\\busy_rm.cur,C:\\WINDOWS\\cursors\\cross_rm.cur,C:\\WINDOWS\\cursors\\beam_rm.cur,C:\\WINDOWS\\cursors\\pen_rm.cur,C:\\WINDOWS\\cursors\\no_rm.cur,C:\\WINDOWS\\cursors\\size4_rm.cur,C:\\WINDOWS\\cursors\\size3_rm.cur,C:\\WINDOWS\\cursors\\size2_rm.cur,C:\\WINDOWS\\cursors\\size1_rm.cur,C:\\WINDOWS\\cursors\\move_rm.cur,C:\\WINDOWS\\cursors\\up_rm.cur" "Windows Black (extra large)"="C:\\WINDOWS\\cursors\\arrow_rl.cur,C:\\WINDOWS\\cursors\\help_rl.cur,C:\\WINDOWS\\cursors\\wait_rl.cur,C:\\WINDOWS\\cursors\\busy_rl.cur,C:\\WINDOWS\\cursors\\cross_rl.cur,C:\\WINDOWS\\cursors\\beam_rl.cur,C:\\WINDOWS\\cursors\\pen_rl.cur,C:\\WINDOWS\\cursors\\no_rl.cur,C:\\WINDOWS\\cursors\\size4_rl.cur,C:\\WINDOWS\\cursors\\size3_rl.cur,C:\\WINDOWS\\cursors\\size2_rl.cur,C:\\WINDOWS\\cursors\\size1_rl.cur,C:\\WINDOWS\\cursors\\move_rl.cur,C:\\WINDOWS\\cursors\\up_rl.cur" "Windows Inverted"="C:\\WINDOWS\\cursors\\arrow_i.cur,C:\\WINDOWS\\cursors\\help_i.cur,C:\\WINDOWS\\cursors\\wait_i.cur,C:\\WINDOWS\\cursors\\busy_i.cur,C:\\WINDOWS\\cursors\\cross_i.cur,C:\\WINDOWS\\cursors\\beam_i.cur,C:\\WINDOWS\\cursors\\pen_i.cur,C:\\WINDOWS\\cursors\\no_i.cur,C:\\WINDOWS\\cursors\\size4_i.cur,C:\\WINDOWS\\cursors\\size3_i.cur,C:\\WINDOWS\\cursors\\size2_i.cur,C:\\WINDOWS\\cursors\\size1_i.cur,C:\\WINDOWS\\cursors\\move_i.cur,C:\\WINDOWS\\cursors\\up_i.cur" "Windows Inverted (large)"="C:\\WINDOWS\\cursors\\arrow_im.cur,C:\\WINDOWS\\cursors\\help_im.cur,C:\\WINDOWS\\cursors\\wait_im.cur,C:\\WINDOWS\\cursors\\busy_im.cur,C:\\WINDOWS\\cursors\\cross_im.cur,C:\\WINDOWS\\cursors\\beam_im.cur,C:\\WINDOWS\\cursors\\pen_im.cur,C:\\WINDOWS\\cursors\\no_im.cur,C:\\WINDOWS\\cursors\\size4_im.cur,C:\\WINDOWS\\cursors\\size3_im.cur,C:\\WINDOWS\\cursors\\size2_im.cur,C:\\WINDOWS\\cursors\\size1_im.cur,C:\\WINDOWS\\cursors\\move_im.cur,C:\\WINDOWS\\cursors\\up_im.cur" "Windows Inverted (extra large)"="C:\\WINDOWS\\cursors\\arrow_il.cur,C:\\WINDOWS\\cursors\\help_il.cur,C:\\WINDOWS\\cursors\\wait_il.cur,C:\\WINDOWS\\cursors\\busy_il.cur,C:\\WINDOWS\\cursors\\cross_il.cur,C:\\WINDOWS\\cursors\\beam_il.cur,C:\\WINDOWS\\cursors\\pen_il.cur,C:\\WINDOWS\\cursors\\no_il.cur,C:\\WINDOWS\\cursors\\size4_il.cur,C:\\WINDOWS\\cursors\\size3_il.cur,C:\\WINDOWS\\cursors\\size2_il.cur,C:\\WINDOWS\\cursors\\size1_il.cur,C:\\WINDOWS\\cursors\\move_il.cur,C:\\WINDOWS\\cursors\\up_il.cur" "Windows Standard (large)"="C:\\WINDOWS\\cursors\\arrow_m.cur,C:\\WINDOWS\\cursors\\help_m.cur,C:\\WINDOWS\\cursors\\wait_m.cur,C:\\WINDOWS\\cursors\\busy_m.cur,C:\\WINDOWS\\cursors\\cross_m.cur,C:\\WINDOWS\\cursors\\beam_m.cur,C:\\WINDOWS\\cursors\\pen_m.cur,C:\\WINDOWS\\cursors\\no_m.cur,C:\\WINDOWS\\cursors\\size4_m.cur,C:\\WINDOWS\\cursors\\size3_m.cur,C:\\WINDOWS\\cursors\\size2_m.cur,C:\\WINDOWS\\cursors\\size1_m.cur,C:\\WINDOWS\\cursors\\move_m.cur,C:\\WINDOWS\\cursors\\up_m.cur" "Windows Standard (extra large)"="C:\\WINDOWS\\cursors\\arrow_l.cur,C:\\WINDOWS\\cursors\\help_l.cur,C:\\WINDOWS\\cursors\\wait_l.cur,C:\\WINDOWS\\cursors\\busy_l.cur,C:\\WINDOWS\\cursors\\cross_l.cur,C:\\WINDOWS\\cursors\\beam_l.cur,C:\\WINDOWS\\cursors\\pen_l.cur,C:\\WINDOWS\\cursors\\no_l.cur,C:\\WINDOWS\\cursors\\size4_l.cur,C:\\WINDOWS\\cursors\\size3_l.cur,C:\\WINDOWS\\cursors\\size2_l.cur,C:\\WINDOWS\\cursors\\size1_l.cur,C:\\WINDOWS\\cursors\\move_l.cur,C:\\WINDOWS\\cursors\\up_l.cur" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load] "speech.cpl"="" "igfxcpl.cpl"="" "replaceCPL"="nvtuicpl.cpl" "infocardcpl.cpl"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{2CA4F306-B280-4ab2-B5E1-1DFA3583F046}] "C:\\WINDOWS\\system32\\FlashPlayerCPLApp.cpl"=dword:0000000a [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{305CA226-D286-468e-B848-2B2E8E697B74} 2] "C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.cpl"=dword:00000004 "%SystemRoot%\\system32\\appwiz.cpl"=dword:00000008 "%SystemRoot%\\system32\\access.cpl"=dword:00000007 "%SystemRoot%\\system32\\desk.cpl"=dword:00000001 "%SystemRoot%\\system32\\hdwwiz.cpl"=dword:ffffffff "%SystemRoot%\\system32\\inetcpl.cpl"="3,10" "%SystemRoot%\\system32\\intl.cpl"=dword:00000006 "%SystemRoot%\\system32\\irprops.cpl"=dword:00000002 "%SystemRoot%\\system32\\joy.cpl"=dword:00000002 "%SystemRoot%\\system32\\main.cpl"=dword:00000002 "%SystemRoot%\\system32\\mmsys.cpl"=dword:00000004 "%SystemRoot%\\system32\\ncpa.cpl"=dword:00000003 "%SystemRoot%\\system32\\nwc.cpl"=dword:00000000 "%SystemRoot%\\system32\\nusrmgr.cpl"=dword:00000009 "%SystemRoot%\\system32\\odbccp32.cpl"=dword:00000000 "%SystemRoot%\\system32\\powercfg.cpl"=dword:00000005 "%SystemRoot%\\system32\\sticpl.cpl"=dword:00000002 "%SystemRoot%\\system32\\sysdm.cpl"="5" "%SystemRoot%\\system32\\telephon.cpl"=dword:00000002 "%SystemRoot%\\system32\\timedate.cpl"=dword:00000006 "c:\\Program Files\\Microsoft Plus! Digital Media Edition\\Alarm Clock\\AlarmClockPlugin.dll"=dword:00000006 "C:\\Program Files\\Common Files\\SYSTEM\\MSMAPI\\1033\\MLCFG32.CPL"=dword:00000009 "%SystemRoot%\\System32\\Firewall.cpl"="3,10" "%SystemRoot%\\System32\\NetSetup.cpl"=dword:00000003 "%SystemRoot%\\System32\\wuaucpl.cpl"=dword:0000000a "%SystemRoot%\\System32\\bthprops.cpl"="2,3" "%SystemRoot%\\System32\\wscui.cpl"=dword:ffffffff "%SystemRoot%\\system32\\RedSwoosh.cpl"=dword:00000003 "C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl"=dword:0000000a [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:Default_Monitor:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0000,0] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:Default_Monitor:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0000,0\1024x768 x 60Hz] "32 bpp"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:Default_Monitor:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0000,0\1280x1024 x 60Hz] "32 bpp"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:Default_Monitor:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0000,0\800x600 x 60Hz] "16 bpp"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:MAG4518:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0001,0] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:MAG4518:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0001,0\1024x768 x 60Hz] "32 bpp"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:MAG4518:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0001,0\800x600 x 60Hz] "16 bpp"=dword:00000001 "32 bpp"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:VSCB01C:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0002,0] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:VSCB01C:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0002,0\1024x768 x 60Hz] "32 bpp"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:VSCB01C:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0002,0\1280x1024 x 60Hz] "32 bpp"=dword:00000001 "16 bpp"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Video\PCI:VEN_1106&DEV_7205&SUBSYS_81181043&REV_01\Monitor:VSCB01C:{4D36E96E-E325-11CE-BFC1-08002BE10318}:0002,0\800x600 x 60Hz] "32 bpp"=dword:00000001 "16 bpp"=dword:00000001

Your previous instructions un-installed combofix just fine - I just didn't follow them the first time and clicked on the desktop icon instead...oops. Below is one of the files you requested. The batch file didn't find the other one. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls] "Speech"="C:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.cpl" "AlarmClock"="c:\\Program Files\\Microsoft Plus! Digital Media Edition\\Alarm Clock\\AlarmClockPlugin.dll" "Internet Connection Firewall"="Firewall.cpl" "NetSetupWizard"="NetSetup.cpl" "QuickTime"="C:\\Program Files\\QuickTime\\QTSystem\\QuickTime.cpl" "Avira AntiVir Personal - Free Antivirus "="C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl" "Avira AntiVir Personal"="C:\\PROGRA~1\\Avira\\ANTIVI~1\\avconfig.cpl" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\inetcpl.cpl] "RunLevel"=dword:00000000

Thank you very much - I experimented with the buffer settings in Silverlight and found that setting the buffer rate to 512 and then returning the play bar to the beginning will immediatly reset the playback speed and give consistant smooth playback. Before I added RAM the CPU was up around 90-100% trying to page the file buffer and there was very little free RAM. Now the CPU is around 60-80% and there is always 300-400MB free memory. My Uverse download tests at 5MbPS so the bottleneck must be in my computer somewhere. Maybe my graphics card isn't up to the task? I have manually updated all the critical files you mentioned and I update and run either malwarebytes or avira every night. Do you have any comments about the constant I/O activity of lsass? Red Swoosh links to: C:\WINDOWS\system32\RedSwoosh.cpl which doesn't exist anymore. I don't see how to get the icon out of control panel. Other than those two concerns, it looks like a clean computer to me. I mistakenly activated combofix instead of removing it so I'm including the scan below FYI. . ------- Supplementary Scan ------- . uStart Page = about:blank uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk Trusted Zone: ameritrade.com Trusted Zone: tdameritrade.com TCP: DhcpNameServer = 192.168.1.254 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\ FF - prefs.js: browser.startup.homepage - yahoo.com FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696} FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-06-28 12:00 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-788326353-1235890415-2902446982-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(1332) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2011-06-28 12:05:37 ComboFix-quarantined-files.txt 2011-06-28 19:05 ComboFix2.txt 2011-06-25 00:27 ComboFix3.txt 2011-06-24 17:48 ComboFix4.txt 2011-06-23 20:39 ComboFix5.txt 2011-06-28 18:42 . Pre-Run: 51,265,802,240 bytes free Post-Run: 51,326,750,720 bytes free . - - End Of File - - 930B65C8B79D938C78E06E62F295CF92

Although the system generally seems a bit snappier (considerably so since I installed another memory stick today) the problem that led me to turn off avira guard and get infected with a lot of this malware to begin with persists: When I watch Netflix - the image is jumpy and the sound gets out of sync. I've talked to Netflix support and they claim it is because my CPU is running at maximum. They told me that Microsoft Silverwhatever requires a 1.2Mhz processor and 512 RAM. I had one 512 stick in and just put in a second one today (maxes my bios). My CPU runs at 2.2Mhz. Yet the picture and sound is still terrible. I did not used to have this problem - it used to be fine (before Silverwhatever). Clearly my internet connection isn't the bottleneck as the loading always leads the playback considerably. I continue to think that something is consuming resources. Even when the system should be completely quiet - nothing obviously running or loaded there is a constant low level of CPU usage, I/O activity and disk access. When I check processes -lsass, csrss, avgnt and avguard are all clicking away at around 300k I/O every couple of seconds. This doesn't strike me as "normal". Can you help with this?

Wow! I mean: WOW!!! What is this tool and how can it find all these things that the others didn't? I haven't deleted these files yet - just in case there are any false detections. I'm assuming Qoobox is the quarantine files from the previous tool? Should I delete these files? I updated Java and Adobe which is good - I want to get the system as bulletproof as possible. Java installed jqs.exe again and I want to disable it. I want all of the automatic updates disabled so I know what is going on. I'm REALLY tired of unexplained, unidentified activity suddenly taking over the computer. The Adobe updater is as bad as a virus. Avira isn't much better. I have an artifact in the control panel from "Red Swoosh" that I would like to get rid of. The target directory seems to be deleted, but I can't figure out how to remove the icon from control panel. This computer has been used by my kids (they now have their own and are banned). I would like to remove all of their games (particularly the online interactive ones) and any file sharing programs they may have installed. Thank you very much for directing me on this - obviously I was out of my depth with the hidden viruses. C:\Documents and Settings\Owner\My Documents\My Downloads\Gunbound_GIS_WC_518.exe probably a variant of Win32/Agent.GTZDBXT trojan deleted - quarantined C:\Downloads\AgeOfCastles_Setup-dm[1].exe a variant of Win32/Adware.Trymedia application cleaned by deleting - quarantined C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined C:\Program Files\Mozilla Firefox\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined C:\Qoobox\Quarantine\[4]-Submit_2011-06-24_11.19.03.zip a variant of Win32/Kryptik.OKQ trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{25ee2c34-16fb-4cb2-b32e-4dbc1298f127}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{25ee2c34-16fb-4cb2-b32e-4dbc1298f127}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8d61d86d-100c-4b04-83b1-077e18540ae0}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8d61d86d-100c-4b04-83b1-077e18540ae0}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\chrome\xulcache.jar.vir JS/Agent.NDB trojan deleted - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak1.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.bak2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\klnmp.tmp.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP403\A0023571.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP404\A0023645.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP404\A0023788.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP405\A0023929.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP407\A0024330.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP408\A0024358.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP409\A0025382.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP410\A0025390.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP413\A0025978.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP414\A0026070.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP414\A0027089.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP417\A0027121.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP418\A0028113.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP419\A0028161.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028451.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028452.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028453.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028454.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028455.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028456.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028457.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028458.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028459.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028460.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028461.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028462.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0028468.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP422\A0028736.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP426\A0029633.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP426\A0029880.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP426\A0030346.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP426\A0030357.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030377.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030464.exe probably a variant of Win32/Agent.BWFKHA trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030481.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0031625.exe a variant of Win32/Adware.Trymedia application cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0031626.exe Win32/PrcView application cleaned by deleting - quarantined C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0031627.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined C:\WINDOWS\pss\PowerReg Scheduler.exeStartup Win32/PowerReg application cleaned by deleting - quarantined

I am somewhat dismayed by this Avira scan - but I may have picked them up from a bad site while testing google. Are "hidden" files automatically bad news? Avira AntiVir Personal Report file date: Saturday, June 25, 2011 01:21 Scanning for 2825893 virus strains and unwanted programs. The program is running as an unrestricted full version. Online services are available: Licensee : Avira AntiVir Personal - FREE Antivirus Serial number : 0000149996-ADJIE-0000001 Platform : Windows XP Windows version : (Service Pack 3) [5.1.2600] Boot mode : Normally booted Username : SYSTEM Computer name : BOYSROOM Version information: BUILD.DAT : 10.0.0.650 31822 Bytes 6/17/2011 15:43:00 AVSCAN.EXE : 10.0.4.2 442024 Bytes 4/2/2011 00:07:43 AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/2/2011 00:07:57 LUKE.DLL : 10.0.3.2 104296 Bytes 4/2/2011 00:07:53 LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49 VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36 VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 23:15:47 VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 23:15:47 VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 04:16:22 VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 04:16:30 VBASE005.VDF : 7.11.8.179 2048 Bytes 5/31/2011 04:16:30 VBASE006.VDF : 7.11.8.180 2048 Bytes 5/31/2011 04:16:30 VBASE007.VDF : 7.11.8.181 2048 Bytes 5/31/2011 04:16:31 VBASE008.VDF : 7.11.8.182 2048 Bytes 5/31/2011 04:16:31 VBASE009.VDF : 7.11.8.183 2048 Bytes 5/31/2011 04:16:31 VBASE010.VDF : 7.11.8.184 2048 Bytes 5/31/2011 04:16:32 VBASE011.VDF : 7.11.8.185 2048 Bytes 5/31/2011 04:16:32 VBASE012.VDF : 7.11.8.186 2048 Bytes 5/31/2011 04:16:32 VBASE013.VDF : 7.11.8.222 121856 Bytes 6/2/2011 04:16:32 VBASE014.VDF : 7.11.9.7 134656 Bytes 6/4/2011 04:16:33 VBASE015.VDF : 7.11.9.42 136192 Bytes 6/6/2011 04:16:34 VBASE016.VDF : 7.11.9.72 117248 Bytes 6/7/2011 04:16:34 VBASE017.VDF : 7.11.9.107 130560 Bytes 6/9/2011 04:16:35 VBASE018.VDF : 7.11.9.143 132096 Bytes 6/10/2011 04:16:36 VBASE019.VDF : 7.11.9.172 141824 Bytes 6/14/2011 04:16:37 VBASE020.VDF : 7.11.9.214 144896 Bytes 6/15/2011 04:16:37 VBASE021.VDF : 7.11.9.244 196608 Bytes 6/16/2011 04:16:39 VBASE022.VDF : 7.11.10.28 152576 Bytes 6/20/2011 03:55:58 VBASE023.VDF : 7.11.10.53 210432 Bytes 6/21/2011 03:55:58 VBASE024.VDF : 7.11.10.88 132096 Bytes 6/24/2011 09:16:23 VBASE025.VDF : 7.11.10.89 2048 Bytes 6/24/2011 09:16:23 VBASE026.VDF : 7.11.10.90 2048 Bytes 6/24/2011 09:16:23 VBASE027.VDF : 7.11.10.91 2048 Bytes 6/24/2011 09:16:24 VBASE028.VDF : 7.11.10.92 2048 Bytes 6/24/2011 09:16:24 VBASE029.VDF : 7.11.10.93 2048 Bytes 6/24/2011 09:16:24 VBASE030.VDF : 7.11.10.94 2048 Bytes 6/24/2011 09:16:24 VBASE031.VDF : 7.11.10.104 52224 Bytes 6/24/2011 08:18:40 Engineversion : 8.2.5.24 AEVDF.DLL : 8.1.2.1 106868 Bytes 3/28/2011 23:15:27 AESCRIPT.DLL : 8.1.3.65 1606010 Bytes 6/18/2011 04:16:55 AESCN.DLL : 8.1.7.2 127349 Bytes 3/28/2011 23:15:27 AESBX.DLL : 8.2.1.34 323957 Bytes 6/18/2011 04:16:56 AERDL.DLL : 8.1.9.9 639347 Bytes 3/25/2011 19:21:38 AEPACK.DLL : 8.2.6.9 557429 Bytes 6/18/2011 04:16:53 AEOFFICE.DLL : 8.1.1.25 205178 Bytes 6/18/2011 04:16:52 AEHEUR.DLL : 8.1.2.132 3567992 Bytes 6/24/2011 09:16:30 AEHELP.DLL : 8.1.17.2 246135 Bytes 6/18/2011 04:16:44 AEGEN.DLL : 8.1.5.6 401780 Bytes 6/18/2011 04:16:44 AEEMU.DLL : 8.1.3.0 393589 Bytes 3/28/2011 23:15:19 AECORE.DLL : 8.1.21.1 196983 Bytes 6/18/2011 04:16:43 AEBB.DLL : 8.1.1.0 53618 Bytes 3/28/2011 23:15:19 AVWINLL.DLL : 10.0.0.0 19304 Bytes 3/28/2011 23:15:31 AVPREF.DLL : 10.0.0.0 44904 Bytes 4/2/2011 00:07:42 AVREP.DLL : 10.0.0.10 174120 Bytes 6/18/2011 04:16:58 AVREG.DLL : 10.0.3.2 53096 Bytes 4/2/2011 00:07:42 AVSCPLR.DLL : 10.0.4.2 84840 Bytes 4/2/2011 00:07:43 AVARKT.DLL : 10.0.22.6 231784 Bytes 4/2/2011 00:07:38 AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 4/2/2011 00:07:41 SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 22:27:22 AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/28/2011 23:15:30 NETNT.DLL : 10.0.0.0 11624 Bytes 3/28/2011 23:15:39 RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 4/2/2011 00:07:58 RCTEXT.DLL : 10.0.58.0 97128 Bytes 3/28/2011 23:15:52 Configuration settings for the scan: Jobname.............................: Complete system scan Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp Logging.............................: low Primary action......................: interactive Secondary action....................: ignore Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: C:, D:, Process scan........................: on Extended process scan...............: on Scan registry.......................: on Search for rootkits.................: on Integrity checking of system files..: off Scan all files......................: All files Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: medium Start of the scan: Saturday, June 25, 2011 01:21 Starting search for hidden objects. c:\windows\system32\ntmsdata\ntmsjrnl c:\windows\system32\ntmsdata\ntmsjrnl [NOTE] The file is not visible. HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist [NOTE] The registry entry is invisible. The scan of running processes will be started Scan process 'msdtc.exe' - '42' Module(s) have been scanned Scan process 'dllhost.exe' - '63' Module(s) have been scanned Scan process 'dllhost.exe' - '47' Module(s) have been scanned Scan process 'vssvc.exe' - '50' Module(s) have been scanned Scan process 'avscan.exe' - '72' Module(s) have been scanned Scan process 'avcenter.exe' - '64' Module(s) have been scanned Scan process 'svchost.exe' - '41' Module(s) have been scanned Scan process 'ctfmon.exe' - '27' Module(s) have been scanned Scan process 'avgnt.exe' - '47' Module(s) have been scanned Scan process 'AGRSMMSG.exe' - '21' Module(s) have been scanned Scan process 'ALCXMNTR.EXE' - '33' Module(s) have been scanned Scan process 'hpcmpmgr.exe' - '41' Module(s) have been scanned Scan process 'hphmon05.exe' - '25' Module(s) have been scanned Scan process 'hpsysdrv.exe' - '16' Module(s) have been scanned Scan process 'ps2.exe' - '21' Module(s) have been scanned Scan process 'ybrwicon.exe' - '27' Module(s) have been scanned Scan process 'alg.exe' - '33' Module(s) have been scanned Scan process 'avshadow.exe' - '28' Module(s) have been scanned Scan process 'HPZipm12.exe' - '20' Module(s) have been scanned Scan process 'McciCMService.exe' - '29' Module(s) have been scanned Scan process 'SAgent2.exe' - '30' Module(s) have been scanned Scan process 'avguard.exe' - '57' Module(s) have been scanned Scan process 'agrsmsvc.exe' - '13' Module(s) have been scanned Scan process 'svchost.exe' - '37' Module(s) have been scanned Scan process 'sched.exe' - '55' Module(s) have been scanned Scan process 'spoolsv.exe' - '65' Module(s) have been scanned Scan process 'Explorer.EXE' - '117' Module(s) have been scanned Scan process 'svchost.exe' - '39' Module(s) have been scanned Scan process 'svchost.exe' - '34' Module(s) have been scanned Scan process 'svchost.exe' - '32' Module(s) have been scanned Scan process 'svchost.exe' - '172' Module(s) have been scanned Scan process 'svchost.exe' - '42' Module(s) have been scanned Scan process 'svchost.exe' - '53' Module(s) have been scanned Scan process 'lsass.exe' - '60' Module(s) have been scanned Scan process 'services.exe' - '29' Module(s) have been scanned Scan process 'winlogon.exe' - '69' Module(s) have been scanned Scan process 'csrss.exe' - '16' Module(s) have been scanned Scan process 'smss.exe' - '2' Module(s) have been scanned Starting master boot sector scan: Master boot sector HD0 [iNFO] No virus was found! Master boot sector HD1 [iNFO] No virus was found! Master boot sector HD2 [iNFO] No virus was found! Master boot sector HD3 [iNFO] No virus was found! Master boot sector HD4 [iNFO] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [iNFO] No virus was found! Boot sector 'D:\' [iNFO] No virus was found! Starting to scan executable files (registry). The registry was scanned ( '2194' files ). Starting the file scan: Begin scan in 'C:\' <HP_PAVILION> C:\Qoobox\Quarantine\C\WINDOWS\system32\Audio3D32.dll.vir [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030554.dll [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm Begin scan in 'D:\' <HP_RECOVERY> Beginning disinfection: C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0030554.dll [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm [NOTE] The file was moved to the quarantine directory under the name '4727ae44.qua'. C:\Qoobox\Quarantine\C\WINDOWS\system32\Audio3D32.dll.vir [DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm [NOTE] The file was moved to the quarantine directory under the name '5fec8038.qua'. End of the scan: Saturday, June 25, 2011 09:19 Used time: 5:06:00 Hour(s) The scan has been done completely. 18480 Scanned directories 820247 Files were scanned 2 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 2 Files were moved to quarantine 0 Files were renamed 0 Files cannot be scanned 820245 Files not concerned 22892 Archives were scanned 0 Warnings 4 Notes 772775 Objects were scanned with rootkit scan 2 Hidden objects were found

After a fair amount of googling - there is no redirect! fsharproj has similarly left the playing field and hasn't re-appeared. I have rebooted and re-scanned to make sure. Thank you for getting rid of these pesky critters. I am somewhat dismayed by this Avira scan - but I may have picked them up from a bad site while testing google. Are "hidden" files automatically bad news? Thanks, Doug

Okay - here is the new combofix log: ComboFix 11-06-24.02 - Owner 06/24/2011 11:19:17.4.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.171 [GMT -7:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} . file zipped: c:\windows\system32\Audio3D32.dll file zipped: c:\windows\system32\ialmrnt532.dll . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c5a2036-5464-4fa1-a6b1-969c9b478d42}\install.rdf c:\windows\system32\Audio3D32.dll c:\windows\system32\ialmrnt532.dll . . ((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 ))))))))))))))))))))))))))))))) . . 2011-06-23 02:17 . 2011-06-23 11:24 -------- d-----w- C:\7dea6ba6796f9aaaffcde647872d 2011-06-22 04:46 . 2011-06-22 04:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10 2011-06-22 04:40 . 2011-06-22 04:40 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2011-06-22 04:30 . 2011-06-23 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2011-06-22 04:27 . 2011-06-22 04:27 -------- d-----w- c:\program files\AVG 2011-06-22 04:16 . 2011-06-23 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2011-06-18 04:24 . 2011-06-18 04:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira 2011-06-18 04:11 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-06-18 04:11 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-06-18 04:11 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-06-18 04:11 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\program files\Avira 2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-06-18 03:46 . 2011-06-23 11:24 -------- d-----w- C:\f4ee5476ce7ade7fe1ed707ca5 2011-06-15 04:42 . 2011-06-15 04:42 0 ---ha-w- c:\documents and settings\Owner\ixgketsqzg.tmp 2011-06-14 21:16 . 2011-06-24 14:02 -------- d-----w- c:\windows\system32\NtmsData . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-29 16:11 . 2008-08-10 05:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-05-29 16:11 . 2008-08-10 05:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-05-02 15:31 . 2003-03-04 06:57 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 16:19 . 2004-04-01 04:49 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11 . 2004-01-22 07:16 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11 . 2004-05-20 17:52 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11 . 2004-05-20 17:52 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37 . 2004-05-20 17:31 105472 ----a-w- c:\windows\system32\drivers\mup.sys 1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL 1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL 1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792] "YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344] "VTTimer"="VTTimer.exe" [2005-03-08 53248] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472] "PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736] "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344] "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-11-20 135680] . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify] 2004-01-09 09:34 32768 ----a-w- c:\program files\HP\Digital Imaging\bin\BackupNotify.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge] 2006-11-20 20:55 380928 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "wuauserv"=2 (0x2) "JavaQuickStarterService"=2 (0x2) "AntiVirService"=2 (0x2) "AntiVirSchedulerService"=2 (0x2) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\dpvsetup.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"= "c:\\Program Files\\Age Of Empires II\\age2_x1.exe"= "c:\\Program Files\\Apprentice\\Appr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\LieroX\\LieroX v0.56 Pack 1.8\\LieroX.exe"= "c:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"= "c:\\WINDOWS\\system32\\dplaysvr.exe"= "c:\\WINDOWS\\system32\\dpnsvr.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Starcraft\\StarCraft.exe"= "c:\\Program Files\\WoS\\Souls.exe"= "c:\\Program Files\\Xfire\\xfire.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "9420:TCP"= 9420:TCP:*:Disabled:Red Swoosh "23400:TCP"= 23400:TCP:*:Disabled:LieroX "23400:UDP"= 23400:UDP:*:Disabled:Liero2 "5000:UDP"= 5000:UDP:*:Disabled:Red Swoosh . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) . R1 EPPSCSIx;EPPSCSIx;c:\windows\system32\drivers\EPPSCSI.SYS [12/16/2004 1:58 AM 49628] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2011 9:11 PM 136360] S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 7:30 PM 95232] S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [11/20/2004 8:24 PM 17976] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/9/2008 10:10 PM 39984] . Contents of the 'Scheduled Tasks' folder . 2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17] . 2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17] . . ------- Supplementary Scan ------- . uStart Page = about:blank uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk Trusted Zone: ameritrade.com Trusted Zone: tdameritrade.com TCP: DhcpNameServer = 192.168.1.254 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\ FF - prefs.js: browser.startup.homepage - yahoo.com FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696} FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-06-24 11:45 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-788326353-1235890415-2902446982-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(1264) c:\windows\system32\WININET.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\agrsmsvc.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\program files\Common Files\Motive\McciCMService.exe c:\windows\system32\HPZipm12.exe c:\windows\system32\VTTimer.exe c:\windows\ALCXMNTR.EXE c:\windows\AGRSMMSG.exe . ************************************************************************** . Completion time: 2011-06-24 12:05:37 - machine was rebooted ComboFix-quarantined-files.txt 2011-06-24 19:05 ComboFix2.txt 2011-06-24 17:48 ComboFix3.txt 2011-06-23 20:39 ComboFix4.txt 2011-06-23 06:39 . Pre-Run: 45,981,671,424 bytes free Post-Run: 45,966,245,888 bytes free . - - End Of File - - 124AEDDBC1DDA2DFEC88666390E77849 Upload was successful

I tried Google - and it was initially okay, but soon reverted to redirections. I ran a Malwarebytes scan and it still found fsharproj. On the good side, the computer seems to be running a little faster and cleaner than it has recently. Here is the mbam file: Malwarebytes' Anti-Malware 1.51.0.1200 www.malwarebytes.org Database version: 6932 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 6/23/2011 11:19:46 PM mbam-log-2011-06-23 (23-19-46).txt Scan type: Quick scan Objects scanned: 167005 Time elapsed: 24 minute(s), 13 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

Elise - I agree - AVG and Avira did not play nicely together. I had hoped to be able to disable AVG's guard function and just use it as another trojan finder - but it (at least the free version) would not allow that. It found two trojans that neither Avira or Malwarebytes found. Combofix refused to run while it was installed so it was actually uninstalled before the first Combofix report. I do have Malware Bytes installed and it plays well with Avira. I won't bother with AVG again. I ran what you requested and the log is below. Combofix upgraded to a newer version before I ran it. Thank you for your help - I was very frustrated. Doug ComboFix 11-06-23.01 - Owner 06/23/2011 13:09:07.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.211 [GMT -7:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt.lnk AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{92ba9379-b78a-45cb-97ac-05432a5dbbca}\install.rdf . . ((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 ))))))))))))))))))))))))))))))) . . 2011-06-23 02:17 . 2011-06-23 11:24 -------- d-----w- C:\7dea6ba6796f9aaaffcde647872d 2011-06-22 04:46 . 2011-06-22 04:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10 2011-06-22 04:40 . 2011-06-22 04:40 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2011-06-22 04:30 . 2011-06-23 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2011-06-22 04:27 . 2011-06-22 04:27 -------- d-----w- c:\program files\AVG 2011-06-22 04:16 . 2011-06-23 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2011-06-18 04:24 . 2011-06-18 04:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira 2011-06-18 04:11 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-06-18 04:11 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-06-18 04:11 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-06-18 04:11 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\program files\Avira 2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-06-18 03:46 . 2011-06-23 11:24 -------- d-----w- C:\f4ee5476ce7ade7fe1ed707ca5 2011-06-15 04:42 . 2011-06-15 04:42 0 ---ha-w- c:\documents and settings\Owner\ixgketsqzg.tmp 2011-06-14 21:16 . 2011-06-23 00:04 -------- d-----w- c:\windows\system32\NtmsData 2011-06-13 09:51 . 2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll 2011-06-13 09:50 . 2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-29 16:11 . 2008-08-10 05:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-05-29 16:11 . 2008-08-10 05:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-05-02 15:31 . 2003-03-04 06:57 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 16:19 . 2004-04-01 04:49 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11 . 2004-01-22 07:16 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11 . 2004-05-20 17:52 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11 . 2004-05-20 17:52 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37 . 2004-05-20 17:31 105472 ----a-w- c:\windows\system32\drivers\mup.sys 1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL 1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL 1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014F2DCA-54A8-4544-8766-9C98A03A343f}] 2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4BE1CF-7EA5-A953-5C94-A43862A54CF4}] 2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792] "YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344] "VTTimer"="VTTimer.exe" [2005-03-08 53248] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472] "PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736] "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344] "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-11-20 135680] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\ialmrnt532.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify] 2004-01-09 09:34 32768 ----a-w- c:\program files\HP\Digital Imaging\bin\BackupNotify.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge] 2006-11-20 20:55 380928 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "wuauserv"=2 (0x2) "JavaQuickStarterService"=2 (0x2) "AntiVirService"=2 (0x2) "AntiVirSchedulerService"=2 (0x2) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\dpvsetup.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"= "c:\\Program Files\\Age Of Empires II\\age2_x1.exe"= "c:\\Program Files\\Apprentice\\Appr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\LieroX\\LieroX v0.56 Pack 1.8\\LieroX.exe"= "c:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"= "c:\\WINDOWS\\system32\\dplaysvr.exe"= "c:\\WINDOWS\\system32\\dpnsvr.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Starcraft\\StarCraft.exe"= "c:\\Program Files\\WoS\\Souls.exe"= "c:\\Program Files\\Xfire\\xfire.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "9420:TCP"= 9420:TCP:*:Disabled:Red Swoosh "23400:TCP"= 23400:TCP:*:Disabled:LieroX "23400:UDP"= 23400:UDP:*:Disabled:Liero2 "5000:UDP"= 5000:UDP:*:Disabled:Red Swoosh . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) . R1 EPPSCSIx;EPPSCSIx;c:\windows\system32\drivers\EPPSCSI.SYS [12/16/2004 1:58 AM 49628] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2011 9:11 PM 136360] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/13/2010 12:17 AM 136176] S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 7:30 PM 95232] S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [11/20/2004 8:24 PM 17976] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/13/2010 12:17 AM 136176] . Contents of the 'Scheduled Tasks' folder . 2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17] . 2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17] . . ------- Supplementary Scan ------- . uStart Page = about:blank uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk Trusted Zone: ameritrade.com Trusted Zone: tdameritrade.com TCP: DhcpNameServer = 192.168.1.254 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\ FF - prefs.js: browser.startup.homepage - yahoo.com FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696} FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff . - - - - ORPHANS REMOVED - - - - . MSConfigStartUp-KBD - c:\hp\KBD\KBD.EXE . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-06-23 13:30 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-788326353-1235890415-2902446982-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . Completion time: 2011-06-23 13:39:19 ComboFix-quarantined-files.txt 2011-06-23 20:39 ComboFix2.txt 2011-06-23 06:39 . Pre-Run: 45,486,866,432 bytes free Post-Run: 45,482,061,824 bytes free . - - End Of File - - 2549C7EA5C004DB62813BE0BA18DA1F9

Thanks, Elise - I was beginning to feel overlooked... I ran combofix - It sure seems to do a lot of stuff. I haven't checked to see if my original problems are gone yet, but Internet Explorer didn't want to open, although Mozella opened right up. IE finally opened on the third try. Thanks for your help - it looks like my computer had a lot of garbage on it, in spite of running two different virus programs. Doug Here is the log: ComboFix 11-06-22.02 - Owner 06/22/2011 22:40:52.1.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.136 [GMT -7:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\Default User\WINDOWS c:\documents and settings\Owner\Application Data\Microsoft\~DFK1dc1551.tmp c:\documents and settings\Owner\Application Data\Microsoft\1eaadjc.dll c:\documents and settings\Owner\Application Data\Microsoft\bass.dll c:\documents and settings\Owner\Application Data\Microsoft\kfgresk.dll c:\documents and settings\Owner\Application Data\Microsoft\mjcriu.dll c:\documents and settings\Owner\Application Data\Microsoft\peaadje.dll c:\documents and settings\Owner\Application Data\Microsoft\qwadjb.dll c:\documents and settings\Owner\Application Data\Microsoft\rsaadjd.dll c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{1d3ba1a6-5777-49ad-8b95-1dac137eec86}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe}\install.rdf c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2} c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\chrome.manifest c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\chrome\xulcache.jar c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\defaults\preferences\xulcache.js c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2}\install.rdf c:\documents and settings\Owner\jaudioMp3Win.tar c:\documents and settings\Owner\Local Settings\Temporary Internet Files\mcc3C.tmp c:\documents and settings\Owner\RedSwoosh-2.115-115.dll c:\documents and settings\Owner\WINDOWS c:\program files\CleanUp c:\program files\CleanUp\Help\English.Resident.chm c:\program files\CleanUp\HijackThis\HijackThis.exe c:\program files\CleanUp\Includes\Adware.sbi c:\program files\CleanUp\Includes\AdwareC.sbi c:\program files\CleanUp\Includes\DialerC.sbi c:\program files\CleanUp\Includes\HeavyDuty.sbi c:\program files\CleanUp\Includes\HijackersC.sbi c:\program files\CleanUp\Includes\KeyloggersC.sbi c:\program files\CleanUp\Includes\MalwareC.sbi c:\program files\CleanUp\Includes\PUPS.sbi c:\program files\CleanUp\Includes\PUPSC.sbi c:\program files\CleanUp\Includes\SecurityC.sbi c:\program files\CleanUp\Includes\Services.sbs c:\program files\CleanUp\Includes\SpybotsC.sbi c:\program files\CleanUp\Includes\Spyware.sbi c:\program files\CleanUp\Includes\SpywareC.sbi c:\program files\CleanUp\Includes\TrojansC.sbi c:\program files\CleanUp\Plugins\TCPIPAddress.dll c:\program files\CleanUp\Updates\advcheck.zip c:\program files\CleanUp\Updates\clsid.zip c:\program files\CleanUp\Updates\help.english.zip c:\program files\CleanUp\Updates\helpres.english.zip c:\program files\CleanUp\Updates\includes.zip c:\program files\CleanUp\Updates\lang.english.zip c:\program files\CleanUp\Updates\mainapp160.zip c:\program files\CleanUp\Updates\online.ini c:\program files\CleanUp\Updates\plugtcpip.zip c:\program files\CleanUp\Updates\sbsd160upd.exe c:\program files\CleanUp\Updates\startup.zip c:\windows\system32\config\systemprofile\WINDOWS c:\windows\system32\klnmp.bak1 c:\windows\system32\klnmp.bak2 c:\windows\system32\klnmp.ini c:\windows\system32\klnmp.tmp D:\Autorun.inf . ----- BITS: Possible infected sites ----- . hxxp://au.downloj+|Cv+@J:NGD_DQ{zcxLJS@5dBt+fj.WU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHMs hxxp://a . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_ZESOFT . . ((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 ))))))))))))))))))))))))))))))) . . 2011-06-23 02:17 . 2011-06-23 02:17 -------- d-----w- C:\7dea6ba6796f9aaaffcde647872d 2011-06-22 04:46 . 2011-06-22 04:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10 2011-06-22 04:40 . 2011-06-22 04:40 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2011-06-22 04:30 . 2011-06-23 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2011-06-22 04:27 . 2011-06-22 04:27 -------- d-----w- c:\program files\AVG 2011-06-22 04:16 . 2011-06-23 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2011-06-18 04:24 . 2011-06-18 04:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira 2011-06-18 04:11 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-06-18 04:11 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-06-18 04:11 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-06-18 04:11 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\program files\Avira 2011-06-18 04:10 . 2011-06-18 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-06-18 03:46 . 2011-06-18 03:46 -------- d-----w- C:\f4ee5476ce7ade7fe1ed707ca5 2011-06-15 04:42 . 2011-06-15 04:42 0 ---ha-w- c:\documents and settings\Owner\ixgketsqzg.tmp 2011-06-14 21:16 . 2011-06-23 00:04 -------- d-----w- c:\windows\system32\NtmsData 2011-06-13 09:51 . 2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll 2011-06-13 09:50 . 2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-29 16:11 . 2008-08-10 05:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-05-29 16:11 . 2008-08-10 05:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-05-02 15:31 . 2003-03-04 06:57 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 16:19 . 2004-04-01 04:49 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11 . 2004-01-22 07:16 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11 . 2004-05-20 17:52 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11 . 2004-05-20 17:52 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37 . 2004-05-20 17:31 105472 ----a-w- c:\windows\system32\drivers\mup.sys 1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL 1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL 1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014F2DCA-54A8-4544-8766-9C98A03A343f}] 2011-06-13 09:50 365056 ----a-w- c:\windows\system32\Audio3D32.dll . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4BE1CF-7EA5-A953-5C94-A43862A54CF4}] 2011-06-13 09:51 167936 ----a-w- c:\windows\system32\ialmrnt532.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792] "YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344] "VTTimer"="VTTimer.exe" [2005-03-08 53248] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472] "PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736] "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664] "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344] "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-11-20 135680] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\ialmrnt532.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify] 2004-01-09 09:34 32768 ----a-w- c:\program files\HP\Digital Imaging\bin\BackupNotify.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD] 2003-02-12 03:02 61440 ----a-w- c:\hp\KBD\kbd.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge] 2006-11-20 20:55 380928 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "wuauserv"=2 (0x2) "JavaQuickStarterService"=2 (0x2) "AntiVirService"=2 (0x2) "AntiVirSchedulerService"=2 (0x2) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\RadLight Company\\RadLight 4.0\\rlkernel.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\ijji\\ENGLISH\\u_gbound.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"= "c:\\Program Files\\Age Of Empires II\\empires2.EXE"= "c:\\Program Files\\Age Of Empires II\\age2_x1.exe"= "c:\\Program Files\\Apprentice\\Appr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Infogrames Interactive\\Civilization III\\Conquests\\Civ3Conquests.exe"= "c:\\Program Files\\Gunbound\\GunboundRV\\Gunbound Revolution\\GunBound.gme"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\LieroX\\LieroX v0.56 Pack 1.8\\LieroX.exe"= "c:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"= "c:\\WINDOWS\\system32\\dplaysvr.exe"= "c:\\WINDOWS\\system32\\dpnsvr.exe"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Starcraft\\StarCraft.exe"= "c:\\Dynamix\\Tribes2\\GameData\\Tribes2.exe"= "c:\\Program Files\\WoS\\Souls.exe"= "c:\\Program Files\\Xfire\\xfire.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "9420:TCP"= 9420:TCP:*:Disabled:Red Swoosh "23400:TCP"= 23400:TCP:*:Disabled:LieroX "23400:UDP"= 23400:UDP:*:Disabled:Liero2 "5000:UDP"= 5000:UDP:*:Disabled:Red Swoosh . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) . R1 EPPSCSIx;EPPSCSIx;c:\windows\system32\drivers\EPPSCSI.SYS [12/16/2004 1:58 AM 49628] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2011 9:11 PM 136360] S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 7:30 PM 95232] S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [11/20/2004 8:24 PM 17976] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/9/2008 10:10 PM 39984] . Contents of the 'Scheduled Tasks' folder . 2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17] . 2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-13 07:17] . . ------- Supplementary Scan ------- . uStart Page = about:blank uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk Trusted Zone: ameritrade.com Trusted Zone: tdameritrade.com TCP: DhcpNameServer = 192.168.1.254 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ntdc9exx.default\ FF - prefs.js: browser.startup.homepage - yahoo.com FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696} FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff . - - - - ORPHANS REMOVED - - - - . WebBrowser-{A057A204-BACC-4D26-9F9D-3BEFCFBE6E86} - (no file) HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe AddRemove-36317AE4-57EC-4F3E-B828-009A3DD96BE8 - c:\program files\WildTangent\Apps\GameChannel\Games\36317AE4-57EC-4F3E-B828-009A3DD96BE8\Uninstall.exe AddRemove-62067F4C-84A9-45B9-8573-B90468B0A3EF - c:\program files\WildTangent\Apps\GameChannel\Games\62067F4C-84A9-45B9-8573-B90468B0A3EF\Uninstall.exe AddRemove-6723E59E-322A-417A-8E03-27A61E18253C - c:\program files\WildTangent\Apps\GameChannel\Games\6723E59E-322A-417A-8E03-27A61E18253C\Uninstall.exe AddRemove-8461-7759-5462-8226 - c:\bluimg\azureus\uninstall.exe AddRemove-8C4E79CC-03E1-43AA-9910-9A5113F24603 - c:\program files\WildTangent\Apps\GameChannel\Games\8C4E79CC-03E1-43AA-9910-9A5113F24603\Uninstall.exe AddRemove-Ant War - c:\progra~1\ANTWAR~1\UNWISE.EXE AddRemove-B8610D19-E576-4F91-8A2F-07898D9CA301 - c:\program files\WildTangent\Apps\GameChannel\Games\B8610D19-E576-4F91-8A2F-07898D9CA301\Uninstall.exe AddRemove-Battle Chess II - Chinese Chess - c:\program files\Interplay Productions\Battle Chess II - Chinese Chess\Uninst.isu AddRemove-Battle for Wesnoth_is1 - c:\program files\Wesnoth developmental\1-5-0\unins000.exe AddRemove-BFBCBAE3-8293-4215-9C4F-C2402C118EDB - c:\program files\WildTangent\Apps\GameChannel\Games\BFBCBAE3-8293-4215-9C4F-C2402C118EDB\Uninstall.exe AddRemove-C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A - c:\program files\WildTangent\Apps\GameChannel\Games\C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A\Uninstall.exe AddRemove-CampGen_is1 - c:\program files\Wesnoth developmental\CampGen\unins000.exe AddRemove-D11F7128-8CBD-408B-8BF8-034604DEDD42 - c:\program files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe AddRemove-DA44615A-C243-46A4-8E47-184CFF33CD38 - c:\program files\WildTangent\Apps\GameChannel\Games\DA44615A-C243-46A4-8E47-184CFF33CD38\Uninstall.exe AddRemove-DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292 - c:\program files\WildTangent\Apps\GameChannel\Games\DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292\Uninstall.exe AddRemove-E28167F1-3F42-40C7-9119-1D5A97444F10 - c:\program files\WildTangent\Apps\GameChannel\Games\E28167F1-3F42-40C7-9119-1D5A97444F10\Uninstall.exe AddRemove-F5215F01-DFC0-475D-A910-6F1AF94E807E - c:\program files\WildTangent\Apps\GameChannel\Games\F5215F01-DFC0-475D-A910-6F1AF94E807E\Uninstall.exe AddRemove-Final Fantasy VII - c:\program files\Square Soft AddRemove-FlashBoot_is1 - c:\bluimg\FlashBoot\unins000.exe AddRemove-LSI Soft Modem - c:\windows\agrsmdel AddRemove-PE Builder_is1 - c:\bluimg\pebuilder3110a\unins000.exe AddRemove-SBC Self Support Tool - c:\docume~1\Owner\LOCALS~1\Temp\SST\CustomUninstall.exe AddRemove-Wesnoth_is1 - c:\program files\Wesnoth stable\unins000.exe AddRemove-WinImage - c:\blusentinal image tools\winimage\winimage.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-06-22 23:12 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-788326353-1235890415-2902446982-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(540) c:\windows\system32\WININET.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\agrsmsvc.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\program files\Common Files\Motive\McciCMService.exe c:\windows\system32\HPZipm12.exe c:\windows\system32\SearchIndexer.exe c:\windows\system32\VTTimer.exe c:\windows\ALCXMNTR.EXE c:\windows\AGRSMMSG.exe . ************************************************************************** . Completion time: 2011-06-22 23:39:37 - machine was rebooted ComboFix-quarantined-files.txt 2011-06-23 06:39 . Pre-Run: 42,522,517,504 bytes free Post-Run: 42,564,423,680 bytes free . - - End Of File - - 0A3CFD7AC632D1A968AF945357FA37AE

Last Wednesday I "acquired" a Google redirect virus. This or something else seems to have loaded a lot of nasty stuff onto my computer, including something that blocked Avira from being updated. I normally run Avira constantly and run Malware Bytes frequently when I think I've been exposed. Unfortunately I did the stupid thing of turning Avira off because I thought it was making the computer really slow. I ran defogger on Thursday and have left CD emulation disabled. I have finally been able to update Avira (by removing it with the control panel, running an Avira key cleaner, and doing a fresh install). Since reloading Avira (a newer version) it has been periodically blocking attempts to access file D:\Autorun.inf. My D: partition was created by HP and only contains a copy of the operating system. After running both Malwarebytes and Avira repeatedly and alternately I have finally achieved a clean Avira scan and a nearly clean Malwarebytes scan - it still shows fsharproj and it either fails to remove it, or it gets reloaded right away. I still have the Google redirect problem, but I stopped using it and removed it as my home page. So I need to fix the redirect problem plus whatever is making fsharproj persist. I've attached the requested logs, but after running GMER for many, many hours my computer rebooted itself and ran chkdsk - losing the file. I'm not sure what kind of problem caused that. Malwarebytes' Anti-Malware 1.51.0.1200 www.malwarebytes.org Database version: 6899 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 6/20/2011 11:47:14 AM mbam-log-2011-06-20 (11-47-14).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 377754 Time elapsed: 7 hour(s), 44 minute(s), 40 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) . DDS (Ver_2011-06-12.02) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23 Run by Owner at 12:51:05 on 2011-06-20 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.158 [GMT -7:00] . AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe svchost.exe C:\WINDOWS\system32\agrsmsvc.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\Common Files\Motive\McciCMService.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Yahoo!\browser\ybrwicon.exe C:\WINDOWS\system32\VTTimer.exe C:\HP\KBD\KBD.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\System32\hphmon05.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\ALCXMNTR.EXE C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe . ============== Pseudo HJT Report =============== . uStart Page = about:blank uSearch Bar = uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll BHO: {014f2dca-54a8-4544-8766-9c98a03a343f} - c:\windows\system32\Audio3D32.dll BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: 3033dba9: {1d4be1cf-7ea5-a953-5c94-a43862a54cf4} - c:\windows\system32\ialmrnt532.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File TB: {A057A204-BACC-4D26-9F9D-3BEFCFBE6E86} - No File TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [YBrowser] c:\program files\yahoo!\browser\ybrwicon.exe mRun: [VTTimer] VTTimer.exe mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r mRun: [Reminder] "c:\windows\creator\Remind_XP.exe" mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE mRun: [PS2] c:\windows\system32\ps2.exe mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY mRun: [KBD] c:\hp\kbd\KBD.EXE mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe mRun: [HPHmon05] c:\windows\system32\hphmon05.exe mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe" mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [AlcxMonitor] ALCXMNTR.EXE mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000 IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL Trusted Zone: ameritrade.com Trusted Zone: tdameritrade.com DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.1.254 TCP: Interfaces\{B2EEDFB1-1EF7-44DD-8F85-306238AD1952} : DhcpNameServer = 192.168.1.254 Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll Notify: igfxcui - igfxsrvc.dll Notify: WRNotifier - WRLogonNTF.dll AppInit_DLLs: c:\windows\system32\ialmrnt532.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll Hosts: 127.0.0.1 www.spywareinfo.com . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\ntdc9exx.default\ FF - prefs.js: browser.startup.homepage - yahoo.com FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696} FF - Ext: Adblock: {34274bf4-1d97-a289-e984-17e546307e4f} - %profile%\extensions\{34274bf4-1d97-a289-e984-17e546307e4f} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: XUL Cache: {5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85} - %profile%\extensions\{5dd9dc6d-18cc-4c3f-bbd4-16c8eed5cc85} FF - Ext: XUL Cache: {c975d69b-e210-42b7-8a5f-8608722e8308} - %profile%\extensions\{c975d69b-e210-42b7-8a5f-8608722e8308} FF - Ext: XUL Cache: {d0bcf974-8ea8-4ac6-8023-304c7ed641dd} - %profile%\extensions\{d0bcf974-8ea8-4ac6-8023-304c7ed641dd} FF - Ext: XUL Cache: {ed16464e-0040-4e7a-beb3-bf8b3ddefcf2} - %profile%\extensions\{ed16464e-0040-4e7a-beb3-bf8b3ddefcf2} FF - Ext: XUL Cache: {8c6c368f-56a9-469e-9bb9-998825f424c8} - %profile%\extensions\{8c6c368f-56a9-469e-9bb9-998825f424c8} FF - Ext: XUL Cache: {e447c891-0f34-46b9-9d3f-ba7281df68fe} - %profile%\extensions\{e447c891-0f34-46b9-9d3f-ba7281df68fe} FF - Ext: XUL Cache: {2b747b40-3541-447d-99a1-54a43eb308a9} - %profile%\extensions\{2b747b40-3541-447d-99a1-54a43eb308a9} FF - Ext: XUL Cache: {47e7afaa-e0ac-4478-acbb-357913237b1a} - %profile%\extensions\{47e7afaa-e0ac-4478-acbb-357913237b1a} FF - Ext: XUL Cache: {504a38b5-1a04-41b3-bc96-c53e4f2e37ca} - %profile%\extensions\{504a38b5-1a04-41b3-bc96-c53e4f2e37ca} FF - Ext: XUL Cache: {43467305-1718-458f-9a8c-2dcac370f6d5} - %profile%\extensions\{43467305-1718-458f-9a8c-2dcac370f6d5} FF - Ext: XUL Cache: {5d069a26-f1db-4a26-adb1-094ee03e9ea5} - %profile%\extensions\{5d069a26-f1db-4a26-adb1-094ee03e9ea5} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff . ============= SERVICES / DRIVERS =============== . R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-17 11608] R1 EPPSCSIx;EPPSCSIx;c:\windows\system32\drivers\EPPSCSI.SYS [2004-12-16 49628] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-17 136360] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-17 269480] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-17 61960] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-13 136176] S3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [2002-7-1 95232] S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2004-11-20 17976] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-13 136176] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-8-9 39984] . =============== File Associations =============== . regfile=regedit.exe "%1" %* . =============== Created Last 30 ================ . 2011-06-18 04:24:37 -------- d-----w- c:\documents and settings\owner\application data\Avira 2011-06-18 04:11:31 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-06-18 04:10:52 -------- d-----w- c:\program files\Avira 2011-06-18 04:10:52 -------- d-----w- c:\documents and settings\all users\application data\Avira 2011-06-18 03:46:00 -------- d-----w- C:\f4ee5476ce7ade7fe1ed707ca5 2011-06-15 04:42:35 0 ---ha-w- c:\documents and settings\owner\ixgketsqzg.tmp 2011-06-14 21:16:15 -------- d-----w- c:\windows\system32\NtmsData 2011-06-13 09:51:26 167936 ----a-w- c:\windows\system32\ialmrnt532.dll 2011-06-13 09:50:35 365056 ----a-w- c:\windows\system32\Audio3D32.dll . ==================== Find3M ==================== . 2011-05-29 16:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-05-29 16:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys 1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL 1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL 1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL 1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL 1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL 1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL . ============= FINISH: 12:54:09.01 =============== attach.zip