Maniac, posted May 22, 2010 (ID:254128)

Please follow these instructions: http://www.symantec.com/norton/support/kb/...0091202133639EN

Gaughin, posted May 22, 2010 (Author, ID:254171)

> Please follow these instructions: http://www.symantec.com/norton/support/kb/...0091202133639EN

I have completed the Norton removal. CPU usage approximately the same.
Thanks
gaughin

Maniac, posted May 22, 2010 (ID:254173)

Download DDS and save it to your desktop from here or here or here.
Double click dds.scr to run the tool.
- When done, DDS will open two (2) logs: DDS.txt and Attach.txt
- Save both reports to your desktop.
Post them back to your topic.

Gaughin, posted May 23, 2010 (Author, ID:254450)

Once again, I am grateful for your help. Here are the requested logs.

Maniac, posted May 23, 2010 (ID:254526)

Step 1
Please manually delete the following folders:
c:\windows\system32\drivers\N360
c:\docume~1\alluse~1\applic~1\NortonInstaller
c:\docume~1\alluse~1\applic~1\Norton

Step 2
Please add the following to the exclusions of Avira:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Gaughin, posted May 23, 2010 (Author, ID:254733)

Here is the portion of the help that deals with these exclusions:

Configuration :: Scanner :: Scan
Exceptions

File objects to be omitted for the scanner
The list in this window contains files and paths that should not be included by the Scanner in the scan for viruses or unwanted programs.
Please enter as few exceptions as possible here and really only files that, for whatever reason, should not be included in a normal scan. We recommend that you always scan these files for viruses or unwanted programs before they are included in this list!

Note
The entries on the list must not result in more than 6000 characters in total.

Warning
These files are not included in a scan!

Note
The files included in this list are entered in the report file. Please check the report file from time to time for unscanned files, as perhaps the reason you excluded a file here no longer exists. In this case you should remove the name of this file from this list again.

Input box
In this input box you can enter the name of the file object that is not included in the on-demand scan. No file object is entered as the default setting.
The button opens a window in which you can select the required file or the required path.
When you have entered a file name with its complete path, only this file is not scanned for infection. If you have entered a file name without a path, all files with this name (irrespective of the path or drive) are not scanned.

Add
With this button, you can add the file object entered in the input box to the display window.

But when I open Avira in safe mode, I can't find an input or an add button. When I open Avira in normal mode, everything freezes up as soon as I try to open any window. Is there some aspect of adding exclusions that I am overlooking? I can not figure it out.
Thanks, I will keep looking,
gaughin

Maniac, posted May 23, 2010 (ID:254735)

What about step 1? Any change?

Gaughin, posted May 23, 2010 (Author, ID:254787)

> What about step 1? Any change?

No, no change.

Gaughin, posted May 23, 2010 (Author, ID:254788)

> No, no change.

Oh, I just figured out how to enact the exclusions (had to hit the "expert" radio button and go to a different submenu.)
Now that they are excluded, should I run another full Avira scan?
Thanks
gaughin

Maurice Naggar, posted May 23, 2010 (ID:254836)

Hello Gaughin,
I will be helping you going forward.
Yes, Expert mode in Avira is advised. And as you see, to get to Avira's Exception list.
View > Scanner
You Click Scanner > Click + Scan > Exception.

Yes, do a full scan with Avira, and next do an antirootkit search.

If your Avira AntiVir is not running in an open window already, do a RIGHT-Click on the AntiVir icon in systray. Select Start AntiVir. After the main window is open, click on "Local protection" icon.
Press (select) the Scanner button. A list of predefined scans will be shown on the right.
Click the + sign at Rootkit search.
Checkmark to select the C drive and all other drives, shown for your system.
Next, press the magnifying glass on the toolbar to start the search.
Make sure to not run any other apps while this is scanning. (No email usage or internet browsing, especially).
When it completes the scan, the results will be displayed. Save those and post back with details.
Should you ever need to view a report (later on), press Overview button, then select reports.
A list displays at right. Click the one desired. Double click it to fetch the report.

P.S. The user manual in PDF format is located at http://www.free-av.com/en/documentation/index.html
Let me know what Avira finds.

P.S.S. ONLY use the ADDReply button when starting a reply. Your topic was chock full of re-quotes and was extremely long to review !!

Gaughin, posted May 24, 2010 (Author, ID:254951)

Here's the result of the scan. Thanks for your help.
gaughin

Gaughin, posted May 24, 2010 (Author, ID:254970)

I am so sorry! Just saw the note about addreply!
gaughin

Maurice Naggar, posted May 24, 2010 (ID:254988)

What were the results? I do not see a log/report.

Step 1
1. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.
"CHECK" (turn on) Display the contents of system folders.
Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Step 3
This is to flush your Windows Automatic Updates download folder.
From main Windows Start menu, select RUN, type in
CMD <Enter-key>
type in
net stop wuauserv <Enter-key>
Use Windows Explorer. Go to C:\Windows\System32
If you have a sub-folder called * Catroot2 * (not Catroot) rename the folder to CR2OLD. Or delete everything in that folder. Just make sure you do the right one.
Still in Windows Explorer.
Your Windows folder is C:\Windows. Look at this folder
C:\Windows\SoftwareDistribution\Download <<<--- this folder
If you find files in there, delete them. That folder is where files are stored from Windows Updates downloads.

Step 4
Next: with any of your open programs closed (those that you started)
Download TFC by OldTimer to your desktop
Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
IF prompted to Reboot, reply "Yes".

Tell me, How is your system now ?

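Step 3 of the post above as a CMD batch script; this is an added example, not part of Maurice Naggar's reply. It checks whether wuauserv is running before stopping it (in Safe Mode the service is typically not started, and a bare `net stop` then reports an error), renames catroot2 to CR2OLD, and empties the update download folder. Restarting the service at the end is an assumption of this example; the post does not include that step.

```bat
@echo off
rem Added example: Step 3 of the thread as a script. Run from CMD as an administrator.
setlocal

set "CATROOT2=%SystemRoot%\System32\catroot2"
set "CR2OLD=%SystemRoot%\System32\CR2OLD"
set "DOWNLOADS=%SystemRoot%\SoftwareDistribution\Download"
set "STOPPED_BY_SCRIPT=0"

rem Query the service state first. "net stop" on a service that is not
rem started returns an error, which is harmless but easy to misread.
sc query wuauserv | find "RUNNING" >nul
if not errorlevel 1 (
    net stop wuauserv
    if errorlevel 1 (
        echo Could not stop wuauserv. Leaving the folders untouched.
        exit /b 1
    )
    set "STOPPED_BY_SCRIPT=1"
) else (
    echo wuauserv is not running. Nothing to stop.
)

rem Rename catroot2 only. The neighbouring catroot folder must stay as it is.
if exist "%CATROOT2%\" (
    if exist "%CR2OLD%\" (
        echo CR2OLD already exists. Not renaming catroot2 a second time.
    ) else (
        ren "%CATROOT2%" CR2OLD
        if errorlevel 1 echo Rename failed. The folder may be in use.
    )
) else (
    echo No catroot2 folder found. Skipping the rename.
)

rem Delete the downloaded update files and keep the Download folder itself.
if exist "%DOWNLOADS%\" (
    del /f /s /q "%DOWNLOADS%\*"
) else (
    echo No SoftwareDistribution\Download folder found.
)

rem Assumption of this example: restart the service only if this script
rem was the one that stopped it.
if "%STOPPED_BY_SCRIPT%"=="1" net start wuauserv

endlocal
```
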
Gaughin Posted May 24, 2010 Author ID:254991 Share Posted May 24, 2010 Sorry, forgot to paste it in!Avira AntiVir PersonalReport file date: Sunday, May 23, 2010 16:01Scanning for 1990003 virus strains and unwanted programs.The program is running as an unrestricted full version.Online services are available:Licensee : Avira AntiVir Personal - FREE AntivirusSerial number : 0000149996-ADJIE-0000001Platform : Windows XPWindows version : (Service Pack 3) [5.1.2600]Boot mode : Safe mode with networkUsername : David VinsonComputer name : VINSON1Version information:BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 16:29:03VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 16:29:03VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 16:29:03VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 16:29:03VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 16:29:03VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 16:29:03VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 16:29:03VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 16:29:03VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 20:43:21VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 20:24:21VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 22:41:40VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 14:25:53VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 14:39:58VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 18:01:24VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 15:24:56VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 12:04:23VBASE021.VDF 
: 7.10.5.182 108032 Bytes 3/23/2010 14:23:02VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 22:47:50VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 00:11:22VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 22:53:48VBASE025.VDF : 7.10.5.254 187904 Bytes 3/30/2010 18:56:47VBASE026.VDF : 7.10.6.18 130560 Bytes 4/1/2010 10:56:20VBASE027.VDF : 7.10.6.34 136192 Bytes 4/6/2010 14:43:55VBASE028.VDF : 7.10.6.44 232448 Bytes 4/7/2010 14:59:22VBASE029.VDF : 7.10.6.60 124416 Bytes 4/12/2010 17:43:17VBASE030.VDF : 7.10.6.61 2048 Bytes 4/12/2010 17:43:17VBASE031.VDF : 7.10.6.62 17408 Bytes 4/12/2010 17:43:17Engineversion : 8.2.1.210 AEVDF.DLL : 8.1.1.3 106868 Bytes 2/13/2010 17:16:21AESCRIPT.DLL : 8.1.3.24 1282425 Bytes 4/1/2010 21:05:26AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 23:38:41AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 16:09:47AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 16:09:47AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 17:34:51AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 16:09:46AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/26/2010 23:43:13AEHELP.DLL : 8.1.11.3 242039 Bytes 4/1/2010 21:05:25AEGEN.DLL : 8.1.3.6 373108 Bytes 4/1/2010 21:05:25AEEMU.DLL : 8.1.1.0 393587 Bytes 11/10/2009 14:04:22AECORE.DLL : 8.1.13.1 188790 Bytes 4/1/2010 21:05:25AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2009 17:15:06AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29Configuration settings for the 
scan:
Jobname.............................: Scan for Rootkits and active malware
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\rootkit.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high
Skipped files.......................: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe, C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe, C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe,

Start of the scan: Sunday, May 23, 2010 16:01

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '59' Module(s) have been scanned
Scan process 'avcenter.exe' - '93' Module(s) have been scanned
Scan process 'firefox.exe' - '74' Module(s) have been scanned
Scan process 'Explorer.EXE' - '82' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '106' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '48' Module(s) have been scanned
Scan process 'lsass.exe' - '48' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '62' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '1175' files ).

Starting the file scan:
Begin scan in 'C:'
C:\Documents and Settings\David Vinson\My Documents\Old computer data files\My Pictures\cabinet maker, jacob lawr
  [0] Archive type: MacBinary
  --> cabinet maker, jacob lawr.rsrc
  [WARNING] The file could not be read!
  [WARNING] The file could not be read!
C:\Documents and Settings\David Vinson\My Documents\Old computer data files\My Pictures\Poppy, O'Keefe
  [0] Archive type: MacBinary
  --> Poppy, O'Keefe.rsrc
  [WARNING] The file could not be read!
  [WARNING] The file could not be read!
C:\Program Files\Musicnotes\uninstsc.exe
  [DETECTION] Contains HEUR/Malware suspicious code

Beginning disinfection:
C:\Program Files\Musicnotes\uninstsc.exe
  [DETECTION] Contains HEUR/Malware suspicious code
  [NOTE] The detection was classified as suspicious.
  [NOTE] The file was moved to the quarantine directory under the name '4ef8609b.qua'.

End of the scan: Sunday, May 23, 2010 20:09
Used time: 3:56:32 Hour(s)

The scan has been done completely.
  25760 Scanned directories
  555496 Files were scanned
  0 Viruses and/or unwanted programs were found
  1 Files were classified as suspicious
  0 files were deleted
  0 Viruses and unwanted programs were repaired
  1 Files were moved to quarantine
  0 Files were renamed
  0 Files cannot be scanned
  555495 Files not concerned
  6278 Archives were scanned
  4 Warnings
  1 Notes

I will try your next procedure when Lost is over.
gaughin
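The AntiVir report in the post above can be triaged programmatically rather than by eye. The following Python is an added example, not part of the original thread or of any Avira tooling; the function name `triage`, the wording of the flags, and the one-record-per-line layout of the log are assumptions. It pairs each detection with its quarantine name and flags two things the summary counters alone do not make obvious: the driver initialization failure, and a headline count of 0 alongside a heuristic detection.

```python
import re

# Sample input: lines copied from the AntiVir report posted above, laid out
# one record per line (an assumption about the original log layout).
SAMPLE_LOG = r"""Starting search for hidden objects.
The driver could not be initialized.
C:\Program Files\Musicnotes\uninstsc.exe
  [DETECTION] Contains HEUR/Malware suspicious code
Beginning disinfection:
C:\Program Files\Musicnotes\uninstsc.exe
  [DETECTION] Contains HEUR/Malware suspicious code
  [NOTE] The detection was classified as suspicious.
  [NOTE] The file was moved to the quarantine directory under the name '4ef8609b.qua'.
     0 Viruses and/or unwanted programs were found
     1 Files were classified as suspicious
     1 Files were moved to quarantine
     4 Warnings
"""

PATH = re.compile(r"^[A-Za-z]:\\")
TAG = re.compile(r"^\s*\[(DETECTION|WARNING|NOTE)\]\s*(.*)$")
COUNTER = re.compile(r"^\s*(\d+)\s+(\S.*)$")
QUARANTINED = re.compile(r"quarantine directory under the name '([^']+)'")


def triage(log_text):
    """Return detections per file, summary counters and review flags."""
    detections, counters, flags, current = {}, {}, [], None
    for line in log_text.splitlines():
        tag, counter = TAG.match(line), COUNTER.match(line)
        if PATH.match(line):
            current = line.strip()          # object the following tags refer to
        elif tag and current:
            kind, text = tag.groups()
            if kind == "DETECTION":         # repeated in the disinfection pass
                entry = detections.setdefault(current, {"quarantine": None})
                entry["detection"] = text
                entry["heuristic"] = "HEUR/" in text
            elif kind == "NOTE" and current in detections:
                moved = QUARANTINED.search(text)
                if moved:
                    detections[current]["quarantine"] = moved.group(1)
        elif counter:
            counters[counter.group(2).strip()] = int(counter.group(1))
        elif "driver could not be initialized" in line:
            flags.append("scanner driver failed to initialize")
    suspicious = counters.get("Files were classified as suspicious", 0)
    if counters.get("Viruses and/or unwanted programs were found") == 0 and suspicious:
        flags.append("headline count is 0 but %d file(s) flagged heuristically" % suspicious)
    return {"detections": detections, "counters": counters, "flags": flags}
```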
Gaughin Posted May 24, 2010 Author ID:255213

I completed all 4 steps in safe mode. Should I try to run them in normal mode?

There seems to be no significant change. Available CPU is still consistently 0-3%. If I am in normal mode, I can open office documents, for instance, but then can not work in the files; everything freezes up. iTunes will open, but then is non-responsive, and in fact, seems to lock up the entire computer. Should I try the 4 steps in normal mode, or does that matter? It seemed like the CMD gave me some sort of error message.

Thanks
gaughin
Maurice Naggar Posted May 24, 2010 ID:255331

Unless I specifically guide you to use Safe Mode, I mean for the steps to be run in Normal mode.

If you have run # 1, 2, # 4 one time, there's no need to run those again.

Step 3 needs to be run in Normal mode. If that is totally impossible, then in "Safe Mode with Networking".

If there is "some sort of error", I need for you to report all details.
Gaughin Posted May 24, 2010 Author ID:255354

OK, I went to normal mode. I was able to get the command mode to load. The computer reported back that the automatic service was successfully stopped.

Still in normal mode, I attempted to re-check the folders C:\Windows\System32\Catroot2 and C:\Windows\SoftwareDistribution\Download

The flashlight/search icon ran continuously for about 15 minutes without ever displaying any folders.

I switched to Safe Mode with Networking. I could access the folders from there. I re-named C:\Windows\System32\Catroot2 to C:\Windows\System32\CR3OLD (since I had previously created CR2OLD). C:\Windows\SoftwareDistribution\Download remained empty.

I still have approximately 0-5% available CPU with services.exe consistently taking 90% or more of the CPU.

Thanks for your continued help.
gaughin
Maurice Naggar Posted May 24, 2010 ID:255381

OK. The flushing of the Windows Automatic Updates is only a one-time thing. I will not be asking you to do again.

And I'm sure you have completed TFC temp file cleaner.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from >>> here <<<
Double-click FixPolicies.exe.
Click the "Install" button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
A black box will briefly appear and then close.

As a one-time try, see about downloading (and saving) and then installing StartUpLite by MalwareBytes
http://www.malwarebytes.org/startuplite.php
Install it, restart system, and get me a status update.

Be very aware, that since we have not been able to see residual malware, that we are very quickly reaching the end-of-the road in this sub-forum. I will help you remove the tools used. But as far as malware hunting, we are at an end.

This system appears to be haunted, and you'd likely be a) safer long term, & b) quicker to resolve by c) saving your files & documents to offline media, and then doing a HD wipe/reformat and fresh install of Windows.
Gaughin Posted May 24, 2010 Author ID:255601

It seems marginally better, but it's definitely not right. I really appreciate the people who participate in this site. Even though my case is not successful, it was great of you guys to take this much time with me. I would ask 2 final questions.

1) I have read bits and pieces about Windows "repair". Is this worth trying?
2) If not, can you point me to good instructions about how to re-format the hard drive and re-install Windows from scratch? There are so many options that it's hard for a tech-challenged guy like me to know which one to use as a map.

Thanks again for your time
gaughin
Maurice Naggar Posted May 25, 2010 ID:255713

At this time, let's remove Combo-Fix.exe

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below. The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

Click Start, then click Run. Then type in
Combo-Fix /uninstall
and press OK

De-install Spybot (if still present). That version you had is outdated.

Next:
Download OTC to your desktop and run it
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Notes on Windows XP Repair:
A Windows XP repair install is "iffy" in that there can be no guarantee that it will really result in a fix of your issues.
I would urge a full offline backup of the system before you even start it. Having the backup would serve as a means of possibly reverting it in case things did not work out.

Following is the Repair Install scenario.
Only if you have a "full" XP CD ----
The object of this exercise is to do an in-place upgrade or an in-place installation for purposes of "repair".
It needs to go to the same partition as before, and the same directory as before.
Usually for example XP is on C drive and is on folder/directory \Windows or \WINNT.

Configure your computer to start from the CD-ROM drive. You do that from the pc BIOS setup screen.
You specify CDROM as the first drive to boot from.
Insert your Windows XP CD into your CD-ROM drive, and then restart your pc.
When the "Press any key to boot from CD" message is displayed on your screen, press a key to boot pc from the XP CD.
When you see the following message displayed on the Welcome to Setup screen, press ENTER:
To setup Windows XP now, press ENTER.
At this point an option to press R to enter the Recovery Console is displayed. Do NOT select this option.
On the Windows XP Licensing Agreement screen, press F8 function key to agree to it.
Make sure that your current installation of Windows XP (in your case, the one you wish to repair) is selected in the box, and then press the R key to repair XP.
Follow the instructions on the screen.

NOTE: You may refer to this article for more details
http://www.michaelstevenstech.com/XPrepairinstall.htm

Clean Install of Windows XP
How to do a clean (new) Windows Install:
Before you start, make sure you have at hand the Windows XP CD and also, a fresh new copy of your antivirus that is downloaded from a clean pc and saved on transportable-media (CD-DVD or clean thumb drive).
When you are at point of re-installing o.s., I'd recommend you have the pc disconnected from internet until after the o.s. is installed, plus the antivirus is fully setup and running.

See Windows XP Clean Installation - Partitioning and Formatting using Windows XP CD by Ramesh Srinivasan, MS-MVP & AumHa VSOP
Also Clean Install Windows by Michael Stevens, MS-MVP

I would urge you to follow the directions very carefully.
You will lose your documents so if you have some to save, offload them to a separate offline media. And later on ensure you do a full scan of them by running your antivirus before you copy or open them for use.

NOTE: If XP CD is from a pc manufacturer, and they bundled an AV like McAfee or Norton/Symantec trial versions or any other AV, immediately de-install those, since they will be outdated & of no use.
Install your antivirus immediately after.

Review these articles for general security reference
4 steps to protect your computer
http://www.microsoft.com/security/pypc.aspx
Miekiemoes' How to prevent Malware

Always backup your system on a regular basis
Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

We are finished here. Best regards.