multiple problems

[brhsoccer14]

Hello everyone,

I have been experiencing multiple problems for quite a while now... The problems consist of:

The computer freezing often... It freezes while at the desktop screen if not used in a while, and it also freezes on startup a lot.
Mozilla Firefox opens for a split second and then closes.
When clicking links in Internet explorer, it opens up a new tab with windows live search.
Sometimes, randomly, people will start talking on my computer as if a soap opera and nothing is open on my desktop... A little strange and scary.

DDS:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Joey at 22:20:34.48 on Tue 06/23/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1261 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\program files\steam\steam.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\joey\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\joey\local settings\temp\{026cd46e-c4a8-49c7-86ea-35ca8dd20c1c}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: intuit.com\community
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joey\applic~1\mozilla\firefox\profiles\n229tw6y.test\

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-6 11608]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-6 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-6 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-6 55640]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090612.003\naveng.sys [2009-6-12 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090612.003\navex15.sys [2009-6-12 876144]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]

=============== Created Last 30 ================

2009-06-23 21:29 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-06 22:55 45,748 a------- c:\windows\system32\oodbs.lor
2009-06-06 22:14 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-06 22:14 <DIR> --d----- c:\program files\Avira
2009-06-06 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-06 21:49 0 a------- c:\windows\OODCNT.INI
2009-06-06 21:45 <DIR> --d----- c:\windows\system32\oodag
2009-06-06 21:44 <DIR> --d----- c:\program files\OO Software
2009-06-06 20:29 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-25 21:25 <DIR> --d----- c:\docume~1\joey\applic~1\Atari
2009-05-25 21:25 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-05-25 21:18 <DIR> --d----- c:\program files\Atari

==================== Find3M ====================

2008-12-02 20:27 32 a----r-- c:\documents and settings\all users\hash.dat
2008-10-18 16:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101820081019\index.dat

============= FINISH: 22:21:33.84 ===============

[tetonbob]

Hello again -

Glad to see you were able to run GMER this time.

While I'm not sure this will address all the issues you're describing, I do see malware present.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

I see the cause of the malware issues...but first...

---------------------------------------------------------------------------------------------

As stated in our pre-posting sticky topic...

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:

If you have more than one antivirus software installed, leave only ONE and uninstall the others

While this may seem like greater protection, it can cause problems including slowdowns, system hangs or even crashes. This can happen if both AntiVirus applications attempt to access the same file at the same time. This may cause the applications to interfere with each other, or cause the system to lock up. It can also be a drain on system resources, making a machine run slower than it should.

I see you have more than one Anti-Virus program installed, Avira and Symantec. Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

re-install the program -> reboot -> uninstall

-----------------------------------------------------------------------

Once you've done that....

• Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
  
  Link 1
  Link 2
  Link 3
  
  
  
  
  
  
  --------------------------------------------------------------------
  
  
  * IMPORTANT !!! Place combofix.exe on your Desktop
  
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  
  
  You can get help on disabling your protection programs here
  
  
• Double click on combo-fix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  
  Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  
  
  
  
  
  The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
  
  With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  
  Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
  
  ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
  
  Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
  
  The Recovery Console was successfully installed.
  
  
  
  Click on Yes, to continue scanning for malware.
  
• Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  
• When finished, it shall produce a log for you. Post that log in your next reply
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  
  ---------------------------------------------------------------------------------------------
  
• Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
  
  
  ---------------------------------------------------------------------------------------------

[brhsoccer14]

Weird... I only downloaded Symantec...


ComboFix 09-06-26.02 - Joey 06/27/2009 13:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT -5:00]
Running from: c:\documents and settings\Joey\Desktop\joey.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACqjnvdbbnetyxtaw.sys
c:\windows\system32\UACeebimonvupxeqwb.dll
c:\windows\system32\UACfpppxfolwawqqhl.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACnulvkdqqsylcfua.db
c:\windows\system32\UACpjlywqqweocbefk.dll
c:\windows\system32\UACrpkwmroqcivcqwc.log
c:\windows\system32\UACsblqdfuxsvgdsho.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACtxjklqobfookvdp.log
c:\windows\system32\UACuyabrktnoteptas.dll
c:\windows\system32\UACvrdjmhkinswvcsm.log
c:\windows\system32\UACxdkpkcwqwgkxmis.dll
c:\windows\system32\UACxtpirmynqgpxiur.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-24 02:29 . 2009-06-24 02:29 10134 ----a-r- c:\documents and settings\Joey\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-24 02:29 . 2009-06-24 02:29 -------- d-----w- c:\program files\Microsoft WSE
2009-06-07 04:58 . 2009-06-07 04:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-06-07 03:14 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-07 02:45 . 2009-06-07 02:48 -------- d-----w- c:\windows\system32\oodag
2009-06-07 02:44 . 2009-06-07 02:44 -------- d-----w- c:\documents and settings\Joey\Local Settings\Application Data\O&O
2009-06-07 02:44 . 2009-06-07 02:44 -------- d-----w- c:\program files\OO Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 16:48 . 2008-09-10 21:48 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-27 16:17 . 2008-11-12 04:08 -------- d-----w- c:\program files\Steam
2009-06-24 03:10 . 2008-10-11 00:11 -------- d-----w- c:\program files\Electronic Arts
2009-06-24 03:10 . 2008-09-10 21:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-07 01:59 . 2008-09-11 20:48 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-31 03:08 . 2009-05-26 02:25 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-05-26 02:25 . 2009-05-26 02:25 -------- d-----w- c:\documents and settings\Joey\Application Data\Atari
2009-05-26 02:22 . 2009-05-26 02:22 -------- d-----w- c:\documents and settings\Joey\Application Data\Leadertech
2009-05-26 02:18 . 2009-05-26 02:18 -------- d-----w- c:\program files\Atari
2009-05-16 23:48 . 2009-03-14 02:29 530 ----a-w- c:\windows\eReg.dat
2009-05-09 23:24 . 2009-05-09 19:48 -------- d-----w- c:\program files\Full Tilt Poker
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"Steam"="c:\program files\steam\steam.exe" [2009-06-14 1217784]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-10 136600]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2008-09-04 2524416]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-1-15 984352]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\football manager 2009 demo\\fm.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\medieval ii total war demo\\medieval2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:01 PM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: intuit.com\community
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Joey\Application Data\Mozilla\Firefox\Profiles\n229tw6y.test\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 13:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="A22405E8C1221C8BCE1C4A9AFE5EB8BAD464989A2B1AFD4171E842A75F774A4100CC4312DD26A005B4307A9ADC8F9D8F72C1E1FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A9C6AECB7A5D1407BA7FD869164D6794A6A0AC4980AC7933C30D2F84E81B91C94B8DDA314E4694685428AA9EAE64E533E0318DC7D160F8B98911C5742F690492DF8919337D3F151C2E8C4E611396F4507A20F7C69401DFA9E25A9140F8EF040FC263EBFAD8BFDCDC2D0E6B3F0CDBD0F4367C90471FE32BDE89D9D82E8F755DFE529C67E95D7014D5766105D0EDDC1ED21FCCE8BBB9549D368B07592B4D060D0742BE94031CBC9693013F10D49D8736FE8F1B83BCBDE02CED4A5CC2C6A46F47B097D371703A55F38799E4F8AC940D23F6B8F356821D5A7FAB7BD939B418C57066AEEC6E7F722DED075F919B5EE262A79721E8CD6DD857F6F32980D4CC415FA47AB51CEF9F90FDFDCBC58B4B15A9C03723A09048010933A2B4B1D7210CCBD9B21F30FA50E6F5C3CE73941B4C1C9FA47BBF63059862598948BA466A1F90F6111BEEF3245B8E983DC07E670C5AE68E50CE796A62075E093FE13CECC5411F99A99664AB3752F202EEE4D22FAF240CD4C8C3BC8BCB4D63EA781DCE7E7EF120190B0E61D6D6EA934D2285B9AE5AC9C366561F5C6D661A8265215A6E292A0A9EF3DF222A49ACCD182EE21EE17DE4E16D4706D70F8FDA12F475E5B07AEF635CCBB91823E627E397C7E8805BDA09ABF589912A1B704057CA1529B8673527C8AA798E669823EB2C5A8FD68F241B0F9005BFF5D7497CA58ECF612551FE48F87DAFA12A413D5068379A80E5E78EFAA4F601D7B4E67718B835207C9E29A63DE327945F5964FDC23DBF50CF162665B931C7D042A5F56D07C5052FAD63FD4585B8F17B727DCE7F32E1FE69D57E2B29766FEECB0FB1E52876ED3CE2DFD0D273729D0B77BD894498BB2135471046190EB8715FC2F456DA58F2A41B9822DA6D7EBB0D26114B054BD15F9AA7BE9E2CD9F8E8190BF54DA83E616EB3E81CA688D5E9FCD2F944C58E2F6A82401B1947811888539EEC9C164D3E5E41386FB346F55EE8B61340007D5400D4EBD75E9173A9C50AAB8E00DF717E4B9825237A93F8D095E6CA423729E59B0E38487DBDDBAD21150306C645DD250A9A13B7B85C68DFDE547F012AA49898BC746EA920909B29F17F295CFDC1A81B53A501FB116C513D7432850669CB19CE248B868202AB693ABFC0E80BB97EC662D0A84C589981DF77FE0EFE68F0F7EB6951F3C22DBAEA53D8BE59E0545607B1AA8AA50F17137C1D9AFB8CA31A86F8C26DD80F1A6433AF5AA3B78DE55E83ECD7CA21629C67133B8255011162F445A0C701E306B5492CDCF15A89E4FEB0C5441B3E476677D981A77F7833"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2009-06-27 13:32
ComboFix-quarantined-files.txt 2009-06-27 18:32

Pre-Run: 247,827,230,720 bytes free
Post-Run: 248,094,371,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

139 --- E O F --- 2009-04-16 08:03

[tetonbob]

Hi -

Are you the only one with access to this machine? Legit AntiVirus applications are not in the habit of downloading and installing themselves. You're down to one now, that's good, and the main infection has been neutralized.

I need a bit more information before we continue.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

[brhsoccer14]

Before I came here, I asked my roommate who is pretty good with computers to help, so I don't know what he did... Plus, my sister uses the computer as well, but I don't think she downloaded it.

2007 Microsoft Office Suite Service Pack 1 (SP1)
7-Zip 4.57
Adobe Flash Player 10 ActiveX
Barbarian Invasion
Battlefield 2(TM)
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
EA Download Manager
Empire: Total War
Europa Universalis III
Full Tilt Poker
GameSpy Arcade
Gleim's CIA Test Prep 13th Edition WebDeploy
High Definition Audio Driver Package - KB888111
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 11
Java(TM) 6 Update 7
LiveUpdate 3.2 (Symantec Corporation)
Medieval II Total War
Medieval II: Total War Demo
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Rise Of Nations
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.21)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
Netflix Movie Viewer
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
O&O Defrag Professional Edition
QuickBooks
QuickBooks Premier: Professional Services Edition 2009
Rise of Nations Thrones and Patriots
RollerCoaster Tycoon 3 Platinum
Rome - Total War(TM)
Rome Total War - patch 1.3
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sid Meier's Civilization 4
Sid Meier's Railroads!
SimCity 4 Deluxe
SoundMAX
Steam
SupportSoft Assisted Service
Symantec AntiVirus
The Sims 2
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Apartment Life
The Sims™ 2 Bon Voyage
The Sims™ 2 FreeTime
The Sims™ 2 Seasons
TuneXP 1.5
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3

[tetonbob]

Ok, thanks. Next steps...

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):


Java(TM) 6 Update 7

This is outdated, and a security risk by having it installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Java(TM) 6 Update 11 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving now?

[brhsoccer14]

The online scan keeps failing every time I try to run it...

[tetonbob]

Can you be more specific, please? Are you getting any error messages?

[brhsoccer14]

Failed to connect to update source...

Program is starting. Please wait...
Update source selected: http://www.kaspersky.com
Downloading file: packages/kos-extras.jar
Program has started.

Program database is being updated. Please wait...
Update source selected: http://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to connect to update source: downloads5.kaspersky-labs.com
Update source selected: ftp://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to connect to update source: downloads1.kaspersky-labs.com
Update source selected: http://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to connect to update source: downloads3.kaspersky-labs.com
Update source selected: ftp://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to connect to update source: downloads2.kaspersky-labs.com
Update source selected: http://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to connect to update source: downloads4.kaspersky-labs.com

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Failed to connect to update source]

[tetonbob]

Sometimes Kaspersky scanner is quirky. You can uninstall it from Add or Remove programs, and try again. If it still gives you trouble, try a different browser. If still no joy, use this scanner in it's place.

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

[brhsoccer14]

Kaspersky isnt in add/remove programs and ive tried in different browsers... When I click on ESET's link, IE says it can not display this page

[tetonbob]

Are you having troubles visiting other sites?

Please go to Start > Run and copy/paste the following, then press Enter:

notepad C:\Windows\system32\drivers\etc\hosts

A text file should open. Please post the contents of that file in your next reply. If it's a large file, you may need to save it to your desktop, then attach it.

[brhsoccer14]

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

[tetonbob]

You should have no trouble connecting to these sites.

Quote:

Are you having troubles visiting other sites?

[brhsoccer14]

So what do I do because I am not able to get to eset and kaspersky keeps giving me the error I showed you...

[tetonbob]

Answer my question, so I can better help you please. I've asked it twice. Are you having troubles getting to other sites?

[tetonbob]

Example, can you visit these sites?

http://www.eset.com/

http://www.kaspersky.com/

http://www.pandasecurity.com/usa/

Will this online scan work?

Perform an online scan with Panda ActiveScan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

[brhsoccer14]

Sorry, it was just miscommunication. I can go to other sitesm i just couldnt go to ESET. I can go to Kapersky, but the online scan keeps failing. I went to Panda and it got to 34% and then just stopped...

[tetonbob]

Hmm, well that's unusual for you to have troubles with all the scanners. Is your AntiVirus disabled while you're trying to run the scans? If not, try again. Each scan works in Firefox, also.

We can use an onboard tool to help us also.

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to the following:
  
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

Next, run a new scan with DDS, and post it's main log, dds.txt

[brhsoccer14]

The Panda scan is attached.