Web browsing slower than flowing honey on ice



Grewy13
2010-05-07, 02:54
Hi Tashi,

Thank you very much for responding so quickly to my posting.
It took me some time to get the ERUNT and DDS programs.
I did run ERUNT to make a backup and ran DDS to create a log as you requested on your "BEFORE you POST" page. Also, included is the link to the original posting as requested.

http://forums.spybot.info/showthread.php?t=57215

Here is the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 15:40:54.09 on Thu 05/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.486 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\IrfanView\i_view32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.sbc.com/dsl
uWindow Title = Microsoft Internet Explorer
uSearch Bar = hxxp://www.att.net/ie4/search/index.html
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Yahoo! Pager] 1
uRun: [EPSON Stylus C80 Series] c:\windows\system32\spool\drivers\w32x86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [nForce Tray Options] sstray.exe /r
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [Ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261169929187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258667742656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-9-24 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-24 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-9-24 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-24 56816]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2003-8-15 255136]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2003-8-15 234656]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\navapsvc.exe [2003-8-17 158376]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2003-8-6 35008]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20040913.023\NAVENG.Sys [2004-10-1 68168]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20040913.023\NavEx15.Sys [2004-10-1 617288]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2003-8-6 300736]
R3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVScan.exe [2003-8-10 193816]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2003-6-25 66784]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2003-8-15 87200]

=============== Created Last 30 ================

2010-05-06 22:11:50 0 d--h--w- c:\windows\PIF
2010-05-04 22:10:12 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-04 22:09:06 0 d-----w- c:\program files\America Online 9.0
2010-05-04 22:09:01 0 d-----w- c:\program files\AOL Companion
2010-05-04 22:08:55 0 d-----w- c:\program files\common files\aolshare
2010-05-04 22:08:51 0 d-----w- c:\program files\MSXML 4.0
2010-05-04 22:08:51 0 d-----w- c:\program files\common files\ODBC
2010-05-04 22:08:51 0 d-----w- c:\program files\AOL Toolbar
2010-05-04 22:08:50 0 d-----w- c:\program files\Pure Networks
2010-05-03 21:52:52 0 ----a-w- C:\.tmA.tmp
2010-04-18 10:38:30 0 ----a-w- C:\.tm2DE.tmp
2010-04-18 10:36:11 0 ----a-w- C:\.tm2DD.tmp

==================== Find3M ====================

2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 16:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 15:41:37.93 ===============


Thanks

Blade81
2010-05-11, 11:10
Hi,

Download GMER (http://www.gmer.net) here by clicking the Download EXE button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab, uncheck the Files option and then click Scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy. This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply. Please post the attach.txt from the DDS run too.

Grewy13
2010-05-11, 21:44
Hi Blade81,

Thank you and tashi for starting the process to get my computer out of this mess. Just opening each page in this forum can take several minutes, and it seems to get worse. As you requested, here are the 2 (two) logs: GMER (2010-05-11) and Attach DDS-txt (2010-05-06).

I also included the zipped files, in case these are considered large. See attachment.

Thank you.


GMER-log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 09:08:05
Windows 5.1.2600 Service Pack 3
Running: oso3coyc.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwloqaob.sys


---- System - GMER 1.0.15 ----

SSDT F7B7825E ZwCreateKey
SSDT F7B78254 ZwCreateThread
SSDT F7B78263 ZwDeleteKey
SSDT F7B7826D ZwDeleteValueKey
SSDT F7B78272 ZwLoadKey
SSDT F7B78240 ZwOpenProcess
SSDT F7B78245 ZwOpenThread
SSDT F7B7827C ZwReplaceKey
SSDT F7B78277 ZwRestoreKey
SSDT F7B78268 ZwSetValueKey
SSDT F7B7824F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF71E149E]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF64B4380, 0x21F24D, 0xE8000020]
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF781F300]
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2948] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2948] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2948] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2948] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2948] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2948] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2948] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2948] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2948] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3416] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


Here is the DDS-txt log:

see attached file.

Blade81
2010-05-11, 22:00
Hi,

You seem to have both Antivir and Norton installed there. It's not recommended to have more than one antivirus program running. Decide which one you want to keep, please.

Start MBAM, update its database and run a quick scan (remove found items). Post back the report + fresh dds.txt log.
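The dual-antivirus finding above comes straight from the two "AV:" lines in the DDS header, and the "No File" BHO/TB entries in the Pseudo HJT Report are the other thing a helper checks first. As an added example (not part of the thread or of the DDS tool), this Python triage script parses a constructed excerpt of the posted log and reports both; the function names and the sample text are the example's own.

```python
"""Triage helper for DDS logs (the format posted in the thread above).

Added example, not code from the thread or from DDS itself. It parses the
"AV:" header lines and the Pseudo HJT Report section of a DDS log and reports
two things a malware-removal helper looks at first:
  * more than one on-access antivirus product registered at the same time
  * BHO / toolbar / explorer-bar entries whose backing DLL is gone ("No File"),
    i.e. leftover registrations that are safe cleanup candidates
"""
import re

# Constructed sample: a few lines copied from the DDS log posted in the thread.
SAMPLE_DDS_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
"""

# "AV: <name> *<state>* (<update status>) {<CLSID>}"
AV_LINE = re.compile(
    r"^AV:\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*\s+"
    r"\((?P<updated>[^)]+)\)\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*$"
)
# BHO = browser helper object, TB = toolbar, EB = explorer bar
HJT_LINE = re.compile(r"^(?P<kind>BHO|TB|EB):\s+(?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_av_products(log_text):
    """Return one dict (name, state, updated, clsid) per 'AV:' header line."""
    products = []
    for line in log_text.splitlines():
        match = AV_LINE.match(line)
        if match:
            products.append(match.groupdict())
    return products


def find_orphaned_entries(log_text):
    """Return (kind, clsid) for every BHO/TB/EB entry that ends in '- No File'."""
    orphans = []
    for line in log_text.splitlines():
        match = HJT_LINE.match(line)
        if not match or not match.group("body").rstrip().endswith("- No File"):
            continue
        clsid = CLSID.search(match.group("body"))
        orphans.append((match.group("kind"), clsid.group(0) if clsid else "<no clsid>"))
    return orphans


def triage(log_text):
    """Return human-readable findings for the helper to act on."""
    findings = []
    active = [p for p in parse_av_products(log_text) if "enabled" in p["state"].lower()]
    if len(active) > 1:
        names = ", ".join(p["name"] for p in active)
        findings.append(f"more than one on-access antivirus registered: {names}")
    for kind, clsid in find_orphaned_entries(log_text):
        findings.append(f"orphaned {kind} entry {clsid} points to a missing file")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS_LOG):
        print("-", finding)
```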

Grewy13
2010-05-12, 06:39
Hi Blade81,

Thank you for your quick response. Although the Norton Antivirus (old version) had been de-activated since I installed Avira (not having caused any problem until recently), I did as you recommended and removed one Antivirus program. So, I removed the Norton Antivirus program via the MS Add/Remove. Furthermore, I did update MBAM to its latest version 1.46, and did a quick scan (see below). No malware was found. In addition you will find enclosed the latest Attach DDS-txt.

Now, with the above action it seems that I already have an improved response time when loading the pages in this forum and other internet sites, compared to what I was experiencing before. I'm grateful that you put me on the right track toward fixing this. Opening of large folders and applications still takes some time. However, this is a huge improvement.

Here is the mbam-log-2010-05-11 (18-32-33):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/11/2010 6:32:33 PM
mbam-log-2010-05-11 (18-32-33).txt

Scan type: Quick scan
Objects scanned: 119243
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Also attached is the latest Attach DDS-txt 2010-05-11 6-57pm log (zip)

Thank you

Blade81
2010-05-12, 20:24
Hi again,


Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 20 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report & a fresh dds.txt log. How's the system running?

Grewy13
2010-05-14, 07:19
Hello Blade81,

Well, it took me some time to get through the tasks you asked me to do.

First, via Add/Remove I removed Adobe Reader 8.1.2 and then downloaded Adobe Reader 9.3, installed it, and then updated to v9.3.2. Rebooted.

Second, via Add/Remove I removed Java v1.4.2, downloaded & installed Java 6, update 20. At the Adobe site I tested if it is working: Yes. Rebooted.

Third, I downloaded the ATF-Cleaner & ran it. It reported that about 100mb of space got free. Nice to have.

I deactivated the Antivirus program before running the Kaspersky online scan.
Downloading the Kaspersky online scan program and database (2374 files) and about 100mb took almost 1hr15m (downloading the Adobe Reader and Java took only a few minutes). What ATF gave me in space, Kaspersky took back.

The online scan took 2h26min. It found 1 threat, which my Antivirus program had not reported, and MBAM also did not report it.

See the report below.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 13, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, May 13, 2010 19:42:39
Records in database: 4109545
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 90423
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:26:44


File name / Threat / Threats count
C:\Downloads & installed\Downloaded\Win95 - HP8260\MPC-6.4.9.exe Infected: not-a-virus:AdWare.Win32.Agent.lmz 1

Selected area has been scanned.

--------------------------------------------------------------------------------

Since Avira and mbam did not report this, what is the best method to eliminate it? - Deleting this file (which I don't need) - would this solve the problem?

I did run DDS. See the attached report (zip).

Here are some other questions:

Since I installed the ERDNT program, the folder ERDNT in the Windows folder grows by about 47mb per day. Is it safe to eliminate some of the daily entries after a certain time?

I tried to use Add/Remove to get rid of AOL (41mb) but Add/Remove tells me it can't find it.

So far, throughout this problem finding process I had de-activated the Spybot Resident TeaTimer. Should I reactivate again? What about adding SpywareBlaster?

Now, to your question how's the system running? Well, I tell you, since removing NAV, web browsing has become a charm again (not as fast as on cable, but OK). Also it seems that the folders and programs open faster (with the exception of some folders with about 3200 Notepad files, when opening right after a boot; thereafter they also open fast).

Overall, I'm very happy that you guided me through this process. Please let me know how I can get rid of this threat Kaspersky found.

Thank you very much.

Blade81
2010-05-14, 12:33
Hi,


Since Avira and mbam did not report this, what is the best method to eliminate it? - Deleting this file (which I don't need) - would this solve the problem?
Please ignore that Kaspersky finding.


Since I installed the ERDNT program, the folder ERDNT in the Windows folder grows by about 47mb per day. Is it safe to eliminate some of the daily entries after a certain time?
You may uninstall ERUNT now that the problem is resolved.


I tried to use Add/Remove to get rid of AOL (41mb) but Add/Remove tells me it can't find it.
Revo Uninstaller (http://www.revouninstaller.com/) may help you there.


So far, throughout this problem finding process I had de-activated the Spybot Resident TeaTimer. Should I reactivate again? What about adding SpywareBlaster?
Yes, you may reactivate it at this point and install SpywareBlaster if you wish :)


Now, to your question how's the system running? Well, I tell you, since removing NAV, web browsing has become a charm again (not as fast as on cable, but OK). Also it seems that the folders and programs open faster (with the exception of some folders with about 3200 Notepad files, when opening right after a boot; thereafter they also open fast).
If the hard drive hasn't been defragged lately then I recommend doing so. For defragging I'd use a 3rd-party solution. Good commercial ones are PerfectDisk (http://www.perfectdisk.com/home) and Diskeeper (http://www.diskeeper.com/diskeeper/home/diskeeper.aspx). Of the free options I recommend MyDefrag (http://www.mydefrag.com/).

Grewy13
2010-05-14, 22:24
Hi Blade81,

Thanks for your tips about removing software without the MS Add/Remove program, as well as for ERUNT and TeaTimer. I did use MS defrag recently (~2 weeks ago); however, I will look into your suggestion about a 3rd party solution to remove AOL.

Now, I did some online browsing, mostly news, last night; after installing the new version of Java v6u20, I noticed some slight delay (compared to having Java 1.4.2) while opening a web page for the first time (e.g. BBC, NYT). It seems that more stuff gets downloaded (pictures, others etc.) as seen on the IE8 status bar. Once I open the same site again (e.g. BBC, NYT) from a different link, to a different page of the site, the delay becomes insignificant. Overall I'm very happy with the result of your help.

When I looked at the Add-ons, I noticed that now I have 6 Java add-ons (previously 2)

1) Java Plug-in 1.6.0_20, Sun Microsystems, Enabled, 5/13/2010 1:35 PM, v1.6.0.20

2) Web Browser Applet Control, " , " , " , v6.0.200.2

3) isInstalled Class, " , " , " , v6.0.200.2

4) Deployment Toolkit, " , " , " , v6.0.200.2

5) Java(tm) Plug-In 2 SSV Helper, " , " , " , v6.0.200.2

6) JQSIEStartDetectorImpl Class, " , " , " , v6.0.200.2

Do I need all that stuff enabled?
(In IE8, Internet Option, Security Settings, I have Java VM, Java permission at High safety).

Also, Java did install an Icon on the taskbar for the Java control panel. Any special feature I can use to streamline my browsing with that?

In addition to the Java Add-ons, Adobe included the following Add-ons as well:

1) Adobe PDF Link Helper, Adobe Systems, 4/3/2010, 4:36 PM, v9.3.2.163

2) Shockwave Flash Object, " , 1/26/2010, 5:58 PM, v10.0.45.2

Do they influence anything in web-page loading/browsing?

Do I keep the Kaspersky files (107mb) in jkos folder? Does this program somehow stay active? (The product.conf CONF file seems to have been updated late last night).

Now, I want to thank you, Blade81, very, very much for the insightful help you provided me in solving these problems with the slow browsing and otherwise improving my system.

You, and your team at the Spybot Safer-Networking Forums (Malware Removal), provide an invaluable service to the many lost users affected by malware or otherwise pesky problems with their personal computer system.


Thank you & take care. :thanks:

Blade81
2010-05-14, 22:58
You're welcome :)


Do I need all that stuff enabled?
I'd keep those Java items enabled.


Also, Java did install an Icon on the taskbar for the Java control panel. Any special feature I can use to streamline my browsing with that?
The icon will only appear when you're browsing some site that contains Java code.


In addition to the Java Add-ons, Adobe included the following Add-ons as well:

1) Adobe PDF Link Helper, Adobe Systems, 4/3/2010, 4:36 PM, v9.3.2.163

2) Shockwave Flash Object, " , 1/26/2010, 5:58 PM, v10.0.45.2

Do they influence anything in web-page loading/browsing?
Yes, I think the first one is needed when a pdf file is opened inside the browser. Shockwave is needed to play contents made with that technology.


Do I keep the Kaspersky files (107mb) in jkos folder? Does this program somehow stay active? (The product.conf CONF file seems to have been updated late last night).
You can delete those.

Blade81
2010-05-21, 21:51
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.