Topic: XP PC Hanging, Freezing

dc4580

    Topic Starter


    Beginner
    • Experience: Beginner
    • OS: Windows XP
    XP PC Hanging, Freezing
    « on: January 08, 2012, 07:32:36 AM »
    Problem is that no matter what I am doing, whether it is browsing using IE 8, emailing, or creating docs, I will experience a hang or freeze of the whole PC.  Everything halts, no mouse, can't even refresh.  Doesn't matter what the browser is, and it doesn't matter which AV software I am using.  It isn't high CPU, but I do see high memory usage by IE within Task Manager.  Page file size increases.  Software environment is XP SP3, IE 8.  AV and Firewall are Norton 360.   Ran through the cleanup, and here are the three logs:

    SuperAntiSpyware:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/08/2012 at 03:49 AM

    Application Version : 5.0.1142

    Core Rules Database Version : 8112
    Trace Rules Database Version: 5924

    Scan type       : Complete Scan
    Total Scan Time : 01:32:26

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned      : 555
    Memory threats detected   : 0
    Registry items scanned    : 38853
    Registry threats detected : 0
    File items scanned        : 78468
    File threats detected     : 2

    Adware.Tracking Cookie
       C:\Documents and Settings\david cox\Cookies\1IIAF4JA.txt [ /imrworldwide.com ]
       C:\Documents and Settings\david cox\Cookies\SPGH7VY7.txt [ /invitemedia.com ]


    MBAM:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.08.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    david cox :: DAVE-Q08ESS7TBC [administrator]

    1/8/2012 5:52:44 AM
    mbam-log-2012-01-08 (05-52-44).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 186546
    Time elapsed: 20 minute(s), 15 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    First DDS log:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by david cox at 7:57:19 on 2012-01-08
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.447.94 [GMT -6:00]
    .
    AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
    C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\java.exe
    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
    C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uWindow Title = Internet Explorer, optimized for Bing and MSN
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Power2GoExpress] c:\windows\system32\ctfmon.exe
    mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" update "software\cyberlink\powerproducer\4.0"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
    mRun: [MBkLogonHook]
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [InstantBurn] c:\progra~1\cyberl~1\instan~1\win2k\IBurn.exe
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    LSP: c:\program files\vmware\vmware player\vsocklib.dll
    Trusted Zone: internet
    Trusted Zone: live.com\onecare
    Trusted Zone: mcafee.com
    Trusted Zone: microsoft.com\download.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\www.update
    Trusted Zone: ussco.com\myportal
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://myportal.ussco.com/bluezone/controls/,DanaInfo=intranet.ussco.com+sglw2hcm.ocx
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1212120081468
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208918393375
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208921940093
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://myportal.ussco.com/dana-cached/sc/JuniperSetupClient.cab
    DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{98F51424-7F98-4109-9E22-2025B352A261} : DhcpNameServer = 192.168.0.1
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    Hosts: 127.0.0.1   www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-12-6 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-12-6 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20111221.003\BHDrvx86.sys [2011-12-21 819320]
    R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2008-6-3 15784]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-12-6 136312]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
    R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2008-6-3 162344]
    R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
    R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-12-6 130008]
    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-11-11 70768]
    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-11-11 539248]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-18 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120106.002\IDSXpx86.sys [2012-1-6 356280]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120107.009\NAVENG.SYS [2012-1-7 86136]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120107.009\NAVEX15.SYS [2012-1-7 1576312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]
    S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]
    S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\drivers\procexp150.sys --> c:\windows\system32\drivers\PROCEXP150.SYS [?]
    S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
    S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-8-29 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-8-18 86016]
    S4 SessionLauncher;SessionLauncher;c:\docume~1\davidc~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\davidc~1\locals~1\temp\dx9\SessionLauncher.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-01-07 14:47:04   --------   d-----w-   c:\program files\CCleaner
    2012-01-07 06:39:12   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2012-01-06 15:10:50   --------   d-----w-   c:\documents and settings\david cox\local settings\application data\Symantec
    2012-01-06 14:54:52   --------   d-----w-   c:\windows\system32\wbem\repository\FS
    2012-01-06 14:54:52   --------   d-----w-   c:\windows\system32\wbem\Repository
    2011-12-28 13:19:28   --------   d--h--w-   c:\windows\PIF
    2011-12-28 13:17:46   --------   d-----w-   c:\documents and settings\david cox\application data\Windows Search
    2011-12-25 00:46:51   --------   d-----w-   c:\program files\common files\Windows Live
    2011-12-25 00:43:19   --------   d-----w-   c:\windows\system32\winrm
    2011-12-25 00:43:03   --------   dc-h--w-   c:\windows\$968930Uinstall_KB968930$
    2011-12-25 00:36:15   --------   d-----w-   c:\windows\system32\GroupPolicy
    2011-12-25 00:36:15   --------   d-----w-   c:\program files\Windows Desktop Search
    2011-12-24 13:36:09   --------   d-----w-   c:\program files\ASTRA32
    2011-12-22 06:29:09   --------   d-----w-   c:\program files\Microsoft Windows Performance Toolkit
    2011-12-22 06:27:47   --------   d-----w-   c:\program files\Debugging Tools for Windows (x86)
    .
    ==================== Find3M  ====================
    .
    2011-12-10 21:24:06   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2011-12-07 05:43:20   60872   ----a-w-   c:\windows\system32\S32EVNT1.DLL
    2011-12-07 05:43:20   126584   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
    2011-11-28 00:24:37   103784   ----a-w-   c:\documents and settings\david cox\GoToAssistDownloadHelper.exe
    2011-11-23 13:25:32   1859584   ----a-w-   c:\windows\system32\win32k.sys
    2011-11-23 08:55:11   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-10 11:54:13   472808   ----a-w-   c:\windows\system32\deployJava1.dll
    2011-11-10 09:27:10   73728   ----a-w-   c:\windows\system32\javacpl.cpl
    2011-11-04 19:20:51   916992   ----a-w-   c:\windows\system32\wininet.dll
    2011-11-04 19:20:51   43520   ------w-   c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59   385024   ------w-   c:\windows\system32\html.iec
    2011-11-01 16:07:10   1288704   ----a-w-   c:\windows\system32\ole32.dll
    2011-10-28 05:31:48   33280   ----a-w-   c:\windows\system32\csrsrv.dll
    2011-10-25 13:33:08   2192768   ----a-w-   c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:03   2069376   ----a-w-   c:\windows\system32\ntkrnlpa.exe
    2011-10-18 11:13:22   186880   ----a-w-   c:\windows\system32\encdec.dll
    2011-10-10 14:22:41   692736   ----a-w-   c:\windows\system32\inetcomm.dll
    .
    ============= FINISH:  7:59:23.78 ===============


    Attach Log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/20/2008 10:26:55 PM
    System Uptime: 1/7/2012 6:19:44 AM (25 hours ago)
    .
    Motherboard: ECS                                                              |  | Alhena5   
    Processor:               Intel(R) Celeron(R) D CPU 3.33GHz | CPU 1 | 3325/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 104 GiB total, 82.542 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
    Description: ATI RADEON XPRESS 200 Series 
    Device ID: PCI\VEN_1002&DEV_5A61&SUBSYS_2A4F103C&REV_00\4&1CF2FBB4&0&2808
    Manufacturer: ATI Technologies Inc.
    Name: ATI RADEON XPRESS 200 Series 
    PNP Device ID: PCI\VEN_1002&DEV_5A61&SUBSYS_2A4F103C&REV_00\4&1CF2FBB4&0&2808
    Service: ati2mtag
    .
    ==== System Restore Points ===================
    .
    RP1: 12/8/2011 3:31:16 AM - System Checkpoint
    RP2: 12/19/2011 1:53:28 AM - System Checkpoint
    RP3: 12/19/2011 3:00:50 AM - Software Distribution Service 3.0
    RP4: 12/20/2011 3:40:52 AM - System Checkpoint
    RP5: 12/21/2011 4:06:16 AM - System Checkpoint
    RP6: 12/22/2011 5:02:17 AM - System Checkpoint
    RP7: 12/23/2011 5:40:28 AM - System Checkpoint
    RP8: 12/24/2011 9:00:10 AM - System Checkpoint
    RP9: 12/24/2011 4:31:54 PM - Software Distribution Service 3.0
    RP10: 12/24/2011 5:22:28 PM - Software Distribution Service 3.0
    RP11: 12/24/2011 6:31:53 PM - Software Distribution Service 3.0
    RP12: 12/25/2011 6:59:04 PM - System Checkpoint
    RP13: 12/26/2011 12:21:45 AM - Software Distribution Service 3.0
    RP14: 12/27/2011 1:21:38 AM - System Checkpoint
    RP15: 12/28/2011 1:33:06 AM - System Checkpoint
    RP16: 12/29/2011 2:07:23 AM - System Checkpoint
    RP17: 12/30/2011 2:23:40 AM - System Checkpoint
    RP18: 12/31/2011 3:19:41 AM - System Checkpoint


    RP19: 1/1/2012 4:19:40 AM - System Checkpoint
    RP20: 1/2/2012 4:47:05 AM - System Checkpoint
    RP21: 1/3/2012 5:34:07 AM - System Checkpoint
    RP22: 1/4/2012 6:36:53 AM - System Checkpoint
    RP23: 1/5/2012 7:34:08 AM - System Checkpoint
    RP24: 1/6/2012 8:50:57 AM - Restore Operation
    RP25: 1/6/2012 11:59:26 PM - Removed Apple Application Support
    RP26: 1/7/2012 12:01:34 AM - Removed Apple Software Update
    RP27: 1/7/2012 12:02:29 AM - Removed Bonjour
    RP28: 1/7/2012 12:04:11 AM - Removed Support.com Toolbar.
    RP29: 1/7/2012 9:13:26 AM - Installed Java(TM) 6 Update 30
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.2.6
    Adobe Reader 8.3.1
    AMD APP SDK Runtime
    ASTRA32 - Advanced System Information Tool 2.12
    ATI - Software Uninstall Utility
    ATI AVIVO Codecs
    ATI Catalyst Control Center
    ATI Catalyst Install Manager
    ATI Display Driver
    ATI Parental Control & Encoder
    AVIVO Codecs
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    CCleaner
    Citrix online plug-in - web
    Citrix online plug-in (DV)
    Citrix online plug-in (HDX)
    Citrix online plug-in (USB)
    Citrix online plug-in (Web)
    Compatibility Pack for the 2007 Office system
    CyberLink InstantBurn
    CyberLink PhotoNow
    CyberLink Power2Go
    CyberLink PowerStarter
    Data Fax SoftModem with SmartCP
    Debugging Tools for Windows (x86)
    DirectXInstallService
    Driver Detective
    DriverGuide DriverScan
    EMC 10 Content
    Free Games Offer, Desktop Shortcut
    Google Update Helper
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB954550-v5)
    HP Product Detection
    InfraRecorder
    Internet Explorer (Enable DEP)
    Java(TM) 6 Update 30
    Juniper Citrix Services Client
    Juniper Networks Host Checker
    Juniper Networks Setup Client
    Juniper Terminal Services Client
    LabelPrint
    LightScribe Diagnostic Utility
    LightScribe System Software  1.14.16.1
    Linksys EasyLink Advisor
    LiveUpdate 3.2 (Symantec Corporation)
    Malwarebytes Anti-Malware version 1.60.0.1800
    MediaShow
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
    Microsoft Windows Performance Toolkit
    Microsoft Windows SDK for Windows 7 (7.1)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton 360
    Octoshape add-in for Adobe Flash Player
    OGA Notifier 2.0.0048.0
    Opera 11.50
    PC Pitstop Optimize3 3.0
    PowerBackup
    PowerDVD
    PowerDVD Copy
    PowerProducer
    Pure Networks Platform
    Realtek High Definition Audio Driver
    Roxio Activation Module
    Roxio BackOnTrack
    Roxio Central Audio
    Roxio Central Copy
    Roxio Central Core
    Roxio Central Data
    Roxio Central Tools
    Roxio CinePlayer
    Roxio CinePlayer Decoder Pack
    Roxio Disc Gallery
    Roxio Easy Media Creator 10 Suite
    Roxio File Backup
    Roxio MediaShare
    Roxio Update Manager
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Skins
    SmartSound Quicktracks Plugin
    Steam
    Suite
    SUPERAntiSpyware
    Symantec Technical Support Web Controls
    tools-linux
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    USB Video Driver
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VMware Player
    WebEx Support Manager for Internet Explorer
    WebFldrs XP
    Windows Driver Package - Advanced Micro Devices, Inc. (USB28xxBGA) Media  (04/27/2007 5.7.0427.0)
    Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA  (04/27/2007 5.7.0427.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Mail
    Windows Management Framework Core
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/6/2012 8:49:30 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/6/2012 8:48:56 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/6/2012 8:48:55 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD BHDrvx86 ctxusbm eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SymIRON SYMTDI Tcpip WS2IFSL
    1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:  A device attached to the system is not functioning.
    1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
    1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
    1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
    1/6/2012 7:37:35 AM, error: Service Control Manager [7034]  - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly.  It has done this 1 time(s).
    1/6/2012 7:20:03 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the VMware Authorization Service service to connect.
    1/6/2012 7:20:03 AM, error: Service Control Manager [7000]  - The VMware Authorization Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
    1/5/2012 10:03:18 PM, error: atapi [11]  - The driver detected a controller error on \Device\Ide\IdePort0.
    1/5/2012 10:02:12 PM, error: atapi [9]  - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    1/2/2012 12:30:28 AM, error: VMnetDHCP [2]  - Can't open C:\Documents and Settings\All Users\Application Data\VMware\vmnetdhcp.conf: The system cannot find the file specified.  / The system cannot find the file specified
    1/2/2012 12:30:11 AM, error: Cdrom [11]  - The driver detected a controller error on \Device\CdRom0.
    .
    ==== End Of File ===========================
       


    If you could help me with this issue, I would appreciate it.

    Thanks,
    Dave

    dc4580

      Topic Starter


      Beginner
      • Experience: Beginner
      • OS: Windows XP
      Re: XP PC Hanging, Freezing
      « Reply #1 on: January 08, 2012, 08:44:50 AM »
      I received word from a relative in my address book (Outlook Express) that she had received spam email from me.  Another item to work on?

      Allan

      • Moderator

      • Mastermind
      • Thanked: 1260
      • Experience: Guru
      • OS: Windows 10
      Re: XP PC Hanging, Freezing
      « Reply #2 on: January 08, 2012, 08:57:55 AM »
      Please wait for a response from our Malware Expert.

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: XP PC Hanging, Freezing
      « Reply #3 on: January 08, 2012, 11:02:18 AM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************************************
      Download OTL to your desktop.

      * Open OTL
      * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

      Code:
      :OTL

      TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
      EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
      Trusted Zone: internet
      Trusted Zone: live.com\onecare
      Trusted Zone: mcafee.com
      Trusted Zone: microsoft.com\download.windowsupdate
      Trusted Zone: microsoft.com\update
      Trusted Zone: microsoft.com\www.update
      Trusted Zone: ussco.com\myportal

      :COMMANDS
      [resethosts]
      [purity]
      [start explorer]

      * Click Run Fix
      * OTL may ask to reboot the machine. Please do so if asked.
      * Click OK
      * A report will open. Copy and Paste that report in your next reply.
      ***************************************************************

      Please download aswMBR.exe ( 511KB ) to your desktop.

      Double click the aswMBR.exe to run it



      Click the "Scan" button to start scan

      Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.



      On completion of the scan click save log, save it to your desktop and post in your next reply
      ****************************************************
      Please download ComboFix from BleepingComputer.com

      Alternate link: GeeksToGo.com

      and save it to your Desktop.
      It would be easiest to download using Internet Explorer.
      If you want to use Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
      Double click ComboFix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


      Click on Yes, to continue scanning for malware.
      When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

      If you have problems with ComboFix usage, see How to use ComboFix
      Windows 8 and Windows 10 dual boot with two SSD's

      dc4580

        Re: XP PC Hanging, Freezing
        « Reply #4 on: January 08, 2012, 10:21:34 PM »
        OTL -

        ========== OTL ==========
        ========== COMMANDS ==========
        C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
        HOSTS file reset successfully
         
        OTL by OldTimer - Version 3.2.31.0 log created on 01082012_220057

        ASWMBR -

        aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
        Run date: 2012-01-08 22:04:10
        -----------------------------
        22:04:10.860    OS Version: Windows 5.1.2600 Service Pack 3
        22:04:10.860    Number of processors: 1 586 0x605
        22:04:10.860    ComputerName: DAVE-Q08ESS7TBC  UserName: david cox
        22:04:15.985    Initialize success
        22:04:38.860    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
        22:04:38.876    Disk 0 Vendor: ST3120213AS 3.AHL Size: 114473MB BusType: 3
        22:04:38.891    Disk 0 MBR read successfully
        22:04:38.907    Disk 0 MBR scan
        22:04:38.923    Disk 0 Windows XP default MBR code
        22:04:38.938    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       105999 MB offset 63
        22:04:38.969    Disk 0 scanning sectors +217086345
        22:04:39.048    Disk 0 scanning C:\WINDOWS\system32\drivers
        22:05:02.298    Service scanning
        22:05:04.985    Modules scanning
        22:05:37.032    Disk 0 trace - called modules:
        22:05:37.079    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
        22:05:37.094    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f77608]
        22:05:37.110    3 CLASSPNP.SYS[f76b6fd7] -> nt!IofCallDriver -> \Device\00000078[0x84f212b8]
        22:05:37.126    5 ACPI.sys[f754d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84f64d98]
        22:05:37.219    Scan finished successfully
        22:06:13.329    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\david cox\Desktop\MBR.dat"
        22:06:13.344    The log file has been saved successfully to "C:\Documents and Settings\david cox\Desktop\aswMBR.txt"


        When I ran COMBOFIX, it completed stage 23 and went to a reboot.  No report.


        SuperDave

        Re: XP PC Hanging, Freezing
        « Reply #5 on: January 09, 2012, 01:33:58 PM »
          Quote
          When I ran COMBOFIX, it completed stage 23 and went to a reboot.  No report.
          Please try running it again. If it doesn't work, delete ComboFix and try this.

          Please download ComboFix from BleepingComputer.com

          Alternate link: GeeksToGo.com
          If you are using Firefox, make sure that your download settings are as follows:

          * Tools->Options->Main tab
          * Set to "Always ask me where to Save the files".

          Rename ComboFix.exe to commy.exe before you save it to your Desktop
          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
          Click Start>Run then copy paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


          Click on Yes, to continue scanning for malware.
          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

          If you have problems with ComboFix usage, see How to use ComboFix

          dc4580

            Re: XP PC Hanging, Freezing
            « Reply #6 on: January 09, 2012, 07:19:27 PM »
            COMBOFIX worked after the rename.  Here is the log:

            ComboFix 12-01-09.06 - david cox 01/09/2012  19:45:36.2.1 - x86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.447.174 [GMT -6:00]
            Running from: c:\documents and settings\david cox\desktop\commy.exe
            Command switches used :: /stepdel
            AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
            FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
            .
            .
            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            c:\documents and settings\All Users\Application Data\TEMP
            c:\documents and settings\david cox\GoToAssistDownloadHelper.exe
            c:\windows\system32\ccrpTmr6.dll
            .
            .
            (((((((((((((((((((((((((   Files Created from 2011-12-10 to 2012-01-10  )))))))))))))))))))))))))))))))
            .
            .
            2012-01-09 04:00 . 2012-01-09 04:00   --------   d-----w-   C:\_OTL
            2012-01-07 14:47 . 2012-01-07 14:47   --------   d-----w-   c:\program files\CCleaner
            2012-01-07 06:39 . 2012-01-07 06:41   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2012-01-06 15:10 . 2012-01-06 15:10   --------   d-----w-   c:\documents and settings\david cox\Local Settings\Application Data\Symantec
            2012-01-06 14:54 . 2012-01-06 14:54   --------   d-----w-   c:\windows\system32\wbem\Repository
            2011-12-28 13:19 . 2011-12-28 13:19   --------   d--h--w-   c:\windows\PIF
            2011-12-28 13:17 . 2011-12-28 13:17   --------   d-----w-   c:\documents and settings\david cox\Application Data\Windows Search
            2011-12-25 00:46 . 2011-12-25 00:46   --------   d-----w-   c:\program files\Common Files\Windows Live
            2011-12-25 00:43 . 2011-12-25 00:43   --------   d-----w-   c:\windows\system32\winrm
            2011-12-25 00:43 . 2011-12-25 00:43   --------   dc-h--w-   c:\windows\$968930Uinstall_KB968930$
            2011-12-25 00:36 . 2011-12-29 09:17   --------   d-----w-   c:\program files\Windows Desktop Search
            2011-12-25 00:36 . 2011-12-25 00:36   --------   d-----w-   c:\windows\system32\GroupPolicy
            2011-12-24 13:36 . 2011-12-25 01:56   --------   d-----w-   c:\program files\ASTRA32
            2011-12-22 06:29 . 2011-12-22 06:29   --------   d-----w-   c:\program files\Microsoft Windows Performance Toolkit
            2011-12-22 06:27 . 2011-12-22 06:28   --------   d-----w-   c:\program files\Debugging Tools for Windows (x86)
            2011-12-22 06:25 . 2011-12-22 06:25   --------   d-----w-   c:\program files\Microsoft SDKs
            .
            .
            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2011-12-10 21:24 . 2011-08-22 05:55   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2011-12-07 05:43 . 2011-12-07 05:43   60872   ----a-w-   c:\windows\system32\S32EVNT1.DLL
            2011-12-07 05:43 . 2011-12-07 05:43   126584   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
            2011-11-23 13:25 . 2002-08-29 12:00   1859584   ----a-w-   c:\windows\system32\win32k.sys
            2011-11-23 08:55 . 2011-07-13 10:55   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
            2011-11-10 11:54 . 2010-05-09 12:30   472808   ----a-w-   c:\windows\system32\deployJava1.dll
            2011-11-10 09:27 . 2011-01-11 02:35   73728   ----a-w-   c:\windows\system32\javacpl.cpl
            2011-11-04 19:20 . 2002-08-29 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
            2011-11-04 19:20 . 2002-08-29 12:00   43520   ------w-   c:\windows\system32\licmgr10.dll
            2011-11-04 19:20 . 2002-08-29 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
            2011-11-04 11:23 . 2004-08-04 05:59   385024   ------w-   c:\windows\system32\html.iec
            2011-11-01 16:07 . 2002-08-29 12:00   1288704   ----a-w-   c:\windows\system32\ole32.dll
            2011-10-28 05:31 . 2002-08-29 12:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
            2011-10-25 13:33 . 2002-08-29 12:00   2192768   ----a-w-   c:\windows\system32\ntoskrnl.exe
            2011-10-25 12:52 . 2002-08-29 01:04   2069376   ----a-w-   c:\windows\system32\ntkrnlpa.exe
            2011-10-18 11:13 . 2002-08-29 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
            .
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4
            .
            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Power2GoExpress"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
            .
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
            "RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
            "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
            "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
            "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
            "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
            "InstantBurn"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2007-10-26 681256]
            "DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
            "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
            "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2007-10-17 128296]
            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
            "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
            .
            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [N/A]
            .
            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            .
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
            @=""
            .
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
            @=""
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
            "DisableMonitoring"=dword:00000001
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
            "DisableMonitoring"=dword:00000001
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
            "DisableMonitoring"=dword:00000001
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
            "c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
            "c:\\Program Files\\Opera\\opera.exe"=
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "67:UDP"= 67:UDP:DHCP Discovery Service
            "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
            .
            R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [12/6/2011 11:42 PM 340088]
            R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [12/6/2011 11:42 PM 744568]
            R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 8:25 PM 820344]
            R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [6/3/2008 11:44 PM 15784]
            R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
            R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [12/6/2011 11:42 PM 136312]
            R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
            R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 11:28 AM 30864]
            R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [6/3/2008 11:44 PM 162344]
            R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [12/6/2011 11:42 PM 130008]
            R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [11/11/2010 1:32 PM 70768]
            R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [11/11/2010 12:31 PM 539248]
            R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/18/2011 9:46 PM 106104]
            R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120107.001\IDSXpx86.sys [1/9/2012 6:08 PM 356280]
            S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
            S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2010 12:52 AM 136176]
            S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 1:43 PM 204800]
            S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 2:53 PM 362992]
            S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 2:52 PM 309744]
            S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 2:52 PM 166384]
            S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2010 12:52 AM 136176]
            S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\Drivers\PROCEXP150.SYS --> c:\windows\system32\Drivers\PROCEXP150.SYS [?]
            S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
            S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 2:53 PM 72176]
            S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 2:52 PM 1083888]
            S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/29/2002 6:00 AM 14336]
            S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
            S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [8/18/2011 10:16 PM 86016]
            S4 SessionLauncher;SessionLauncher;c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            WINRM   REG_MULTI_SZ      WINRM
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
            2008-05-23 18:49   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
            .
            Contents of the 'Scheduled Tasks' folder
            .
            2012-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 06:51]
            .
            2012-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 06:51]
            .
            2012-01-09 c:\windows\Tasks\User_Feed_Synchronization-{18A67AB4-86CC-47A1-B51A-C739DECF0A30}.job
            - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.yahoo.com/
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
            LSP: c:\program files\VMware\VMware Player\vsocklib.dll
            Trusted Zone: internet
            Trusted Zone: live.com\onecare
            Trusted Zone: mcafee.com
            Trusted Zone: microsoft.com\download.windowsupdate
            Trusted Zone: microsoft.com\update
            Trusted Zone: microsoft.com\www.update
            Trusted Zone: ussco.com\myportal
            TCP: DhcpNameServer = 192.168.0.1
            DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
            DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
            DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://myportal.ussco.com/bluezone/controls/,DanaInfo=intranet.ussco.com+sglw2hcm.ocx
            .
            - - - - ORPHANS REMOVED - - - -
            .
            WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
            HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
            HKLM-Run-MBkLogonHook - (no file)
            HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
            HKLM-Run-googletalk - c:\program files\Google\Google Talk\googletalk.exe
            .
            .
            .
            **************************************************************************
            .
            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2012-01-09 20:03
            Windows 5.1.2600 Service Pack 3 NTFS
            .
            scanning hidden processes ... 
            .
            scanning hidden autostart entries ...
            .
            scanning hidden files ... 
            .
            scan completed successfully
            hidden files: 0
            .
            **************************************************************************
            .
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
            "ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------
            .
            [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
            @Denied: (2) (LocalSystem)
            "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
               d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,98,35,2b,66,3f,83,4f,a8,fa,40,\
            "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
               d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,98,35,2b,66,3f,83,4f,a8,fa,40,\
            .
            [HKEY_USERS\S-1-5-21-484763869-1060284298-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
            @Allowed: (Read) (RestrictedCode)
            @Allowed: (Read) (RestrictedCode)
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------
            .
            - - - - - - - > 'winlogon.exe'(852)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\windows\system32\WININET.dll
            c:\windows\system32\Ati2evxx.dll
            .
            Completion time: 2012-01-09  20:13:54
            ComboFix-quarantined-files.txt  2012-01-10 02:13
            .
            Pre-Run: 88,419,586,048 bytes free
            Post-Run: 88,767,119,360 bytes free
            .
            WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
            [boot loader]
            timeout=2
            default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
            [operating systems]
            c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            UnsupportedDebug="do not select this" /debug
            multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
            .
            - - End Of File - - 0DF1C78CC8AC13A3E9A74204A37E68B6

            dc4580

              Re: XP PC Hanging, Freezing
              « Reply #7 on: January 10, 2012, 07:19:41 AM »
              Problem of PC freezing still exists.  No other reports of email issue. 

              SuperDave

              Re: XP PC Hanging, Freezing
              « Reply #8 on: January 10, 2012, 12:38:24 PM »
              Quote
              Problem of PC freezing still exists.
              Please describe this freezing to me. Is it just momentary freezing? How long does it last? Do you have to do a hard reboot to get the computer working again? How much RAM do you have?

              Re-running ComboFix to remove infections:

              • Close any open browsers.
              • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
              • Open notepad and copy/paste the text in the quotebox below into it:
                Quote
                KillAll::

                Firefox::

                Trusted Zone: internet
                Trusted Zone: live.com\onecare
                Trusted Zone: mcafee.com
                Trusted Zone: microsoft.com\download.windowsupdate
                Trusted Zone: microsoft.com\update
                Trusted Zone: microsoft.com\www.update
                Trusted Zone: ussco.com\myportal

                DDS::

                Trusted Zone: internet
                Trusted Zone: live.com\onecare
                Trusted Zone: mcafee.com
                Trusted Zone: microsoft.com\download.windowsupdate
                Trusted Zone: microsoft.com\update
                Trusted Zone: microsoft.com\www.update
                Trusted Zone: ussco.com\myportal

              • Save this as CFScript.txt, in the same location as ComboFix.exe



              • Referring to the picture above, drag CFScript into ComboFix.exe
              • When finished, it shall produce a log for you at C:\ComboFix.txt

              I don't need to see the log from this script.
              **************************************************
              SysProt Antirootkit

              Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
              Windows 8 and Windows 10 dual boot with two SSD's

              dc4580

                Re: XP PC Hanging, Freezing
                « Reply #9 on: January 11, 2012, 05:07:08 AM »
                The hang or freeze can be momentary or for a duration of several minutes.  There is no pattern in duration.  During the freeze, whether on a browser page, emailing or creating a doc, can't use any buttons like refresh and nothing responds.  If the duration is long enough, I will receive the Not Responding comment up top.  If I leave things alone, the Not Responding goes away and soon I have response again.  No hard reboot is necessary usually, unless the freeze is lengthy, then I will manually reboot.  RAM=512M. 

                Completed the Combofix with CFScript successfully. 

                Sysprot.exe has not completed successfully, and I have attempted several runs.  When the create log button is selected, the progress bar runs across, then the PC reboots.  Doesn't create any log.  No new window.



                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: XP PC Hanging, Freezing
                « Reply #10 on: January 11, 2012, 01:08:08 PM »
                I suspect that the freezing problem is caused by running XP with only 512M of RAM.

                Please download RootRepeal from GooglePages.com.
                • Extract the program file to your Desktop.
                • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


                • Select ALL of the checkboxes and then click OK and it will start scanning your system.

                • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                • When done, click on Save Report
                • Save it to the Desktop.
                • Please copy/paste the contents of the report in your next reply.
                Please remove any e-mail address in the RootRepeal report (if present).

                dc4580

                  Re: XP PC Hanging, Freezing
                  « Reply #11 on: January 11, 2012, 07:09:02 PM »
                  Rootrepeal report:

                  ROOTREPEAL (c) AD, 2007-2009
                  ==================================================
                  Scan Start Time:      2012/01/11 19:55
                  Program Version:      Version 1.3.5.0
                  Windows Version:      Windows XP SP3
                  ==================================================

                  Drivers
                  -------------------
                  Name: dump_atapi.sys
                  Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                  Address: 0xF3C8E000   Size: 98304   File Visible: No   Signed: -
                  Status: -

                  Name: dump_WMILIB.SYS
                  Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                  Address: 0xF7BDE000   Size: 8192   File Visible: No   Signed: -
                  Status: -

                  Name: rootrepeal.sys
                  Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                  Address: 0xF32B1000   Size: 49152   File Visible: No   Signed: -
                  Status: -

                  Name: SYMDS.SYS
                  Image Path: SYMDS.SYS
                  Address: 0xF7462000   Size: 356352   File Visible: No   Signed: -
                  Status: -

                  Name: SYMEFA.SYS
                  Image Path: SYMEFA.SYS
                  Address: 0xF7395000   Size: 765952   File Visible: No   Signed: -
                  Status: -

                  Hidden/Locked Files
                  -------------------
                  Path: c:\system volume information\efadata\sdmys_dce0e3549948cfe54642a4c9
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df2d07.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df256a.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df2b28.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df3993.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df516.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df576f.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df63f9.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df685b.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df88f5.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df8f30.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df91c9.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~dfeb58.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~dffab8.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~romfn_000006c4
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_pzsvjdwlbhu2hwaxq0fg
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_szkkqbvv3cvchjhhrtqs
                  Status: Allocation size mismatch (API: 512, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_wi4vouyhxyt8toj74dz3
                  Status: Allocation size mismatch (API: 512, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_xfgmmyih6pe9sfhh1xgr
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_8g9k2e2wabt9ochlcjul
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_ao1xpqbbbo0700ktwfx4
                  Status: Allocation size mismatch (API: 512, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_cffjd9uzxprhtxtxhyig
                  Status: Allocation size mismatch (API: 512, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_fhjshje6ljlknfuc5lag
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  SSDT
                  -------------------
                  #: 012   Function Name: NtAlertResumeThread
                  Status: Hooked by "<unknown>" at address 0x84a80978

                  #: 013   Function Name: NtAlertThread
                  Status: Hooked by "<unknown>" at address 0x84a788d0

                  #: 017   Function Name: NtAllocateVirtualMemory
                  Status: Hooked by "<unknown>" at address 0x845e6140

                  #: 019   Function Name: NtAssignProcessToJobObject
                  Status: Hooked by "<unknown>" at address 0x84aa0cf8

                  #: 031   Function Name: NtConnectPort
                  Status: Hooked by "<unknown>" at address 0x849c66f0

                  #: 041   Function Name: NtCreateKey
                  Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408c710

                  #: 043   Function Name: NtCreateMutant
                  Status: Hooked by "<unknown>" at address 0x84921770

                  #: 052   Function Name: NtCreateSymbolicLinkObject
                  Status: Hooked by "<unknown>" at address 0x84a4c5c8

                  #: 053   Function Name: NtCreateThread
                  Status: Hooked by "<unknown>" at address 0x84af6008

                  #: 057   Function Name: NtDebugActiveProcess
                  Status: Hooked by "<unknown>" at address 0x84aa0b80

                  #: 063   Function Name: NtDeleteKey
                  Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408c990

                  #: 065   Function Name: NtDeleteValueKey
                  Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408cef0

                  #: 068   Function Name: NtDuplicateObject
                  Status: Hooked by "<unknown>" at address 0x84a8b5e0

                  #: 083   Function Name: NtFreeVirtualMemory
                  Status: Hooked by "<unknown>" at address 0x84ad4848

                  #: 089   Function Name: NtImpersonateAnonymousToken
                  Status: Hooked by "<unknown>" at address 0x84a82b10

                  #: 091   Function Name: NtImpersonateThread
                  Status: Hooked by "<unknown>" at address 0x84a81db0

                  #: 097   Function Name: NtLoadDriver
                  Status: Hooked by "<unknown>" at address 0x84980e58

                  #: 108   Function Name: NtMapViewOfSection
                  Status: Hooked by "<unknown>" at address 0x84af8cd8

                  #: 114   Function Name: NtOpenEvent
                  Status: Hooked by "<unknown>" at address 0x84a99110

                  #: 122   Function Name: NtOpenProcess
                  Status: Hooked by "<unknown>" at address 0x84c8a1f0

                  #: 123   Function Name: NtOpenProcessToken
                  Status: Hooked by "<unknown>" at address 0x84a67b68

                  #: 125   Function Name: NtOpenSection
                  Status: Hooked by "<unknown>" at address 0x84a9a650

                  #: 128   Function Name: NtOpenThread
                  Status: Hooked by "<unknown>" at address 0x84a6d738

                  #: 137   Function Name: NtProtectVirtualMemory
                  Status: Hooked by "<unknown>" at address 0x84a4b710

                  #: 206   Function Name: NtResumeThread
                  Status: Hooked by "<unknown>" at address 0x84a70838

                  #: 213   Function Name: NtSetContextThread
                  Status: Hooked by "<unknown>" at address 0x84a68868

                  #: 228   Function Name: NtSetInformationProcess
                  Status: Hooked by "<unknown>" at address 0x84a990c8

                  #: 240   Function Name: NtSetSystemInformation
                  Status: Hooked by "<unknown>" at address 0x84aa0b48

                  #: 247   Function Name: NtSetValueKey
                  Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408d140

                  #: 253   Function Name: NtSuspendProcess
                  Status: Hooked by "<unknown>" at address 0x84a9a578

                  #: 254   Function Name: NtSuspendThread
                  Status: Hooked by "<unknown>" at address 0x84a6dba0

                  #: 257   Function Name: NtTerminateProcess
                  Status: Hooked by "<unknown>" at address 0x84a63cc0

                  #: 258   Function Name: NtTerminateThread
                  Status: Hooked by "<unknown>" at address 0x84a6bc28

                  #: 267   Function Name: NtUnmapViewOfSection
                  Status: Hooked by "<unknown>" at address 0x84a69a70

                  #: 277   Function Name: NtWriteVirtualMemory
                  Status: Hooked by "<unknown>" at address 0x84acfe18

                  Shadow SSDT
                  -------------------
                  #: 307   Function Name: NtUserAttachThreadInput
                  Status: Hooked by "<unknown>" at address 0x84a48d98

                  #: 383   Function Name: NtUserGetAsyncKeyState
                  Status: Hooked by "<unknown>" at address 0x84993668

                  #: 414   Function Name: NtUserGetKeyboardState
                  Status: Hooked by "<unknown>" at address 0x84a09e08

                  #: 416   Function Name: NtUserGetKeyState
                  Status: Hooked by "<unknown>" at address 0x84bbb840

                  #: 428   Function Name: NtUserGetRawInputData
                  Status: Hooked by "<unknown>" at address 0x849d2b78

                  #: 460   Function Name: NtUserMessageCall
                  Status: Hooked by "<unknown>" at address 0x84b8b510

                  #: 475   Function Name: NtUserPostMessage
                  Status: Hooked by "<unknown>" at address 0x84a7f240

                  #: 476   Function Name: NtUserPostThreadMessage
                  Status: Hooked by "<unknown>" at address 0x84933b20

                  #: 549   Function Name: NtUserSetWindowsHookEx
                  Status: Hooked by "<unknown>" at address 0x84970c58

                  #: 552   Function Name: NtUserSetWinEventHook
                  Status: Hooked by "<unknown>" at address 0x84bd9cf0

                  ==EOF==

                  SuperDave

                  Re: XP PC Hanging, Freezing
                  « Reply #12 on: January 12, 2012, 12:16:18 PM »
                  Please give me an update about your computer.

                  I'd like to scan your machine with ESET OnlineScan

                  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                  ESET OnlineScan
                  • Click the button.
                  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                    • Click on to download the ESET Smart Installer. Save it to your desktop.
                    • Double click on the icon on your desktop.
                  • Check
                  • Click the button.
                  • Accept any security warnings from your browser.
                  • Check
                  • Push the Start button.
                  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                  • When the scan completes, push
                  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                  • Push the button.
                  • Push
                  A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                  dc4580

                    Re: XP PC Hanging, Freezing
                    « Reply #13 on: January 13, 2012, 07:11:46 AM »
                    The latest is that ESET will not run.  As soon as the add-on click message shows and I click, it will hang and go into a state of Not Responding.

                    The problem still exists.  It began in May of 2010 and continued through October of 2010, until McAfee put out a fix that really did fix the problem.  I was good from October through May of 2011, then the same problem started with the same symptoms and has continued through now.  I am not the only person using McAfee that had the same experience.  Just Google mcshield.exe high cpu and you will eventually reach that complaint room.  Back in December, after trying to get McAfee Tier 2.5 support to grab debug data and watching them stumble around for months, I cut them off and am currently on Norton for AV and firewall. 

                    These tools you are using are all scanners.  Is there a tool that can start a trace before actively recording my activity (usual browse, email, etc.)?


                    SuperDave

                    Re: XP PC Hanging, Freezing
                    « Reply #14 on: January 13, 2012, 01:13:14 PM »
                    Quote
                    I cut them off and am currently on Norton for AV and firewall. 
                    And, the problem still exists with Norton?
                    Quote
                    Is there a tool that can start a trace before actively recording my activity (usual browse, email, etc.)?
                    I'm not sure what you mean here.