BleepingComputer.com: suspected rootkit infection

I first noticed a problem in internet explorer when my forward, backward and refresh buttons were not working (they are working now though). I decided to do a scan with my Norton's AV program but when I looked in the system tray it wasn't there and when I tried the shortcut on my desktop it wouldn't work. I looked in add/remove programs and Norton's wasn't even listed.

Next I tried to open system restore but found that it was turned off. I turned it back on, but it turned off again and again, although now it has been on for 2 days. And finally at one point my automatic downloads had been turned off, I turned them on again and have had no issues there. Everything actually seems to be working fine, but something had to be causing all these problems.

I downloaded and ran Malware bytes and it found nothing. I next downloaded AVG-free (currently still using it) and it found [Adware.WebSearch, path: hku\S-1-5-21-1004336348-1035525444-725345543-1004\Software\toolbar], nothing was found in the rootkit scan. I also tried a couple scanners from Microsoft, but they found nothing. And finally I used a free scanner from McAfee which also found nothing. Could the Adware.WebSearch item really have been the cause of all this?

Thank you for looking into my problem. ~JC

Edit: My operating system is Windows XP Home Edition, Service Pack 3

This post has been edited by SpaceGoonie: 17 November 2011 - 11:46 AM

Hello and welcome.
Rootkit scan...
Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.



I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the icon on your desktop.
  
  
• Check
  
• Click the button.
  
• Accept any security warnings from your browser.
  
• Under scan settings, check and check Remove found threats
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Push the button.
  
• Push

NOTE: In some instances if no malware is found there will be no log produced.

Thank you for assisting me. The gmer indicated possible rootkit activity, and the eset scanner removed 1 infected file. Both logs are below.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-18 11:36:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800AAJB-00J3A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\JEFFAN~1\LOCALS~1\Temp\pxtdrpog.sys


---- System - GMER 1.0.15 ----

SSDT 89F28260 ZwConnectPort
SSDT 8A1CC820 ZwLoadDriver
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB2EA3F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB2EA3FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB2EA4080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB2EA411C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 450 804E2ABC 8 Bytes JMP EA4080B2
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB70B23A0, 0x88C445, 0xE8000020]
? C:\DOCUME~1\JEFFAN~1\LOCALS~1\Temp\pxtdrpob.sys The system cannot find the file specified. !
? C:\DOCUME~1\JEFFAN~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Processes - GMER 1.0.15 ----

Process hidden process (*** hidden *** ) 14672
Process hidden process (*** hidden *** ) 19092
Process hidden process (*** hidden *** ) 20492
Process hidden process (*** hidden *** ) 33532
Process hidden process (*** hidden *** ) 34392

---- EOF - GMER 1.0.15 ----

C:\Program Files\Common Files\ZugoInstaller.exe multiple threats deleted - quarantined

Was that the complete GMER log?


Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:

• Flush DNS
  
• Report IE Proxy Settings
  
• Reset IE Proxy Settings
  
• Report FF Proxy Settings
  
• Reset FF Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List Winsock Entries
  
• List last 10 Event Viewer log
  
• List Installed Programs
  
• List Users, Partitions and Memory size.
  
• List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

That was the entire log... here are the 2 new ones you asked for.



aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-18 21:01:53
-----------------------------
21:01:53.640 OS Version: Windows 5.1.2600 Service Pack 3
21:01:53.640 Number of processors: 1 586 0x209
21:01:53.640 ComputerName: ACJC UserName:
21:01:54.265 Initialize success
21:04:49.500 AVAST engine defs: 11111801
21:04:54.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:04:54.671 Disk 0 Vendor: WDC_WD800AAJB-00J3A0 01.03E01 Size: 76319MB BusType: 3
21:04:56.671 Disk 0 MBR read successfully
21:04:56.671 Disk 0 MBR scan
21:04:56.687 Disk 0 Windows XP default MBR code
21:04:56.687 Disk 0 scanning sectors +156280320
21:04:56.734 Disk 0 scanning C:\WINDOWS\system32\drivers
21:05:10.265 Service scanning
21:05:10.609 Service PciCon D:\PciCon.sys **LOCKED** 21
21:05:11.234 Modules scanning
21:05:15.687 Disk 0 trace - called modules:
21:05:15.687 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:05:15.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a20aab8]
21:05:15.703 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a1b9b00]
21:05:16.125 AVAST engine scan C:\WINDOWS
21:05:19.187 AVAST engine scan C:\WINDOWS\system32
21:07:39.984 AVAST engine scan C:\WINDOWS\system32\drivers
21:07:56.328 AVAST engine scan C:\Documents and Settings\Jeff and Angie
21:10:13.078 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jeff and Angie\Desktop\MBR.dat"
21:10:13.093 The log file has been saved successfully to "C:\Documents and Settings\Jeff and Angie\Desktop\aswMBR.txt"


MiniToolBox by Farbar
Ran by Jeff and Angie (administrator) on 18-11-2011 at 21:11:37
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Could not flush the DNS Resolver Cache: Function failed during execution.




========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : acjc

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-0C-F1-92-52-23



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : WNDA3100v2 - RangeMax Dual Band Wireless-N USB Adapter #2

Physical Address. . . . . . . . . : 00-26-F2-4E-E7-56

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 10.0.0.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.0.0.1

DHCP Server . . . . . . . . . . . : 10.0.0.1

DNS Servers . . . . . . . . . . . : 10.0.0.1

Lease Obtained. . . . . . . . . . : Friday, November 18, 2011 4:47:04 PM

Lease Expires . . . . . . . . . . : Saturday, November 19, 2011 4:47:04 PM

Server: UnKnown
Address: 10.0.0.1

Name: google.com
Addresses: 173.194.33.18, 173.194.33.19, 173.194.33.20, 173.194.33.16
173.194.33.17



Pinging google.com [173.194.33.17] with 32 bytes of data:



Reply from 173.194.33.17: bytes=32 time=58ms TTL=56

Reply from 173.194.33.17: bytes=32 time=59ms TTL=56



Ping statistics for 173.194.33.17:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 58ms, Maximum = 59ms, Average = 58ms

Server: UnKnown
Address: 10.0.0.1

Name: yahoo.com
Addresses: 98.137.149.56, 98.139.180.149, 209.191.122.70, 72.30.2.43



Pinging yahoo.com [72.30.2.43] with 32 bytes of data:



Reply from 72.30.2.43: bytes=32 time=98ms TTL=54

Reply from 72.30.2.43: bytes=32 time=82ms TTL=54



Ping statistics for 72.30.2.43:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 82ms, Maximum = 98ms, Average = 90ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=64

Reply from 127.0.0.1: bytes=32 time<1ms TTL=64



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c f1 92 52 23 ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
0x10004 ...00 26 f2 4e e7 56 ...... WNDA3100v2 - RangeMax Dual Band Wireless-N USB Adapter #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 10
10.0.0.0 255.255.255.0 10.0.0.2 10.0.0.2 10
10.0.0.2 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.0.0.2 10.0.0.2 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 10.0.0.2 10.0.0.2 20
224.0.0.0 240.0.0.0 10.0.0.2 10.0.0.2 10
255.255.255.255 255.255.255.255 10.0.0.2 2 1
255.255.255.255 255.255.255.255 10.0.0.2 10.0.0.2 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/16/2011 09:52:10 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2012 -- SA_Error25101: StandardAction(0xC007620D): We have detected that Norton AntiVirus, is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Error: (11/15/2011 04:12:36 PM) (Source: Microsoft Security Client) (User: )
Description: Microsoft Security ClientFEP clean-up policy0x80040154

Error: (11/15/2011 00:01:57 PM) (Source: MPSampleSubmission) (User: )
Description: mptelemetry0moaccapability3.0.8402.000unspecifiedunspecifiedNILNILNIL

Error: (11/15/2011 11:45:36 AM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientsetup.exe2.1.1116.00x80004002morrobootstraper__cinstallflow__internalrun - getenablefirewallactionmorrobootstraper__cflow__processflowactionresult0security essentialsNILNILNIL

Error: (11/15/2011 11:45:31 AM) (Source: MPSampleSubmission) (User: )
Description: mptelemetry0x80070003moaccachereset3.0.8402.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (10/13/2011 02:31:49 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (08/09/2011 09:51:25 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (07/26/2011 10:31:53 PM) (Source: Lavasoft Ad-Aware Service) (User: )
Description: Only one instance of service process is allowed.

Error: (07/25/2011 11:09:08 AM) (Source: Application Error) (User: )
Description: Faulting application morrowind.exe, version 1.6.0.1820, faulting module morrowind.exe, version 1.6.0.1820, fault address 0x000ee8b0.
Processing media-specific event for [morrowind.exe!ws!]

Error: (07/25/2011 10:31:59 AM) (Source: Application Error) (User: )
Description: Faulting application morrowind.exe, version 1.6.0.1820, faulting module morrowind.exe, version 1.6.0.1820, fault address 0x000ee8b0.
Processing media-specific event for [morrowind.exe!ws!]


System errors:
=============
Error: (11/18/2011 09:02:34 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058

Error: (11/18/2011 09:02:34 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058

Error: (11/18/2011 09:02:34 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058

Error: (11/18/2011 09:02:34 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058

Error: (11/18/2011 09:00:48 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058

Error: (11/18/2011 09:00:48 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058

Error: (11/18/2011 09:00:47 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058

Error: (11/18/2011 09:00:07 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058

Error: (11/18/2011 09:00:06 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058

Error: (11/18/2011 09:00:05 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058


Microsoft Office Sessions:
=========================
Error: (11/16/2011 09:52:10 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2012 -- SA_Error25101: StandardAction(0xC007620D): We have detected that Norton AntiVirus, is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.(NULL)(NULL)(NULL)

Error: (11/15/2011 04:12:36 PM) (Source: Microsoft Security Client)(User: )
Description: Microsoft Security ClientFEP clean-up policy0x80040154

Error: (11/15/2011 00:01:57 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetry0moaccapability3.0.8402.000unspecifiedunspecifiedNILNILNIL

Error: (11/15/2011 11:45:36 AM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientsetup.exe2.1.1116.00x80004002morrobootstraper__cinstallflow__internalrun - getenablefirewallactionmorrobootstraper__cflow__processflowactionresult0security essentialsNILNILNIL

Error: (11/15/2011 11:45:31 AM) (Source: MPSampleSubmission)(User: )
Description: mptelemetry0x80070003moaccachereset3.0.8402.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (10/13/2011 02:31:49 AM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (08/09/2011 09:51:25 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (07/26/2011 10:31:53 PM) (Source: Lavasoft Ad-Aware Service)(User: )
Description: Only one instance of service process is allowed.

Error: (07/25/2011 11:09:08 AM) (Source: Application Error)(User: )
Description: morrowind.exe1.6.0.1820morrowind.exe1.6.0.1820000ee8b0

Error: (07/25/2011 10:31:59 AM) (Source: Application Error)(User: )
Description: morrowind.exe1.6.0.1820morrowind.exe1.6.0.1820000ee8b0


=========================== Installed Programs ============================

1310 (Version: 43.0.217.000)
1310_Help (Version: 43.0.217.000)
1310Tour (Version: 43.0.217.000)
1310Trb (Version: 43.0.217.000)
7-Zip 4.65
Adobe Flash Player 11 ActiveX (Version: 11.0.1.152)
Adobe Reader X (10.1.1) (Version: 10.1.1)
Adobe Shockwave Player 11.5 (Version: 11.5.7.609)
Advanced SystemCare 4 (Version: 4.2.0)
AiO_Scan (Version: 43.0.217.000)
AiOSoftware (Version: 43.0.217.000)
Apple Application Support (Version: 2.1.5)
Apple Mobile Device Support (Version: 4.0.0.96)
Apple Software Update (Version: 2.1.3.127)
Auslogics Disk Defrag (Version: version 3.2)
AVG 2012 (Version: 12.0.1869)
AVG 2012 (Version: 12.0.1872)
AVG 2012 (Version: 12.0.2092)
AVG 2012 (Version: 2012.0.1872)
BCM V.92 56K Modem
Bonjour (Version: 3.0.0.10)
BufferChm (Version: 43.1.5.000)
CCleaner (Version: 3.12)
Copy (Version: 43.1.5.000)
CreativeProjects (Version: 43.1.5.000)
CreativeProjectsTemplates (Version: 43.1.5.000)
CueTour (Version: 43.1.5.000)
Cultures
Dell ResourceCD
DeLorme Send To GPS 1.2
Destinations (Version: 43.1.5.000)
DIGOpt (Version: 9.0.0917.2)
Director (Version: 43.1.5.000)
DocProc (Version: 4.0.0.0)
DocumentViewer (Version: 43.0.217.000)
ESET Online Scanner v3
Fax (Version: 43.0.217.000)
Free Text Tool 0.1 (Version: 0.1)
Free YouTube Downloader 3.3.91
Garmin Communicator Plugin (Version: 2.9.3)
Garmin USB Drivers (Version: 2.3.0.0)
Google Earth (Version: 6.0.3.2197)
Google Update Helper (Version: 1.3.21.57)
HamsterFreeVideoConverter
HP Diagnostic Assistant (Version: 1.0.0.0)
HP Image Zone 4.2 (Version: 4.2)
HP PSC & OfficeJet 4.2
HPSystemDiagnostics (Version: 1.5.0.0)
InstantShare (Version: 4.0.0.40)
Intel® PRO Network Connections Drivers
IrfanView (remove only) (Version: 4.27)
iTunes (Version: 10.5.0.142)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
Junk Mail filter update (Version: 14.0.8117.416)
MapSource - MetroGuide North America v6 (Version: 6.00)
MapSource (Version: 6.3)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Morrowind
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB933579) (Version: 6.10.1200.0)
Nero 7 Essentials (Version: 7.01.7763)
NETGEAR WNDA3100v2 wireless USB 2.0 adapter (Version: 1.0.0.133)
Norton AntiVirus (Version: 19.1.1.3)
NVIDIA Control Panel 275.33 (Version: 275.33)
NVIDIA Graphics Driver 275.33 (Version: 275.33)
NVIDIA Install Application (Version: 2.275.78.0)
NVIDIA nView 135.85 (Version: 135.85)
NVIDIA nView Desktop Manager (Version: 6.14.10.13585)
NVIDIA Update 1.3.5 (Version: 1.3.5)
NVIDIA Update Components (Version: 1.3.5)
OpenOffice.org 3.3 (Version: 3.3.9567)
Overland (Version: 2.1.5)
PhotoGallery (Version: 43.1.5.000)
PrintScreen (Version: 43.1.5.000)
ProductContext (Version: 43.0.217.000)
progeCAD 2009 Smart! ENG
QFolder (Version: 1.00.0000)
QuickProjects (Version: 43.1.5.000)
QuickTime (Version: 7.69.80.9)
RCA Detective™ 2.0.0.99
RCA Digital Voice Manager 5.1.1.2
Readme (Version: 43.0.217.000)
Scan (Version: 4.1.0.0)
Segoe UI (Version: 14.0.4327.805)
SkinsHP1 (Version: 43.1.5.000)
SolidWorks eDrawings 2010 (Version: 10.4.126)
SoundMAX
SST Programming Software
TES Construction Set
TrayApp (Version: 43.1.5.000)
Uninstall 1.0.0.1
Unload (Version: 4.0.0)
VC 9.0 Runtime (Version: 1.0.0)
Watchtower Library 2010 - English (Version: 12.0)
WebFldrs XP (Version: 9.50.6513)
WebReg (Version: 43.1.5.000)
What's Running 2.2 (Version: 2.2)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0) (Version: 06/03/2009 2.3.0.0)
Windows Imaging Component (Version: 3.0.0.0)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
WordPerfect Office 11 (Version: 11.0)

========================= Memory info: ===================================

Percentage of memory in use: 24%
Total physical RAM: 3070.98 MB
Available physical RAM: 2332.84 MB
Total Pagefile: 3298.56 MB
Available Pagefile: 2713.66 MB
Total Virtual: 2047.88 MB
Available Virtual: 1991.3 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:74.52 GB) (Free:32.55 GB) NTFS

========================= Users: ========================================

User accounts for \\ACJC

Administrator ASPNET Guest
HelpAssistant Jeff and Angie SUPPORT_388945a0
UpdatusUser

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

Hello, I do not see a rootkit. I suspect the Norton mey be corrupt or is in conflict with AVG. It is on here ..Norton AntiVirus (Version: 19.1.1.3)

Download and run the Norton Removal Tool