
AXWIN Frame Window: svchost.exe - Application Error


This topic is locked
8 replies to this topic

#1 mashenden
  • Members
  • 14 posts
  • Gender:Male
  • Location:Richmond, VA, USA

Posted 10 February 2010 - 05:46 PM

I initially posted this in the "Am I infected, What do I do?" forum and was since referred here. Thank you in advance for your help. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/294050/axwin-frame-window-svchostexe-application-error/ ~ OB

I am having a problem with the following error:

AXWIN Frame Window: svchost.exe - Application Error, etc.
Generic Host Process for Win 32 Services, Windows has closed this program. Data Execution Prevention etc.
System by NT/Authority/System DCOM Server Process, etc.

Then sometimes the PC begins to shutdown. I have been able to stop the shutdown by using Run Shutdown -a.

Other symptoms earlier included not being able to do an Alt/Ctrl/Del, followed by an hourglass. In the lower right I could see that Task Manager had opened but there was no way to get it on the screen to review/stop processes. End result - a hard reboot was needed to go further.

System restores even back to the initial restore point (which was only about 4 months ago) have not been successful.

Using Norton, I disabled svchost and all is good (with the huge exception being I cannot get out to the Internet), but the PC is not auto-shutting down or getting hung up with the hourglass, and Alt/Ctrl/Del always works. As soon as it is enabled again, the previously noted symptoms start up again.

Norton, Defender, Malwarebytes (Quick and Full scans) and SUPERAntiSpyWare have not removed this problem.

As requested in the other forum, I ran Rkill, then MBAM Quick, then rebooted. Things were much better for about 2 hours but then got progressively worse. First I got the error noted in the title, AXWIN Frame Window... Then I got a pop-up: "Message from webpage. Warning! Your PC contains signs of a virus...etc. System Security will perform a quick and free scan...etc." I selected Cancel and of course it does the scan anyway. Then I noticed that I was not able to do an Alt/Ctrl/Del, although I can see them in the tray next to the clock.

Attach.zip file is attached. Here are the contents of the DDS.txt file:

DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Owner at 11:57:04.68 on Wed 02/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.178 [GMT -6:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mg201.mail.yahoo.com/dc/launch?.partner=sbc&.gx=0&.rand=2rejsu5i0iq5r
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: []
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256056634906
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256060134687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-8 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-8 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-8 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100204.001\IDSXpx86.sys [2010-2-8 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-8 117640]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-7 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100208.002\NAVENG.SYS [2010-2-8 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100208.002\NAVEX15.SYS [2010-2-8 1324720]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

=============== Created Last 30 ================

2010-02-10 13:18:38 0 ----a-w- c:\documents and settings\hp_owner\defogger_reenable
2010-02-10 13:06:56 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-02-10 13:06:56 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-02-08 16:37:13 0 d-----w- c:\program files\Norton Support
2010-02-07 22:41:47 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-07 22:41:15 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-07 22:41:15 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-07 22:41:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-07 22:41:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-07 22:41:11 0 d-----w- c:\program files\Symantec
2010-02-07 22:41:11 0 d-----w- c:\program files\common files\Symantec Shared
2010-02-07 22:39:40 0 d-----w- c:\windows\system32\drivers\N360
2010-02-07 22:39:37 0 d-----w- c:\program files\Norton Security Suite
2010-02-07 22:39:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-02-07 22:36:39 0 d-----w- c:\program files\NortonInstaller
2010-02-07 22:36:39 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-01-24 02:42:32 917504 ----a-w- c:\windows\system32\FLASH.OCX
2010-01-18 21:23:04 0 ----a-w- c:\windows\system32\5705.exe
2010-01-18 21:02:28 0 ----a-w- c:\windows\system32\24464.exe
2010-01-18 20:41:46 0 ----a-w- c:\windows\system32\26962.exe
2010-01-18 20:20:59 0 ----a-w- c:\windows\system32\29358.exe
2010-01-18 20:00:22 0 ----a-w- c:\windows\system32\11478.exe
2010-01-18 19:39:27 0 ----a-w- c:\windows\system32\15724.exe
2010-01-18 19:19:02 0 ----a-w- c:\windows\system32\19169.exe
2010-01-18 18:58:46 0 ----a-w- c:\windows\system32\26500.exe
2010-01-18 18:38:27 0 ----a-w- c:\windows\system32\6334.exe
2010-01-18 18:18:26 0 ----a-w- c:\windows\system32\18467.exe
2010-01-13 15:26:36 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-07 22:40:25 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-07 22:40:15 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-07 15:25:38 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-07 15:25:38 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 16:00:50 112942 ----a-w- c:\windows\hpoins07.dat
2010-01-02 04:03:19 10322 ----a-w- c:\docume~1\hp_owner\applic~1\wklnhst.dat
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-11-21 14:52:08 139264 ----a-w- c:\windows\system32\hpzjrd01.dll
2006-07-01 20:22:16 22 --sha-w- c:\windows\sminst\HPCD.sys
============= FINISH: 11:59:32.23 ==============

Edited by mashenden, 11 February 2010 - 07:53 AM.
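Two things an analyst would circle in the DDS log above are the dRun entry that autostarts a file named SVCHOST.EXE from system32\drivers rather than system32, and the run of zero-byte, purely numeric .exe files created in system32 over a couple of hours. The checks below, added here as example code (not part of this thread or of any BleepingComputer tool), flag both patterns in DDS-style output; the sample excerpt is constructed from the posted log and the list of core binaries is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Where Windows XP keeps its core service binaries. An autostart entry that
# names one of these files but points anywhere else deserves a close look.
SYSTEM32 = r"c:\windows\system32"
# Constructed allow-list for this example, not an exhaustive Windows inventory.
CORE_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "userinit.exe", "ctfmon.exe"}

# DDS "Pseudo HJT Report" autostart lines: uRun/mRun/dRun: [name] command
RUN_LINE = re.compile(r"^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
# DDS "Created Last 30" lines: date time size attributes path
CREATED_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
# First executable in a command line, quoted or not, with any arguments dropped.
EXE_IN_COMMAND = re.compile(r'^"?(?P<exe>.+?\.(?:exe|scr|com|bat|pif))"?(?=\s|$)', re.I)

# Constructed excerpt modelled on the DDS output posted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: []
dRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe

=============== Created Last 30 ================

2010-02-10 13:06:56 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-01-18 21:23:04 0 ----a-w- c:\windows\system32\5705.exe
2010-01-18 21:02:28 0 ----a-w- c:\windows\system32\24464.exe
2010-01-13 15:26:36 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
"""


@dataclass
class Finding:
    kind: str
    line: str
    reason: str


def executable_from_command(cmd: str):
    """Return the executable path from an autostart command line, or None."""
    m = EXE_IN_COMMAND.match(cmd.strip())
    return m.group("exe") if m else None


def split_path(path: str):
    """Lower-case a Windows path and split it into (directory, filename)."""
    directory, _, filename = path.strip().lower().rpartition("\\")
    return directory, filename


def check_run_entry(line: str):
    """Flag a core Windows binary name autostarting from outside system32."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    exe = executable_from_command(m.group("cmd"))
    if exe is None:
        return None
    directory, filename = split_path(exe)
    if filename in CORE_SYSTEM_BINARIES and directory != SYSTEM32:
        return Finding("masquerading_autorun", line,
                       f"{filename} belongs in {SYSTEM32} but autostarts from {directory}")
    return None


def check_created_entry(line: str):
    """Flag zero-byte, purely numeric .exe files created directly in system32."""
    m = CREATED_LINE.match(line)
    if not m:
        return None
    directory, filename = split_path(m.group("path"))
    stem, _, ext = filename.rpartition(".")
    if directory == SYSTEM32 and ext == "exe" and stem.isdigit() and m.group("size") == "0":
        return Finding("dropper_residue", line,
                       f"{filename}: numeric-named, empty executable created in system32")
    return None


def scan_dds(text: str):
    """Run every check over each line of a DDS log and collect the findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for check in (check_run_entry, check_created_entry):
            finding = check(line)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_dds(SAMPLE_DDS):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the full posted log, the same checks would pick up the dRun SVCHOST.EXE line and all ten numbered executables in "Created Last 30"; the ComboFix log posted later in the thread shows exactly those files being deleted.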



#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 52,087 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 February 2010 - 07:11 AM

OK mashenden, let's pick up where we left off.

If you are using a CD Emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) be aware that they use hidden drivers with rootkit-like techniques to hide from other applications. When dealing with a malware infection, CD Emulators can interfere with investigative tools producing misleading or inaccurate scan results, false detection of legitimate files, cause unexpected crashes, BSODs, and general 'dross' which often makes it hard to differentiate between malicious rootkits and the legitimate drivers used by CD Emulators. Since CD Emulators use a hidden driver which can be seen as a rootkit and can interfere with investigative tools or cause other problems, it is recommended that they be removed or disabled until disinfection is completed.

Please download DeFogger by jpshortstuff and save it to your desktop.
  • Double click DeFogger.exe to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK...DeFogger will now ask to reboot the machine...click OK. If not, reboot manually.
  • Do not re-enable these drivers until instructed or your system has been cleaned.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Please download ComboFix from one of these locations and save it to your Desktop. <-Important!!!
Note: If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
Download Mirror #1
Download Mirror #2
Download Mirror #3 <- provides a redirect link to both mirrors above

Be sure to print out and follow these instructions: A guide and tutorial on using ComboFix.
The guide includes instructions in other languages and step by step instructions with screenshots.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click this link to see a list of such programs and how to disable them. The list is not all inclusive.
  • Install the Windows Recovery Console. As part of its routine, ComboFix will check to see if the Recovery Console is installed before attempting to remove any malware. If not installed, ComboFix will not attempt to fix some serious infections. The Recovery Console will allow you to boot into a special repair mode should your computer encounter any problems during the disinfection process. Vista users can use their Windows DVD to boot up into the Vista Recovery Environment. If you don't have an XP CD, go to Microsoft's web site, scroll down to Step 1 and download the appropriate XP Setup boot disks for your operating system.
  • Follow the prompts to allow ComboFix to download and install the Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install it.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes to continue scanning for malware.
  • When finished, please copy and paste the contents of C:\ComboFix.txt (which will open after reboot) in your next reply.
  • Be sure to re-enable your anti-virus and other security programs.
  • If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.
-- Do not touch your mouse/keyboard until the Combofix scan has completed, as this may cause the process to stall or the computer to lock.
-- Combofix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
-- Combofix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.


QUOTE
Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.


Reports/logs to post in your next reply:
* ComboFix.txt
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 mashenden
  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:Richmond, VA, USA

Posted 13 February 2010 - 02:33 PM

I am glad it is you, Quietman7.

Back to the grind ... Apparently my Norton Security Suite is not easy to turn off. It is the Comcast-provided version, which I understand to be similar to Norton 360, but not similar enough. The BleepingPC instructions say:
  • Right-click the Norton 360 icon in the system tray and select Open Tasks and Settings Window.
  • On the right side, under Settings, click on Change advanced settings.
  • Next, click on the Virus & Spyware Protection Settings.
  • Uncheck Turn on Auto-Protect and select Apply.
On my Norton there is a separate heading for Tasks and another for Settings. Within Settings, there is no way to change to Advanced Settings and no way to turn Auto-Protect off. I have turned off several things, including my firewall, silent mode, anti-phishing, etc. (unchecked everything on the Quick Control menu) and also stopped Defender and SUPERAntiSpyware. Norton Auto-Protect is the one remaining. I tried looking in the Norton Startup Manager but nothing there would allow me to turn it off either.

Google has nothing that works yet that I can find.

I thought I had it figured out: I used Services.msc to turn off Norton, but ComboFix still says it is running. I proceeded regardless with the scan at my own risk (I really need to get this resolved) as that was presented as an option. All seems to be going well with respect to the scan. It is now preparing the log report.

Any other ideas in the event I need to disable it later?

[UPDATE] Here is the log:

ComboFix 10-02-12.01 - HP_Owner 02/13/2010 14:07:56.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.203 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Local Settings\Application Data\{51F7B2CC-DF95-413F-A6F1-C35CE915CD57}
c:\documents and settings\HP_Owner\Local Settings\Application Data\{51F7B2CC-DF95-413F-A6F1-C35CE915CD57}\chrome.manifest
c:\documents and settings\HP_Owner\Local Settings\Application Data\{51F7B2CC-DF95-413F-A6F1-C35CE915CD57}\chrome\content\_cfg.js
c:\documents and settings\HP_Owner\Local Settings\Application Data\{51F7B2CC-DF95-413F-A6F1-C35CE915CD57}\chrome\content\overlay.xul
c:\documents and settings\HP_Owner\Local Settings\Application Data\{51F7B2CC-DF95-413F-A6F1-C35CE915CD57}\install.rdf
c:\program files\Common Files\Uninstall
c:\recycler\S-1-5-21-117609710-484061587-682003330-1003
c:\recycler\S-1-5-21-3037522431-989166283-3608034271-1009
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\29358.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\ps2.bat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-13 20:06 . 2010-02-13 20:06 -------- d-----w- c:\windows\LastGood
2010-02-11 21:26 . 2010-02-11 21:26 46640 ----a-w- c:\windows\system32\msln.exe
2010-02-10 13:06 . 2008-04-13 19:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-02-10 13:06 . 2008-04-13 19:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-02-08 21:50 . 2010-02-07 17:34 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100208.002\NAVENG.SYS
2010-02-08 21:50 . 2010-02-07 17:34 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100208.002\NAVENG32.DLL
2010-02-08 21:50 . 2010-02-07 17:34 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100208.002\NAVEX32A.DLL
2010-02-08 21:50 . 2010-02-07 17:34 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100208.002\NAVEX15.SYS
2010-02-08 21:50 . 2010-02-07 17:34 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100208.002\EECTRL.SYS
2010-02-08 21:50 . 2010-02-07 17:34 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100208.002\CCERASER.DLL
2010-02-08 21:50 . 2010-02-07 17:34 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100208.002\ECMSVR32.DLL
2010-02-08 21:50 . 2010-02-07 17:34 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100208.002\ERASER.SYS
2010-02-08 21:27 . 2010-02-07 17:34 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp520.tmp\NAVENG.SYS
2010-02-08 21:27 . 2010-02-07 17:34 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp520.tmp\NAVENG32.DLL
2010-02-08 21:27 . 2010-02-07 17:34 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp520.tmp\NAVEX32A.DLL
2010-02-08 21:27 . 2010-02-07 17:34 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp520.tmp\NAVEX15.SYS
2010-02-08 21:27 . 2010-02-07 17:34 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp520.tmp\EECTRL.SYS
2010-02-08 21:27 . 2010-02-07 17:34 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp520.tmp\CCERASER.DLL
2010-02-08 21:27 . 2010-02-07 17:34 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp520.tmp\ECMSVR32.DLL
2010-02-08 21:27 . 2010-02-07 17:34 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp520.tmp\ERASER.SYS
2010-02-08 16:37 . 2010-02-08 16:37 -------- d-----w- c:\program files\Norton Support
2010-02-08 13:30 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSvix86.sys
2010-02-08 13:30 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSXpx86.sys
2010-02-08 13:30 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\Scxpx86.dll
2010-02-08 13:30 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSxpx86.dll
2010-02-08 13:30 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSviA64.sys
2010-02-08 08:53 . 2010-02-08 08:53 1315 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp1ba9.tmp\cur.scr
2010-02-07 23:22 . 2010-02-07 23:22 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-07 22:41 . 2010-02-07 22:40 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-07 22:41 . 2010-02-07 23:21 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-07 22:41 . 2010-02-07 23:21 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-07 22:41 . 2010-02-08 16:38 -------- d-----w- c:\program files\Symantec
2010-02-07 22:41 . 2010-02-07 23:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-07 22:40 . 2010-02-07 22:40 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-02-07 22:40 . 2010-02-07 22:40 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-02-07 22:40 . 2010-02-07 22:40 776952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-02-07 22:39 . 2010-02-08 16:32 -------- d-----w- c:\windows\system32\drivers\N360
2010-02-07 22:39 . 2010-02-07 22:40 -------- d-----w- c:\program files\Norton Security Suite
2010-02-07 22:39 . 2010-02-07 22:39 -------- d-----w- c:\program files\Windows Sidebar
2010-02-07 22:39 . 2010-02-07 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-07 22:36 . 2010-02-07 22:36 -------- d-----w- c:\program files\NortonInstaller
2010-02-07 22:36 . 2010-02-07 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-07 19:11 . 2010-02-07 19:11 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-07 17:17 . 2010-02-07 17:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-07 16:18 . 2010-02-07 16:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-07 14:52 . 2010-02-07 14:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-01-19 15:49 . 2010-01-19 15:49 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Threat Expert
2010-01-19 15:14 . 2010-01-24 02:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-15 15:28 . 2010-01-15 15:28 52224 ----a-w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 16:11 . 2005-10-28 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-02-08 13:51 . 2005-10-28 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-07 23:21 . 2010-02-07 22:41 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-07 23:21 . 2010-02-07 22:41 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-07 22:40 . 2005-03-08 01:52 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-07 22:40 . 2005-03-08 01:52 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-07 19:16 . 2009-10-20 20:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-07 18:54 . 2005-10-28 03:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-07 18:54 . 2005-10-28 03:14 -------- d-----w- c:\program files\Quicken
2010-02-07 18:11 . 2009-10-20 18:31 117760 ----a-w- c:\documents and settings\HP_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-07 16:16 . 2005-10-28 03:27 -------- d-----w- c:\program files\Google
2010-02-07 15:25 . 2010-02-13 20:06 96512 ----a-w- c:\windows\system32\drivers\OLD48.tmp
2010-01-25 15:39 . 2009-10-20 18:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-24 02:39 . 2010-01-24 02:45 169516 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-01-19 14:50 . 2010-01-10 15:05 120 ----a-w- c:\windows\Ncefowoma.dat
2010-01-19 14:50 . 2010-01-10 15:05 0 ----a-w- c:\windows\Uvuxelisuzogeru.bin
2010-01-14 17:12 . 2009-10-20 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 22:07 . 2009-10-20 20:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-10-20 20:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 16:00 . 2005-10-28 02:51 112942 ----a-w- c:\windows\hpoins07.dat
2010-01-02 04:03 . 2006-01-03 15:40 10322 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2009-12-29 21:22 . 2006-01-03 20:03 49056 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 14:29 . 2005-10-28 02:31 -------- d-----w- c:\program files\Java
2009-12-23 14:28 . 2009-12-23 14:28 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-23 14:27 . 2009-12-23 14:27 79488 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-21 20:20 . 2009-09-14 01:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\HpUpdate
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-07 14:51 . 2009-10-20 18:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 14:52 . 2005-01-25 00:30 139264 ----a-w- c:\windows\system32\hpzjrd01.dll
2006-07-01 20:22 . 2006-07-01 18:22 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 19:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-10-20 275912]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-23 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-10-28 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-28 98304]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck msln\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/8/2010 7:42 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/8/2010 7:42 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/8/2010 7:42 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100204.001\IDSXpx86.sys [2/8/2010 7:30 AM 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/7/2010 11:34 AM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S2 EraserSvc10923;Symantec Eraser Service;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/8/2010 7:41 AM 117640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 10:17 AM 135664]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/8/2010 7:41 AM 117640]
.
Contents of the 'Scheduled Tasks' folder

2010-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 16:16]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 16:16]

2010-02-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-02-12 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2010-02-11 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2010-02-13 c:\windows\Tasks\User_Feed_Synchronization-{713BE33F-AD71-4FEA-9256-7E0F3FBAA936}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mg201.mail.yahoo.com/dc/launch?.partner=sbc&.gx=0&.rand=2rejsu5i0iq5r
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
HKU-Default-Run-SVCHOST.EXE - c:\windows\system32\drivers\svchost.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 14:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F31618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86e5f28
\Driver\ACPI -> ACPI.sys @ 0xf8638cb8
\Driver\atapi -> atapi.sys @ 0xf851b852
\Driver\iaStor -> iaStor.sys @ 0xf853fade
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf83d9bd4
PacketIndicateHandler -> NDIS.sys @ 0xf83c7a0d
SendHandler -> NDIS.sys @ 0xf83dbb40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4004589832-3744565243-1406750296-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,f4,db,a0,48,27,4e,46,82,f5,fb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,f4,db,a0,48,27,4e,46,82,f5,fb,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(896)
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-13 14:35:55
ComboFix-quarantined-files.txt 2010-02-13 20:35

Pre-Run: 171,756,179,456 bytes free
Post-Run: 172,752,187,392 bytes free

- - End Of File - - 27EC9367E48E1AD3EBA4050F4D51D808

Edited by mashenden, 13 February 2010 - 04:01 PM.
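Added example, not part of the thread and not ComboFix's own code: a small Python triage script that reads the kind of lines shown in the Sigcheck and Reg Loading Points sections of the log above and flags what an analyst checks first. The sample text is constructed by copying lines from that log; the Sigcheck field layout (tag, date, MD5, size, version, path, separated by " . ") is inferred from those lines and is an assumption. The rules are mine: a copy that could not be hashed, two copies of the same file and version with different MD5s, the Security Center AntiVirusOverride and EnableFirewall=0 values, and a core system binary such as svchost.exe being started from somewhere other than %windir%\system32.

```python
"""Triage helpers for a ComboFix log excerpt (added example, not ComboFix code).
Cross-checks the Sigcheck block, the Security Center / firewall values and the
orphaned Run entry from the posted log. SAMPLE_LOG is constructed by copying
lines from that log; the Sigcheck field layout is inferred and is an assumption."""
import re
from collections import defaultdict
from ntpath import basename, dirname

SAMPLE_LOG = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 19:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
HKU-Default-Run-SVCHOST.EXE - c:\windows\system32\drivers\svchost.exe
"""

# Assumed layout: [tag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>.+?) \. (?P<hash>.+?) \. (?P<size>\d+) \. \. "
    r"\[(?P<ver>[^\]]*)\] \. \. (?P<path>.+?)\s*$"
)

# Binaries that belong in %windir%\system32; a copy started from elsewhere is worth a look.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"}


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; files that could not be hashed get hash=None."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["path"] = e["path"].lower()
        e["hash"] = None if e["hash"].startswith("!HASH") else e["hash"].upper()
        entries.append(e)
    return entries


def hash_anomalies(entries):
    """Flag unreadable copies, and copies of one file+version whose MD5s disagree."""
    findings = []
    by_name_ver = defaultdict(list)
    for e in entries:
        if e["hash"] is None:
            findings.append(f"unreadable: {e['path']} (size {e['size']})")
        else:
            by_name_ver[(basename(e["path"]), e["ver"])].append(e)
    for (name, ver), copies in by_name_ver.items():
        hashes = {c["hash"] for c in copies}
        if len(hashes) > 1:
            findings.append(f"hash mismatch: {name} {ver} -> {sorted(hashes)}")
    return findings


def weak_settings(text):
    """Security Center override and disabled firewall, as ComboFix prints them."""
    findings = []
    if re.search(r'"AntiVirusOverride"=dword:0*1\b', text):
        findings.append("Security Center AntiVirusOverride=1 (AV warnings suppressed)")
    if re.search(r'"EnableFirewall"=\s*0\b', text):
        findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
    return findings


def misplaced_system_binaries(text):
    """Run-key values whose executable is a core system binary outside system32."""
    findings = []
    for m in re.finditer(r"Run-\S+ - (?P<path>[a-z]:\\\S+)", text, re.IGNORECASE):
        path = m.group("path").lower()
        if basename(path) in SYSTEM32_ONLY and dirname(path) != r"c:\windows\system32":
            findings.append(f"{basename(path)} launched from {dirname(path)}")
    return findings


def triage(text=SAMPLE_LOG):
    """All findings for a log excerpt, in the order the checks run."""
    return hash_anomalies(parse_sigcheck(text)) + weak_settings(text) + misplaced_system_binaries(text)


if __name__ == "__main__":
    for finding in triage():
        print("-", finding)
```

Run as-is to print the findings for the embedded excerpt, or pass a full log with triage(open(path).read()). A finding is a lead, not a verdict: the log alone does not say why the running copy of atapi.sys could not be opened, only that the other copies agree with each other.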


#4 mashenden (Topic Starter)


Posted 13 February 2010 - 03:56 PM

Oh, oh - I think I just crossed the "To reformat or not to reformat" line

I reactivated the antivirus and firewall programs then rebooted - Now I get the blue screen of death, in Normal and in Safe Mode.

Edited by mashenden, 13 February 2010 - 03:58 PM.


#5 quietman7 (Global Moderator)


Posted 13 February 2010 - 04:31 PM

Did the BSOD provide a Stop error or identify a driver (.sys file) as shown in this example?

Crashes (BSOD), unexpected shutdowns, sudden freezing, random restarting, and booting problems during or after running anti-malware scanners can be symptomatic of a variety of things to include problems encountered with certain types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, etc) that are being scanned. Crashes can also be symptomatic of hardware/software issues, overheating caused by a failed processor fan, bad memory (RAM), failing or underpowered power supply, CPU overheating, motherboard, video card, faulty or unsigned device drivers, CMOS battery going bad, BIOS and firmware problems, dirty hardware components, programs hanging or unresponsive in the background, and even malware. Troubleshooting for these kinds of issues can be arduous and time consuming. There are no shortcuts.

QUOTE
I think I just crossed the "To reformat or not to reformat" line

Your decision as to what action to take should be made by reading and asking yourself the questions presented in these articles:

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned, repaired or trusted especially if you are dealing with rootkit components that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. In some instances an infection may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired or trusted. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action but I cannot make that decision for you.

Do you have your Windows XP CD? If so, that's an option we can try.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 mashenden (Topic Starter)


Posted 13 February 2010 - 09:10 PM

QUOTE(quietman7 @ Feb 13 2010, 04:31 PM)
Did the BSOD provide a Stop error or identify a driver (.sys file) as shown in this example?


The error was Stop 0x0000007B...

#7 quietman7 (Global Moderator)


Posted 13 February 2010 - 11:19 PM

You can receive a Stop 0x0000007B error message during Windows XP Setup when the Setup program restarts during the installation process. This can be an indication of a serious hardware problem with a hard drive controller or a driver issue. However, another possible cause is a Boot-Sector virus:
QUOTE
You may receive a "Stop 0x0000007B" error message if your computer is infected with a boot-sector virus. If the problem is intermittent and you can start Windows, check your computer for viruses. If you find a virus, also check any floppy disks for viruses before you use them again.
"Stop 0x0000007B" errors in Windows XP

Also, your CF log indicates a critical file has failed File Signature Verification. Files which fail signature verification are those which do not appear to be original and may have been altered by malware infection so CF flags them. In this case, that's probably one of the problems you are dealing with.

Since you cannot bootup in normal or safe mode, then your options are limited. As I said we can try using the Recovery Console or you can consider reformatting which is probably the safest thing to do as your machine has a serious infection.
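Added example, not part of the thread and not Gmer's code: the post above names boot-sector infection as one cause of Stop 0x0000007B, and the mbr.exe section of the log reports a user-mode read and a kernel-mode read of the MBR before concluding "user & kernel MBR OK". The Python below shows the shape of such a consistency check: parse a 512-byte sector, validate the 0x55AA signature and the partition entries, and report the byte ranges where two views of the same sector disagree. Both sector images are constructed here; how mbr.exe actually obtains its two reads is not on the page and is not assumed, and this is not a substitute for the tool.

```python
"""MBR parse-and-compare check (added example; not Gmer's mbr.exe code).
Both sector images below are constructed for the demonstration."""
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"       # boot signature at offset 510
ENTRY_FMT = "<B3sB3sII"       # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR from boot code (<= 446 bytes) and up to 4 entries."""
    assert len(bootcode) <= PART_TABLE_OFF and len(partitions) <= 4
    table = b""
    for boot, ptype, lba_start, sectors in partitions:
        # CHS fields are left zero; the LBA fields are what modern code reads.
        table += struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    return bootcode.ljust(PART_TABLE_OFF, b"\0") + table.ljust(64, b"\0") + SIGNATURE


def parse_mbr(img):
    """Return (signature_ok, [partition dicts]) for a raw 512-byte sector."""
    if len(img) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = img[510:512] == SIGNATURE
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot, _, ptype, _, lba, size = struct.unpack(ENTRY_FMT, img[off:off + 16])
        if ptype != 0:   # type 0 means an unused slot
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": size})
    return sig_ok, parts


def diff_ranges(a, b):
    """Half-open byte ranges [start, end) where two same-length images differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def compare_reads(user_img, kernel_img):
    """Label each differing range by the MBR region it starts in."""
    return [("bootcode" if s < PART_TABLE_OFF else "partition table/signature", s, e)
            for s, e in diff_ranges(user_img, kernel_img)]


# Constructed clean MBR: a few plausible first bytes of boot code, NOPs, and one
# bootable NTFS (type 0x07) partition starting at LBA 63.
CLEAN = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40,
                  [(0x80, 0x07, 63, 156_296_322)])

# Constructed second view of the same sector with its first 8 boot-code bytes changed,
# standing in for the case where the two reads do not agree.
_t = bytearray(CLEAN)
_t[0:8] = b"\xeb\x58\x90\x01\x02\x03\x04\x05"
TAMPERED = bytes(_t)

if __name__ == "__main__":
    ok, parts = parse_mbr(CLEAN)
    print("signature ok:", ok, "partitions:", parts)
    print("clean vs clean:", compare_reads(CLEAN, CLEAN))
    print("clean vs tampered:", compare_reads(CLEAN, TAMPERED))
```

Against real disks you would replace the two constructed images with sector 0 read by two independent paths; any non-empty result from compare_reads means the two paths are not seeing the same data, which is the condition the Gmer line "user & kernel MBR OK" rules out.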

#8 mashenden (Topic Starter)


Posted 14 February 2010 - 08:02 AM

While I had hoped to avoid reformatting, it is time to take that direction. Thank you very much for your help.

My guess is that the blue screen was not a hardware problem, given the issues we were troubleshooting, but stranger things have happened. I tend to not believe in coincidences, but on the other hand, I have learned to never say never (except in quoting this wisdom)

Again, thank you for your help.

mashenden


#9 quietman7 (Global Moderator)


Posted 14 February 2010 - 08:17 AM

QUOTE
My guess is that the blue screen was not a hardware problem
I agree. From all indications in the logs you provided for my review, your issues are due to a very nasty malware infection. Part of my job is to provide as much information as I can so you can make an informed decision whether it is worth the time and effort to attempt disinfection or move on.

QUOTE
While I had hoped to avoid reformatting, it is time to take that direction
I understand and that's the decision I would have made if this were my computer. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and ensures no remnants of malicious files are left behind.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Windows 7 users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq, Toshiba, Gateway or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. Also be sure to read Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the appropriate Windows Operating System Subforum.

Edited by quietman7, 14 February 2010 - 08:18 AM.




