
Google browser getting redirected



mmdallas
2009-06-18, 05:33
I've never posted before, so I'm not sure, but I think this is the info you requested to help me figure out exactly what part of interstellar space my browser is being directed to when I try to open what used to be my homepage, "google" ...

Any help/suggestions you have ... (other than never turn on my computer again) would be greatly appreciated.

I run Windows XP, and this started recently.

From the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:29 PM, on 6/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131500730765
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3}: NameServer = 68.94.156.1 151.164.8.201
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14752 bytes
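One way to triage a log like the one above, as an added example that is not the forum's or HijackThis's own code: a small Python parser that pulls out the entries a helper reads first when the complaint is a browser redirect (R0/R1 browser pages, O17 DNS servers, autorun entries HijackThis could not map to a file, and services with no vendor string). The sample lines are copied from the log posted above; the four report categories and the field-splitting rules are this example's own assumptions about the 2.0.2 line format.

```python
import re

# Sample lines in HijackThis 2.0.2 log format, copied from the log posted above
# and embedded here so the script runs offline. Pass a whole log to triage()
# for real use.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3}: NameServer = 68.94.156.1 151.164.8.201
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) and " - ".
# Header lines, the running-process list and the "End of file" trailer never match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_entries(log_text):
    """Split a HijackThis log into (code, body) tuples, one per entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text):
    """Collect the entries a helper checks first for a redirect complaint.

    Nothing here is declared malicious: the point is to surface the few
    lines (out of hundreds) that decide whether a redirect comes from the
    browser's own settings, from DNS, or from an autorun that points nowhere.
    """
    report = {
        "browser_settings": [],        # R0/R1: start page, search page, default URLs
        "nameservers": [],             # O17: DNS servers, to compare with the ISP's published ones
        "unresolved_autoruns": [],     # O4/O9 entries HijackThis could not map to a file
        "unknown_owner_services": [],  # O23 services with no vendor string
    }
    for code, body in parse_entries(log_text):
        if code in ("R0", "R1"):
            # "HKCU\...\Main,Start Page = <url>"; the value may be empty.
            key, _, value = body.partition("=")
            report["browser_settings"].append((key.strip(), value.strip()))
        elif code == "O17":
            _, _, servers = body.partition("NameServer = ")
            report["nameservers"].extend(IPV4_RE.findall(servers))
        elif code in ("O4", "O9") and (body.endswith("= ?") or body.endswith("(no file)")):
            report["unresolved_autoruns"].append((code, body))
        elif code == "O23" and " - Unknown owner - " in body:
            name = body[len("Service: "):].split(" - ")[0]
            report["unknown_owner_services"].append(name)
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

The O17 servers still have to be checked by hand against the ISP's published resolvers; the script only makes sure they are not overlooked in a long log.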

Bio-Hazard
2009-06-18, 19:20
Hello and welcome to the forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

I will be working on your malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something, please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

No Reply Within 5 Days Will Result In Your Topic Being Closed!!

Bio-Hazard
2009-06-18, 19:22
Disable Teatimer

Please disable Teatimer as it may interfere with the fix.


If you have version 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the system tray should now be colorless.
Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
Click on Mode > Advanced Mode. When it prompts you, click Yes.
On the left hand side, click on Tools.
Check this box if it is not yet ticked: Resident.
You will notice that Resident is now added under Tools. Click on Resident.
Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.
Exit Spybot Search & Destroy.
Reboot your machine for the changes to take effect.


Once your log is clean you can re-enable those settings in TeaTimer.





STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:


Link1 (http://www.techsupportforum.com/sectools/sUBs/dds)
Link2 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link3 (http://www.forospyware.com/sUBs/dds)

Please disable any anti-malware program that will block scripts from running before running DDS.



Double-click on dds.scr and a command window will appear. This is normal.
Shortly after, two logs will appear:

DDS.txt
Attach.txt


A window will open instructing you to save & post the logs.
Save the logs to a convenient place such as your desktop.
Copy the contents of both logs & post them in your next reply.




STEP 2


RootRepeal - Rootkit Detector

Download RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip) and unzip it to your Desktop.



Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan

The scan can take some time. DO NOT run any other programs while the scan is running.
When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program




Next Reply

Please reply with:


DDS.txt
Attach.txt
RootRepeal.txt

mmdallas
2009-06-19, 03:57
Bio,

I'm just replying to the post as requested and to thank you for getting back to me so quickly ... I'll now follow the instructions in your post ... thanks again

mmdallas
2009-06-19, 04:36
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/30/2004 10:38:42 AM
System Uptime: 6/18/2009 8:05:20 PM (0 hours ago)

Motherboard: TOSHIBA | | DBQ02
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | NWD | 3192/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 31.568 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Atheros AR5001X+ Wireless Network Adapter
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_7057144F&REV_01\4&3A321F38&0&10F0
Manufacturer: Atheros
Name: Atheros AR5001X+ Wireless Network Adapter
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_7057144F&REV_01\4&3A321F38&0&10F0
Service: AR5211

==== System Restore Points ===================

RP1163: 3/20/2009 12:56:16 PM - System Checkpoint
RP1164: 3/21/2009 5:50:06 PM - System Checkpoint
RP1165: 3/22/2009 9:05:23 PM - System Checkpoint
RP1166: 3/24/2009 1:55:03 PM - System Checkpoint
RP1167: 3/25/2009 1:58:05 PM - System Checkpoint
RP1168: 3/26/2009 5:01:34 PM - System Checkpoint
RP1169: 3/28/2009 2:10:30 PM - System Checkpoint
RP1170: 3/29/2009 2:21:08 PM - System Checkpoint
RP1171: 3/30/2009 6:21:48 PM - System Checkpoint
RP1172: 4/1/2009 7:11:08 PM - System Checkpoint
RP1173: 4/3/2009 5:54:32 PM - System Checkpoint
RP1174: 4/4/2009 10:49:51 PM - System Checkpoint
RP1175: 4/8/2009 8:11:39 PM - System Checkpoint
RP1176: 4/9/2009 9:04:11 PM - System Checkpoint
RP1177: 4/10/2009 10:05:47 PM - System Checkpoint
RP1178: 4/11/2009 10:59:29 PM - System Checkpoint
RP1179: 4/15/2009 6:12:28 PM - System Checkpoint
RP1180: 4/16/2009 9:06:22 PM - System Checkpoint
RP1181: 4/16/2009 11:28:55 PM - Software Distribution Service 3.0
RP1182: 4/18/2009 3:51:57 AM - System Checkpoint
RP1183: 4/19/2009 9:13:40 AM - System Checkpoint
RP1184: 4/21/2009 8:13:03 PM - System Checkpoint
RP1185: 4/23/2009 7:32:21 PM - System Checkpoint
RP1186: 4/25/2009 6:21:07 PM - System Checkpoint
RP1187: 4/26/2009 7:04:19 PM - System Checkpoint
RP1188: 4/27/2009 10:14:31 PM - System Checkpoint
RP1189: 4/28/2009 10:14:55 PM - System Checkpoint
RP1190: 4/28/2009 11:36:15 PM - Software Distribution Service 3.0
RP1191: 5/2/2009 6:46:15 PM - System Checkpoint
RP1192: 5/3/2009 7:09:43 PM - System Checkpoint
RP1193: 5/4/2009 7:36:39 PM - System Checkpoint
RP1194: 5/5/2009 11:34:18 PM - System Checkpoint
RP1195: 5/7/2009 7:37:10 PM - System Checkpoint
RP1196: 5/9/2009 10:17:26 PM - System Checkpoint
RP1197: 5/10/2009 10:31:14 PM - System Checkpoint
RP1198: 5/11/2009 11:03:08 PM - System Checkpoint
RP1199: 5/16/2009 11:25:31 PM - System Checkpoint
RP1200: 5/17/2009 3:00:29 AM - Software Distribution Service 3.0
RP1201: 5/19/2009 6:41:14 PM - System Checkpoint
RP1202: 5/20/2009 6:46:45 PM - System Checkpoint
RP1203: 5/22/2009 5:57:53 PM - System Checkpoint
RP1204: 5/23/2009 10:11:09 PM - System Checkpoint
RP1205: 5/24/2009 11:08:02 PM - System Checkpoint
RP1206: 5/27/2009 11:13:54 PM - System Checkpoint
RP1207: 5/30/2009 6:06:20 PM - System Checkpoint
RP1208: 5/31/2009 6:09:45 PM - System Checkpoint
RP1209: 6/5/2009 7:17:30 PM - System Checkpoint
RP1210: 6/6/2009 7:23:11 PM - System Checkpoint
RP1211: 6/7/2009 7:39:29 PM - System Checkpoint
RP1212: 6/9/2009 9:37:18 AM - System Checkpoint
RP1213: 6/9/2009 11:00:48 PM - Software Distribution Service 3.0
RP1214: 6/11/2009 6:14:59 PM - System Checkpoint
RP1215: 6/12/2009 6:20:24 PM - System Checkpoint
RP1216: 6/13/2009 7:54:16 PM - System Checkpoint
RP1217: 6/15/2009 1:54:14 PM - System Checkpoint
RP1218: 6/16/2009 11:53:21 PM - System Checkpoint
RP1219: 6/17/2009 7:29:49 AM - Restore Operation

==== Installed Programs ======================

Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Shockwave Player
Ahead Nero Burning ROM
AIM 6
AIM Toolbar 5.0
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
Apycom Java Menus and Buttons
ArcSoft Software Suite
Atheros Client Utility
ATT-PRT22
AutoCAD 2006 - English
Autodesk DWF Viewer
AutoUpdate
B's CLiP
Bonjour
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon i70
Canon PhotoRecord
Canon Utilities Easy-PhotoPrint
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
ccCommon
CD/DVD Drive Acoustic Silencer
CheckIt Diagnostics
CheckIt Diagnostics
CompuPic Pro
Connection Keep Alive
Copy Protection Notification Utility
DivX
DivX Player
DivX Web Player
Drag'n Drop CD+DVD
DVD-RAM Driver
Easy-WebPrint
Easy Button
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.5
GemMaster Mystic
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Updater
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2200 series
hp psc 2200 series
Internet Worm Protection
InterVideo WinDVD 4
InterVideo WinDVD Creator 2
iTunes
J2SE Runtime Environment 5.0 Update 1
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Managed DirectX (0901)
MetaFrame Presentation Server Client
Metamail
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft ActiveSync 3.7
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Standard Edition 2003
Microsoft Windows Journal Viewer
Microsoft Works 7.0
MobileMe Control Panel
MSN Music Assistant
MSRedist
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NAVShortcut
NETGEAR WG511v2 54 Mbps Wireless PC Card
Norton AntiVirus 2006
Norton AntiVirus Parent MSI
Norton Cleanup
Norton GoBack 4.1
Norton Protection Center
Norton Security Scan
Norton SystemWorks
Norton SystemWorks 2006
Norton SystemWorks 2006 (Symantec Corporation)
Norton Utilities
Norton WMI Update
Notebook Maximizer
NSW_DRM_COLLECTION
NVIDIA Display Driver
Otto
Pop-Up Stopper Free Edition
PrintStation
QuickTime
RealPlayer
Realtek AC'97 Audio
Realtek Fast Ethernet Adapter Driver
Safari
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SMSC IrCC Driver V5.1.2462.0 (WinXP)
Sonic PrimeTime
SPBBC
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Symantec KB-DocID:2003093015493306
Symantec Technical Support Web Controls
SymNet
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
Toshiba Controls
TOSHIBA Fax Extension
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Management Utility
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TouchPad On/Off Utility
TurboCAD v6
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinZip

==== Event Viewer Messages From Past Week ========

6/15/2009 11:43:16 AM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 11:12:14 AM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 11:12:14 AM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
6/11/2009 11:09:14 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Norton Protection Center Service service to connect.
6/11/2009 11:09:14 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service NSCService with arguments "" in order to run the server: {09B7ADDC-8BF0-409B-8571-43E8EA2AAFA3}
6/11/2009 11:08:32 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
6/11/2009 11:08:31 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
6/11/2009 11:08:31 AM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================




DDS (Ver_09-05-14.01) - NTFSx86
Run by Michael May at 20:30:56.01 on Thu 06/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.145 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael May\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: MCIEPlugIn Class: {c09c9904-fd44-11d6-a711-00105ac8f168} - c:\progra~1\metama~1\metama~1\ie\IEPlugIn.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\michael may\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [CpRmtKey] "c:\program files\toshiba\toshiba controls\CpRmtKey.EXE"
mRun: [B'sCLiP] c:\progra~1\b'scli~1\win2k\BSCLIP.exe
mRun: [CeEPOWER] c:\program files\toshiba\power management\CePMTray.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [EzButton] c:\program files\ezbutton\EzButton.EXE
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_01\bin\jusched.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\windows\installer\{b93d24b3-928d-4805-b379-4aa47cb3794e}\NewShortcut1_1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\norton~1.lnk - c:\program files\norton systemworks\norton goback\GBTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_01\bin\npjpi150_01.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131500730765
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.6220833333
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - hxxps://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
TCP: {3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3} = 68.94.156.1 151.164.8.201
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
SEH: MCOEShellHook Class: {b9e618a2-a4fe-11d4-83c2-005004636c96} - c:\program files\metamail inc\metamail reader\oe\OESHook.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-1-29 10112]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2004-12-2 3744]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2004-2-10 395008]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2004-12-2 3904]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~2\norton~2\NPROTECT.EXE [2005-10-3 95832]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-12-3 1251720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-21 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090618.004\NAVENG.Sys [2009-6-18 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090618.004\NavEx15.Sys [2009-6-18 876144]
R3 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-8-26 334984]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2004-5-3 69692]
S3 RkHit;RkHit;\??\c:\windows\system32\drivers\rkhit.sys --> c:\windows\system32\drivers\RKHit.sys [?]
S3 SAVScan;Symantec AVScan;c:\program files\norton systemworks\norton antivirus\SAVScan.exe [2005-8-26 198368]
S3 ttv100x;TOSHIBA USB2 TV Tuner;c:\windows\system32\drivers\ttv100x.sys [2003-10-15 1233024]

=============== Created Last 30 ================

2009-06-17 21:14 <DIR> --d----- c:\program files\Trend Micro
2009-06-15 12:58 <DIR> --d----- c:\docume~1\michae~1\applic~1\Malwarebytes
2009-06-15 12:58 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 12:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-15 12:58 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 12:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-10 18:11 3,247 a------- c:\windows\system32\wbem\Outlook_01c9ea20d268fd1e.mof

==================== Find3M ====================

2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2004-08-16 22:26 168 a---h--- c:\documents and settings\michael may\hpothb07.dat
2008-11-28 23:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112820081129\index.dat

============= FINISH: 20:32:11.32 ===============

mmdallas
2009-06-19, 05:06
Bio,

I didn't think you wanted me to re-post the DDS text files again, so I'm just sending this one ... if you do want me to resend the others, please advise, as I have them saved to my desktop.


Thanks again for your help.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/06/18 20:40
Program Version: Version 1.3.0.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1987000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8E36000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEDD3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\gobackio.bin
Status: Locked to the Windows API!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\unzipped\RootRepeal
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000151.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000152.DLL
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000153.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000154.VXD
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000155.DLL
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000156.sys
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000157.grd
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000158.sig
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000159.spm
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000160.sys
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000161.BIN
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000162
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000163.EXP
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000164.SYS
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000165.VXD
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000166.DLL
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000167.EXP
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000168.SYS
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000169.VXD
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000170.DLL
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000171.TXT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000172.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000173.CAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000174.INF
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000175.cat
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000176.inf
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000177.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000178.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000179.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000180.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000181.TXT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000182.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000183.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000184.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000185.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000186.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000187.GRD
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000188.SIG
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000189.INF
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000190.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000191.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000192.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000193.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000194.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000195.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000196.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000197.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000198.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000199.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000200.dat
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000201.TXT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000202.DAT
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000207.EVM
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000216.edb
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\NPROTECT\00000291.SYS
Status: Visible to the Windows API, but not on disk.

Path: c:\recycler\s-1-5-21-515768181-1641645791-2319526321-1005\info2
Status: Size mismatch (API: 1620, Raw: 20)

Path: C:\RECYCLER\S-1-5-21-515768181-1641645791-2319526321-1005\Dc1.scr
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\S-1-5-21-515768181-1641645791-2319526321-1005\Dc2.txt
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\ALUSCHEDULERSVC.EXE-07C29CF3.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\APPLEMOBILEDEVICESERVICE.EXE-2BCF7F43.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\CEEPWRSVC.EXE-27C54555.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\CFSVCS.EXE-05A90D42.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\CSCRIPT.EXE-1C26180C.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\DDS.PIF-0BF4547B.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\DVDRAMSV.EXE-26747295.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\EDS.EXE-1B60C66E.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\EHSCHED.EXE-1E5750BC.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\ETPATHS.EXE-3AEC40AA.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\FI.EXE-0395DCDD.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\FIND.EXE-0EC32F1E.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\FINDSTR.EXE-0CA6274B.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\MDNSRESPONDER.EXE-02F30C6E.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-05EED422.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\SORT.EXE-194AE83C.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\WINZIP32.EXE-335422C1.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Prefetch\WREGS.EXE-05EA9F0A.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206251.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206252.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206253.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206254.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206255.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206256.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206257.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206258.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206259.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206260.Lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206261.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\A0206262.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{AD5C5BB2-17BA-4D96-82F1-82DA2A916DDC}\RP1219\change.log.2
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\michael may\cookies\michael_may@forums.spybot[2].txt
Status: Size mismatch (API: 172, Raw: 176)

Path: C:\Documents and Settings\Michael May\Desktop\Attach.txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Desktop\dds.pif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Desktop\DDS.txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Desktop\RootRepeal.zip
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Recent\Attach.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Recent\dds - Notepad.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Recent\DDS.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Recent\RootRepeal.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\2009-06-18-5ecc.kc
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\2009-06-18-76a7.kc
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\lulock.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6674.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmpcf6.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Norton SystemWorks\Norton Antivirus\Savrt\0349NAV~.TMP
Status: Invisible to the Windows API!

Path: C:\Program Files\Norton SystemWorks\Norton Antivirus\Savrt\0483NAV~.TMP
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\all users\application data\spybot - search & destroy\configuration.ini
Status: Size mismatch (API: 3347, Raw: 3348)

Path: c:\documents and settings\all users\application data\spybot - search & destroy\proccache.sbc
Status: Size mismatch (API: 2930, Raw: 2760)

Path: C:\Documents and Settings\Michael May\Local Settings\Temp\Perflib_Perfdata_ff8.dat
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael May\Local Settings\Temp\~DFEE2A.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael May\Local Settings\Temp\~DFEE4D.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael May\Local Settings\Temp\IMG5.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Local Settings\Temp\Perflib_Perfdata_d54.dat
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Local Settings\Temp\RarSFX0
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Local Settings\Temp\~DF6453.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael May\Local Settings\Temp\~DF6476.tmp
Status: Visible to the Windows API, but not on disk.

Path: \\?\C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\NAVEX32A.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\CATALOG.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\CCERASER.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\definst.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\ECBOOTIL.VXD
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\ECMSVR32.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\eeCtrl.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\ERASER.grd
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\ERASER.sig
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\ERASER.spm
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\eraser.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\ESRDEF.BIN
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\HH
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\NAVENG.EXP
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\NAVENG.SYS
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\NAVENG.VXD
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\NAVENG32.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\NAVEX15.EXP
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\NAVEX15.SYS
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\NAVEX15.VXD
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\NCSACERT.TXT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\SCRAUTH.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\SYMAVENG.CAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\SYMAVENG.INF
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\SymErase.cat
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\SymErase.inf
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TCDEFS.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TCSCAN7.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TCSCAN8.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TCSCAN9.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TECHNOTE.TXT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TINF.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TINFIDX.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TINFL.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TSCAN1.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\TSCAN1HD.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\V.GRD
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\V.SIG
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN.INF
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN1.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN2.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN3.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN4.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN5.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN6.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN7.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN8.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCAN9.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\VIRSCANT.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\vscanmsx.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\WHATSNEW.TXT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090616.004\ZDONE.DAT
Status: Invisible to the Windows API!

Path: c:\program files\common files\symantec shared\virusdefs\20090618.004\virscan7.dat
Status: Size mismatch (API: 41185851, Raw: 41147503)

Path: c:\program files\common files\symantec shared\virusdefs\20090618.004\virscan8.dat
Status: Size mismatch (API: 1090860, Raw: 1090676)

Path: c:\program files\common files\symantec shared\virusdefs\20090618.004\virscan9.dat
Status: Size mismatch (API: 3920583, Raw: 3917157)

Path: \\?\C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\cur.scr
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\ESRDEF.999
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\TCDEFS.998
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\TCSCAN7.997
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\TCSCAN8.996
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\TCSCAN9.995
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\TINF.994
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\TINFL.993
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\TSCAN1.992
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\V.990
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\V.991
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN.989
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN1.988
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN2.987
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN3.986
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN4.985
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN5.984
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN6.983
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN7.982
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN8.981
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\VIRSCAN9.980
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\virscant.dat
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5594.tmp\WHATSNEW.979
Status: Invisible to the Windows API!

Path: \\?\C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6674.tmp\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: \\?\C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\NAVEX32A.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\CATALOG.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\CCERASER.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\definst.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\ECBOOTIL.VXD
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\ECMSVR32.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\eeCtrl.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\ERASER.grd
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\ERASER.sig
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\ERASER.spm
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\eraser.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\ESRDEF.BIN
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\HH
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\NAVENG.EXP
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\NAVENG.SYS
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\NAVENG.VXD
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\NAVENG32.DLL
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\NAVEX15.EXP
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\NAVEX15.SYS
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\NAVEX15.VXD
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\NCSACERT.TXT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\SCRAUTH.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\SYMAVENG.CAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\SYMAVENG.INF
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\SymErase.cat
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\SymErase.inf
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TCDEFS.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TCSCAN7.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TCSCAN8.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TCSCAN9.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TECHNOTE.TXT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TINF.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TINFIDX.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TINFL.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TSCAN1.DAT
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp6703.tmp\TSCAN1HD.DAT
Status: Invisible to the Windows API!

Path: C:\Program Fil

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x82eb17c8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x82fd2858

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x82edbc38

#: 025 Function Name: NtClose
Status: Hooked by "GoBack2K.sys" at address 0xf873fa40

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x82fb0398

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf1bb3020

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x82f7c878

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x82fb4670

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf1bb32a0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf1bb3800

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f99c30

#: 084 Function Name: NtFsControlFile
Status: Hooked by "GoBack2K.sys" at address 0xf873fad0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x82f7bb20

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x82ee0310

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x82f321b0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x83131cc0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x82efe0b0

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x82ef9560

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x82f90790

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x82ef54d0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x82f92158

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x82ecc710

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x82efae60

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf1bb3a50

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x82ee9c00

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8311fae8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x82f1b0b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x83121c18

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x82efe890

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f99cc0

==EOF==

Bio-Hazard
2009-06-19, 17:28
Gmer's mbr.exe

Please download mbr.exe from HERE (http://www2.gmer.net/mbr/mbr.exe) and save it to your desktop.

Click the downloaded file to run the scan (a window will open briefly, then close).
The scan will create an mbr.log on your desktop.
Please copy/paste its contents in your next reply.

mmdallas
2009-06-21, 17:19
Bio, hope I did this correctly ... the log was brief ....


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully

Bio-Hazard
2009-06-21, 17:32
Hello!

Well done. That was the log I needed to see.

Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)



You must download it to, and run it from, your Desktop.
ComboFix SHOULD NOT be used unless requested by a forum helper.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click on ComboFix.exe and follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix should never take more than 20 minutes, including the reboot if malware is detected.

IMPORTANT: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.


Next Reply

Please reply with:

ComboFix log (found at C:\Combofix.txt)
New HijackThis log

mmdallas
2009-06-22, 01:14
Bio,

I believe this is the log you needed .... please advise if you need add'l info ... thanks

ComboFix 09-06-20.04 - Michael May 06/21/2009 16:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.179 [GMT -5:00]
Running from: c:\documents and settings\Michael May\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT\00000000
c:\recycler\NPROTECT\00000001
c:\recycler\NPROTECT\00000002.dat
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000006
c:\recycler\NPROTECT\00000010.DAT
c:\recycler\NPROTECT\00000011
c:\recycler\NPROTECT\00000012
c:\recycler\NPROTECT\00000013
c:\recycler\NPROTECT\00000014
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000018
c:\recycler\NPROTECT\00000019
c:\recycler\NPROTECT\00000020
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023.DAT
c:\recycler\NPROTECT\00000024
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036
c:\recycler\NPROTECT\00000037
c:\recycler\NPROTECT\00000038
c:\recycler\NPROTECT\00000039
c:\recycler\NPROTECT\00000040
c:\recycler\NPROTECT\00000043
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000045
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000051
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000055
c:\recycler\NPROTECT\00000056
c:\recycler\NPROTECT\00000057
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000061
c:\recycler\NPROTECT\00000062
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000074
c:\recycler\NPROTECT\00000075
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000078
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000081
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000083
c:\recycler\NPROTECT\00000084
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000087
c:\recycler\NPROTECT\00000088
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000092
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099.dat
c:\recycler\NPROTECT\00000100.dat
c:\recycler\NPROTECT\00000101.dat
c:\recycler\NPROTECT\00000102.dat
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000104
c:\recycler\NPROTECT\00000105
c:\recycler\NPROTECT\00000106
c:\recycler\NPROTECT\00000107
c:\recycler\NPROTECT\00000108
c:\recycler\NPROTECT\00000109
c:\recycler\NPROTECT\00000110
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000112
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000118
c:\recycler\NPROTECT\00000119.bat
c:\recycler\NPROTECT\00000120
c:\recycler\NPROTECT\00000121
c:\recycler\NPROTECT\00000122
c:\recycler\NPROTECT\00000123
c:\recycler\NPROTECT\00000124
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000127
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000132
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000136
c:\recycler\NPROTECT\00000137
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000139
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000145
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000149
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000156
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000158
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000160
c:\recycler\NPROTECT\00000161
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000170
c:\recycler\NPROTECT\00000171
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000173
c:\recycler\NPROTECT\00000174
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000176
c:\recycler\NPROTECT\00000177
c:\recycler\NPROTECT\00000178
c:\recycler\NPROTECT\00000179
c:\recycler\NPROTECT\00000180
c:\recycler\NPROTECT\00000181
c:\recycler\NPROTECT\00000182
c:\recycler\NPROTECT\00000183
c:\recycler\NPROTECT\00000185
c:\recycler\NPROTECT\00000186
c:\recycler\NPROTECT\00000187
c:\recycler\NPROTECT\00000188
c:\recycler\NPROTECT\00000190
c:\recycler\NPROTECT\00000193
c:\recycler\NPROTECT\00000194
c:\recycler\NPROTECT\00000195
c:\recycler\NPROTECT\00000196
c:\recycler\NPROTECT\00000197
c:\recycler\NPROTECT\00000198
c:\recycler\NPROTECT\00000199.dat
c:\recycler\NPROTECT\00000200
c:\recycler\NPROTECT\00000201
c:\recycler\NPROTECT\00000202
c:\recycler\NPROTECT\00000203
c:\recycler\NPROTECT\00000204
c:\recycler\NPROTECT\00000205.bad
c:\recycler\NPROTECT\00000206
c:\recycler\NPROTECT\00000207
c:\recycler\NPROTECT\00000208
c:\recycler\NPROTECT\00000209
c:\recycler\NPROTECT\00000210
c:\recycler\NPROTECT\00000216
c:\recycler\NPROTECT\00000217.md5
c:\recycler\NPROTECT\00000224
c:\recycler\S-1-5-21-1970226904-2619930774-1313513210-500
c:\recycler\S-1-5-21-2128814108-120919247-1307924255-500
c:\recycler\S-1-5-21-24490976-4010482216-3067663967-500
c:\recycler\NPROTECT . . . . failed to delete
c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000001.DLL
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000002.exe
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000003.VXD
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000004.DLL
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000005.sys
c:\recycler\NPROTECT\00000006
c:\recycler\NPROTECT\00000006.grd
c:\recycler\NPROTECT\00000007
c:\recycler\NPROTECT\00000007.sig
c:\recycler\NPROTECT\00000008.spm
c:\recycler\NPROTECT\00000009
c:\recycler\NPROTECT\00000009.sys
c:\recycler\NPROTECT\00000010.BIN
c:\recycler\NPROTECT\00000011
c:\recycler\NPROTECT\00000012
c:\recycler\NPROTECT\00000012.EXP
c:\recycler\NPROTECT\00000013
c:\recycler\NPROTECT\00000013.SYS
c:\recycler\NPROTECT\00000014
c:\recycler\NPROTECT\00000014.VXD
c:\recycler\NPROTECT\00000015.DLL
c:\recycler\NPROTECT\00000016.EXP
c:\recycler\NPROTECT\00000017.SYS
c:\recycler\NPROTECT\00000018.VXD
c:\recycler\NPROTECT\00000019.DLL
c:\recycler\NPROTECT\00000020.TXT
c:\recycler\NPROTECT\00000021.DAT
c:\recycler\NPROTECT\00000022.CAT
c:\recycler\NPROTECT\00000023.INF
c:\recycler\NPROTECT\00000024.cat
c:\recycler\NPROTECT\00000025.inf
c:\recycler\NPROTECT\00000026.DAT
c:\recycler\NPROTECT\00000027.DAT
c:\recycler\NPROTECT\00000028.DAT
c:\recycler\NPROTECT\00000029.DAT
c:\recycler\NPROTECT\00000030.TXT
c:\recycler\NPROTECT\00000031.DAT
c:\recycler\NPROTECT\00000032.DAT
c:\recycler\NPROTECT\00000033.DAT
c:\recycler\NPROTECT\00000034.DAT
c:\recycler\NPROTECT\00000035.DAT
c:\recycler\NPROTECT\00000036.GRD
c:\recycler\NPROTECT\00000037.SIG
c:\recycler\NPROTECT\00000038.INF
c:\recycler\NPROTECT\00000039.DAT
c:\recycler\NPROTECT\00000040.DAT
c:\recycler\NPROTECT\00000041.DAT
c:\recycler\NPROTECT\00000042.DAT
c:\recycler\NPROTECT\00000043.DAT
c:\recycler\NPROTECT\00000044.DAT
c:\recycler\NPROTECT\00000045.DAT
c:\recycler\NPROTECT\00000046.DAT
c:\recycler\NPROTECT\00000047.DAT
c:\recycler\NPROTECT\00000048.DAT
c:\recycler\NPROTECT\00000049.TXT
c:\recycler\NPROTECT\00000050.DAT
c:\recycler\NPROTECT\00000055.sxx
c:\recycler\NPROTECT\00000058.sxx
c:\recycler\NPROTECT\00000059.sxx
c:\recycler\NPROTECT\00000060.sxx
c:\recycler\NPROTECT\00000065.dat
c:\recycler\NPROTECT\00000066.ini
c:\recycler\NPROTECT\00000067.ini
c:\recycler\NPROTECT\00000068.UIZ
c:\recycler\NPROTECT\00000079.JOB
c:\recycler\NPROTECT\00000092.CAB
c:\recycler\NPROTECT\00000097.cab
c:\recycler\NPROTECT\00000101.cab
c:\recycler\NPROTECT\00000107.edb
c:\recycler\NPROTECT\00000110.JOB
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115.JOB
c:\recycler\NPROTECT\00000153.sxx
c:\recycler\NPROTECT\00000154.sxx
c:\recycler\NPROTECT\00000155.sxx
c:\recycler\NPROTECT\00000156.sxx
c:\recycler\NPROTECT\00000158.dat
c:\recycler\NPROTECT\00000159.ini
c:\recycler\NPROTECT\00000167.log
c:\recycler\NPROTECT\00000197.JOB
c:\recycler\NPROTECT\00000260.DAT
c:\recycler\NPROTECT\00000261.DLL
c:\recycler\NPROTECT\00000262.exe
c:\recycler\NPROTECT\00000263.VXD
c:\recycler\NPROTECT\00000264.DLL
c:\recycler\NPROTECT\00000265.sys
c:\recycler\NPROTECT\00000266.grd
c:\recycler\NPROTECT\00000267.sig
c:\recycler\NPROTECT\00000268.spm
c:\recycler\NPROTECT\00000269.sys
c:\recycler\NPROTECT\00000270.BIN
c:\recycler\NPROTECT\00000271
c:\recycler\NPROTECT\00000272.EXP
c:\recycler\NPROTECT\00000273.SYS
c:\recycler\NPROTECT\00000274.VXD
c:\recycler\NPROTECT\00000275.DLL
c:\recycler\NPROTECT\00000276.EXP
c:\recycler\NPROTECT\00000277.SYS
c:\recycler\NPROTECT\00000278.VXD
c:\recycler\NPROTECT\00000279.DLL
c:\recycler\NPROTECT\00000280.TXT
c:\recycler\NPROTECT\00000281.DAT
c:\recycler\NPROTECT\00000282.CAT
c:\recycler\NPROTECT\00000283.INF
c:\recycler\NPROTECT\00000284.cat
c:\recycler\NPROTECT\00000285.inf
c:\recycler\NPROTECT\00000286.DAT
c:\recycler\NPROTECT\00000287.DAT
c:\recycler\NPROTECT\00000288.DAT
c:\recycler\NPROTECT\00000289.DAT
c:\recycler\NPROTECT\00000290.TXT
c:\recycler\NPROTECT\00000291.DAT
c:\recycler\NPROTECT\00000292.DAT
c:\recycler\NPROTECT\00000293.DAT
c:\recycler\NPROTECT\00000294.DAT
c:\recycler\NPROTECT\00000295.DAT
c:\recycler\NPROTECT\00000296.GRD
c:\recycler\NPROTECT\00000297.SIG
c:\recycler\NPROTECT\00000298.INF
c:\recycler\NPROTECT\00000299.DAT
c:\recycler\NPROTECT\00000300.DAT
c:\recycler\NPROTECT\00000301.DAT
c:\recycler\NPROTECT\00000302.DAT
c:\recycler\NPROTECT\00000303.DAT
c:\recycler\NPROTECT\00000304.DAT
c:\recycler\NPROTECT\00000305.DAT
c:\recycler\NPROTECT\00000306.DAT
c:\recycler\NPROTECT\00000307.DAT
c:\recycler\NPROTECT\00000308.DAT
c:\recycler\NPROTECT\00000309.TXT
c:\recycler\NPROTECT\00000310.DAT
c:\recycler\NPROTECT\00000338
c:\recycler\NPROTECT\00000339.pif
c:\recycler\NPROTECT\00000353
c:\recycler\NPROTECT\00000354
c:\recycler\NPROTECT\00000357.DAT
c:\recycler\NPROTECT\00000362
c:\recycler\NPROTECT\00000363.chm
c:\recycler\NPROTECT\00000365
c:\recycler\NPROTECT\00000367
c:\recycler\NPROTECT\00000370
c:\recycler\NPROTECT\00000375
c:\recycler\NPROTECT\00000378
c:\recycler\NPROTECT\00000379
c:\recycler\NPROTECT\00000382.cmd
c:\recycler\NPROTECT\00000385.exe
c:\recycler\NPROTECT\00000386.TXT
c:\recycler\NPROTECT\00000387.exe
c:\recycler\NPROTECT\00000388.TXT
c:\recycler\NPROTECT\00000389.TXT
c:\recycler\NPROTECT\00000390.TXT
c:\recycler\NPROTECT\00000391.bat
c:\recycler\NPROTECT\00000392.exe
c:\recycler\NPROTECT\00000393.TXT
c:\recycler\NPROTECT\00000394.exe
c:\recycler\NPROTECT\00000395.txt
c:\recycler\NPROTECT\00000396.zip
c:\recycler\NPROTECT\00000397.txt
c:\recycler\NPROTECT\00000398.bat
c:\recycler\NPROTECT\00000399.bat
c:\recycler\NPROTECT\00000400.ZIP
c:\recycler\NPROTECT\00000401.HTM
c:\recycler\NPROTECT\00000402.TXT
c:\recycler\NPROTECT\00000403
c:\recycler\NPROTECT\00000404
c:\recycler\NPROTECT\00000405
c:\recycler\NPROTECT\00000408.edb
c:\recycler\NPROTECT\00000409
c:\recycler\NPROTECT\00000413.cmd
c:\recycler\NPROTECT\00000414.txt
c:\recycler\NPROTECT\00000415.EXE
c:\recycler\NPROTECT\00000422
c:\recycler\NPROTECT\00000435
c:\recycler\NPROTECT\00000443.CMD
c:\recycler\NPROTECT\00000451
c:\recycler\NPROTECT\00000462
c:\recycler\NPROTECT\00000463
c:\recycler\NPROTECT\00000464
c:\recycler\NPROTECT\00000465
c:\recycler\NPROTECT\00000466
c:\recycler\NPROTECT\00000467
c:\recycler\NPROTECT\00000469
c:\recycler\NPROTECT\00000470
c:\recycler\NPROTECT\00000471
c:\recycler\NPROTECT\00000472
c:\recycler\NPROTECT\00000473
c:\recycler\NPROTECT\00000474
c:\recycler\NPROTECT\00000475
c:\recycler\NPROTECT\00000476
c:\recycler\NPROTECT\00000477
c:\recycler\NPROTECT\00000478
c:\recycler\NPROTECT\00000479
c:\recycler\NPROTECT\00000480
c:\recycler\NPROTECT\00000481
c:\recycler\NPROTECT\00000482
c:\recycler\NPROTECT\00000483
c:\recycler\NPROTECT\00000484
c:\recycler\NPROTECT\00000485
c:\recycler\NPROTECT\00000487
c:\recycler\NPROTECT\00000493
c:\recycler\NPROTECT\00000494
c:\recycler\NPROTECT\00000495.dll
c:\recycler\NPROTECT\00000500.DAT
c:\recycler\NPROTECT\00000501.DAT
c:\recycler\NPROTECT\00000502.DAT
c:\recycler\NPROTECT\00000506.c
c:\recycler\NPROTECT\00000509
c:\recycler\NPROTECT\00000510
c:\recycler\NPROTECT\00000512
c:\recycler\NPROTECT\00000513
c:\recycler\NPROTECT\00000514
c:\recycler\NPROTECT\00000515
c:\recycler\NPROTECT\00000516
c:\recycler\NPROTECT\00000517
c:\recycler\NPROTECT\00000518
c:\recycler\NPROTECT\00000519
c:\recycler\NPROTECT\00000535.dat
c:\recycler\NPROTECT\00000536.DAT
c:\recycler\NPROTECT\00000541
c:\recycler\NPROTECT\00000542
c:\recycler\NPROTECT\00000544
c:\recycler\NPROTECT\00000561.BAT
c:\recycler\NPROTECT\00000562
c:\recycler\NPROTECT\00000563
c:\recycler\NPROTECT\00000564
c:\recycler\NPROTECT\00000565
c:\recycler\NPROTECT\00000566
c:\recycler\NPROTECT\00000567
c:\recycler\NPROTECT\00000568
c:\recycler\NPROTECT\00000569
c:\recycler\NPROTECT\00000571
c:\recycler\NPROTECT\00000572
c:\recycler\NPROTECT\00000573
c:\recycler\NPROTECT\00000574
c:\recycler\NPROTECT\00000575
c:\recycler\NPROTECT\00000576
c:\recycler\NPROTECT\00000580
c:\recycler\NPROTECT\00000585
c:\recycler\NPROTECT\00000586
c:\recycler\NPROTECT\00000587
c:\recycler\NPROTECT\00000588
c:\recycler\NPROTECT\00000589
c:\recycler\NPROTECT\00000590
c:\recycler\NPROTECT\00000591
c:\recycler\NPROTECT\00000592
c:\recycler\NPROTECT\00000593
c:\recycler\NPROTECT\00000594
c:\recycler\NPROTECT\00000595
c:\recycler\NPROTECT\00000596
c:\recycler\NPROTECT\00000597
c:\recycler\NPROTECT\00000598
c:\recycler\NPROTECT\00000599
c:\recycler\NPROTECT\00000600
c:\recycler\NPROTECT\00000601
c:\recycler\NPROTECT\00000602
c:\recycler\NPROTECT\00000603
c:\recycler\NPROTECT\00000604
c:\recycler\NPROTECT\00000605
c:\recycler\NPROTECT\00000606
c:\recycler\NPROTECT\00000607.BAT
c:\recycler\NPROTECT\00000608
c:\recycler\NPROTECT\00000610.CFU
c:\recycler\NPROTECT\00000611
c:\recycler\NPROTECT\00000612.BAT
c:\recycler\NPROTECT\00000613
c:\recycler\NPROTECT\00000614
c:\recycler\NPROTECT\00000615
c:\recycler\NPROTECT\00000616
c:\recycler\NPROTECT\00000617
c:\recycler\NPROTECT\00000618
c:\recycler\NPROTECT\00000619
c:\recycler\NPROTECT\00000620.cfu
c:\recycler\NPROTECT\00000621
c:\recycler\NPROTECT\00000622.cfu
c:\recycler\NPROTECT\00000623
c:\recycler\NPROTECT\00000624.cfu
c:\recycler\NPROTECT\00000625
c:\recycler\NPROTECT\00000626.cfu
c:\recycler\NPROTECT\00000627
c:\recycler\NPROTECT\00000628.CFU
c:\recycler\NPROTECT\00000629
c:\recycler\NPROTECT\00000630.CFU
c:\recycler\NPROTECT\00000631
c:\recycler\NPROTECT\00000632.CFU
c:\recycler\NPROTECT\00000633
c:\recycler\NPROTECT\00000634.CFU
c:\recycler\NPROTECT\00000635
c:\recycler\NPROTECT\00000636.cfu
c:\recycler\NPROTECT\00000637
c:\recycler\NPROTECT\00000638.cfu
c:\recycler\NPROTECT\00000639
c:\recycler\NPROTECT\00000640.CFU
c:\recycler\NPROTECT\00000641
c:\recycler\NPROTECT\00000642.cfu
c:\recycler\NPROTECT\00000643
c:\recycler\NPROTECT\00000644.CFU
c:\recycler\NPROTECT\00000645.sed
c:\recycler\NPROTECT\00000646.RE5
c:\recycler\NPROTECT\00000647.re5
c:\recycler\NPROTECT\00000648.re5
c:\recycler\NPROTECT\00000649.re5
c:\recycler\NPROTECT\00000650.re5
c:\recycler\NPROTECT\00000651.re5
c:\recycler\NPROTECT\00000652.re5
c:\recycler\NPROTECT\00000653.RE5
c:\recycler\NPROTECT\00000654.FOL
c:\recycler\NPROTECT\00000655.FOL
c:\recycler\NPROTECT\00000656.FOL
c:\recycler\NPROTECT\00000657.FOL
c:\recycler\NPROTECT\00000658.FOL
c:\recycler\NPROTECT\00000659.FOL
c:\recycler\NPROTECT\00000660.FOL
c:\recycler\NPROTECT\00000661.FOL
c:\recycler\NPROTECT\00000662.FOL
c:\recycler\NPROTECT\00000663.FOL
c:\recycler\NPROTECT\00000664.FOL
c:\recycler\NPROTECT\00000665.FOL
c:\recycler\NPROTECT\00000666.FOL
c:\recycler\NPROTECT\00000667
c:\recycler\NPROTECT\00000668
c:\recycler\NPROTECT\00000669
c:\recycler\NPROTECT\00000670
c:\recycler\NPROTECT\00000671.dat
c:\recycler\NPROTECT\00000672.DAT
c:\recycler\NPROTECT\00000673
c:\recycler\NPROTECT\00000674
c:\recycler\NPROTECT\00000675
c:\recycler\NPROTECT\00000676
c:\recycler\NPROTECT\00000677
c:\recycler\NPROTECT\00000678.SI_
c:\recycler\NPROTECT\00000679.REG
c:\recycler\NPROTECT\00000681
c:\recycler\NPROTECT\00000682
c:\recycler\NPROTECT\00000683.cmd
c:\recycler\NPROTECT\00000684.CMD
c:\recycler\NPROTECT\00000685.img
c:\recycler\NPROTECT\00000686.img
c:\recycler\NPROTECT\00000687.img
c:\recycler\NPROTECT\00000688.img
c:\recycler\NPROTECT\00000689.img
c:\recycler\NPROTECT\00000690.img
c:\recycler\NPROTECT\00000691.exe
c:\recycler\NPROTECT\00000692.exe
c:\recycler\NPROTECT\00000693
c:\recycler\NPROTECT\00000694
c:\recycler\NPROTECT\00000695
c:\recycler\NPROTECT\00000696
c:\recycler\NPROTECT\00000697
c:\recycler\NPROTECT\00000698
c:\recycler\NPROTECT\00000699
c:\recycler\NPROTECT\00000700
c:\recycler\NPROTECT\00000701
c:\recycler\NPROTECT\00000702
c:\recycler\NPROTECT\00000703
c:\recycler\NPROTECT\00000704.sed
c:\recycler\NPROTECT\00000705.sed
c:\recycler\NPROTECT\00000706.bat
c:\recycler\NPROTECT\00000707.bat
c:\recycler\NPROTECT\00000708
c:\recycler\NPROTECT\00000709
c:\recycler\NPROTECT\00000711
c:\recycler\NPROTECT\00000716
c:\recycler\NPROTECT\00000717
c:\recycler\NPROTECT\00000718
c:\recycler\NPROTECT\00000719
c:\recycler\NPROTECT\00000720.CMD
c:\recycler\NPROTECT\00000721.cmd
c:\recycler\NPROTECT\00000722.dat
c:\recycler\NPROTECT\00000724
c:\recycler\NPROTECT\00000725
c:\recycler\NPROTECT\00000726
c:\recycler\NPROTECT\00000727
c:\recycler\NPROTECT\00000728
c:\recycler\NPROTECT\00000729
c:\recycler\NPROTECT\00000730
c:\recycler\NPROTECT\00000731
c:\recycler\NPROTECT\00000732
c:\recycler\NPROTECT\00000733
c:\recycler\NPROTECT\00000734
c:\recycler\NPROTECT\00000735
c:\recycler\NPROTECT\00000736
c:\recycler\NPROTECT\00000737
c:\recycler\NPROTECT\00000738
c:\recycler\NPROTECT\00000739
c:\recycler\NPROTECT\00000740
c:\recycler\NPROTECT\00000741.VBS
c:\recycler\NPROTECT\00000742
c:\recycler\NPROTECT\00000743
c:\recycler\NPROTECT\00000744
c:\recycler\NPROTECT\00000745
c:\recycler\NPROTECT\00000746
c:\recycler\NPROTECT\00000747.SYS
c:\recycler\NPROTECT\00000748
c:\recycler\NPROTECT\00000749
c:\recycler\NPROTECT\00000750
c:\recycler\NPROTECT\00000751
c:\recycler\NPROTECT\00000752
c:\recycler\NPROTECT\NPROTECT.LOG . . . . failed to delete
c:\recycler\S-1-5-21-1970226904-2619930774-1313513210-500\desktop.ini
c:\recycler\S-1-5-21-1970226904-2619930774-1313513210-500\INFO2
c:\recycler\S-1-5-21-2128814108-120919247-1307924255-500\desktop.ini
c:\recycler\S-1-5-21-2128814108-120919247-1307924255-500\INFO2
c:\recycler\S-1-5-21-24490976-4010482216-3067663967-500\desktop.ini
c:\recycler\S-1-5-21-24490976-4010482216-3067663967-500\INFO2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT
-------\Service_RkHit


((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-06-18 02:14 . 2009-06-18 02:14 -------- d-----w- c:\program files\Trend Micro
2009-06-15 17:58 . 2009-06-15 17:58 -------- d-----w- c:\documents and settings\Michael May\Application Data\Malwarebytes
2009-06-15 17:58 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 17:58 . 2009-06-15 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 17:58 . 2009-06-15 17:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 17:58 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 04:20 . 2007-12-26 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-19 01:34 . 2004-05-12 04:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-15 12:41 . 2004-08-30 03:08 -------- d-----w- c:\program files\Norton SystemWorks
2009-06-10 02:38 . 2008-12-20 00:11 -------- d-----w- c:\program files\iTunes
2009-05-07 15:32 . 2004-01-29 17:13 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 03:13 . 2009-05-02 03:12 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-05-02 03:13 . 2009-05-02 03:13 -------- d-----w- c:\program files\att-prt22
2009-05-02 03:13 . 2009-05-02 03:12 -------- d-----w- c:\program files\Common Files\Motive
2009-05-02 03:12 . 2009-05-02 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-04-29 04:56 . 2005-02-18 21:19 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-01-29 17:13 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-05-03 22:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-06 01:14 . 2009-04-06 01:14 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 524288]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-01 376912]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-06-18 151552]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"CpRmtKey"="c:\program files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE" [2003-12-09 94208]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2004-02-04 1409024]
"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2004-02-13 139264]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2004-02-12 53248]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-02-13 2904064]
"EzButton"="c:\program files\EzButton\EzButton.EXE" [2003-12-18 712704]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2004-02-12 638976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-07 36975]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-02-13 782336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-5-12 82026]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-11-27 303104]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
NETGEAR WG511v2 Wireless Assistant.lnk - c:\windows\Installer\{B93D24B3-928D-4805-B379-4AA47CB3794E}\NewShortcut1_1.exe [2005-5-12 2238]
Norton GoBack.lnk - c:\program files\Norton SystemWorks\Norton GoBack\GBTray.exe [2005-10-3 857728]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-1-29 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= "c:\program files\Metamail Inc\Metamail Reader\OE\OESHook.dll" [2003-04-07 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [1/29/2004 7:41 PM 10112]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [12/2/2004 2:11 AM 3744]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2/10/2004 3:58 PM 395008]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [12/2/2004 2:11 AM 3904]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~2\NORTON~2\NPROTECT.EXE [10/3/2005 3:50 PM 95832]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/21/2008 9:01 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 5:59 PM 101936]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [5/3/2004 2:05 PM 69692]
S3 ttv100x;TOSHIBA USB2 TV Tuner;c:\windows\system32\drivers\ttv100x.sys [10/15/2003 2:16 PM 1233024]
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2004-08-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2200 series5E771253C1676EBED677BF361FDFC537825E15B8083712704.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]

2009-06-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-26 02:23]

2009-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515768181-1641645791-2319526321-1005.job
- c:\documents and settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 00:30]

2009-06-13 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Michael May.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2005-09-24 17:13]

2009-06-15 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-06 04:02]

2009-06-21 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-04 02:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3} = 68.94.156.1 151.164.8.201
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 17:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3776)
c:\program files\Norton SystemWorks\Norton GoBack\ShellExt.dll
c:\progra~1\PANICW~1\POP-UP~1\XAHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\Power Management\CeEPwrSvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehsched.exe
c:\program files\Norton SystemWorks\Norton GoBack\GBPoll.exe
c:\windows\eHome\ehrec.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Norton SystemWorks\Norton Antivirus\IWP\NPFMNTOR.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Photodex\CompuPicPro17\scsiaccess.exe
c:\progra~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.exe
c:\toshiba\Ivp\Swupdate\swupdtmr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\NETGEAR\WG511v2\wlancfg5.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-06-21 17:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 22:08

Pre-Run: 33,799,577,600 bytes free
Post-Run: 33,477,038,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

790 --- E O F --- 2009-06-10 04:09

Bio-Hazard
2009-06-22, 15:57
Hello!

Can I see your new HijackThis log?

mmdallas
2009-06-24, 02:24
Hi Bio, Sorry for the slight delay ... here's the latest hijackthis log ...

thanks,



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:45 PM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131500730765
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3}: NameServer = 68.94.156.1 151.164.8.201
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14340 bytes
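
A small triage script for HijackThis log lines like the ones in the log above, as an added example that is not part of the thread or of the HijackThis tool. It parses the `Rn - ` / `On - ` entries and pulls out what is checked first on a "browser is being redirected" report: empty or set Start Page values (R0/R1), entries whose target file is gone (shown as `(no file)`), and the per-interface DNS servers in O17 lines, which can then be compared against the resolvers the ISP is expected to hand out. The sample lines are copied from the log above; the "expected resolvers" set passed at the end is a placeholder assumption, not a statement about which servers are legitimate for this machine.

```python
"""Triage of HijackThis v2 log lines (added example, not HijackThis's own code)."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3}: NameServer = 68.94.156.1 151.164.8.201
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Entry:
    kind: str   # section code such as "R0", "O9", "O17"
    body: str   # text after "Rn - " / "On - "


@dataclass
class Finding:
    code: str    # short machine-readable label
    detail: str  # what to look at


def parse_entries(text):
    """Return the Rn/On entries of a HijackThis log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def dns_servers(entries):
    """All IPv4 addresses named in O17 (per-interface NameServer) entries."""
    ips = []
    for e in entries:
        if e.kind == "O17":
            ips.extend(IPV4_RE.findall(e.body))
    return ips


def unexpected_dns(entries, expected):
    """O17 resolvers that are not in the set the ISP/admin is known to use."""
    return [ip for ip in dns_servers(entries) if ip not in expected]


def triage(entries):
    """Flag the entries a helper looks at first on a redirect complaint."""
    findings = []
    for e in entries:
        if e.kind in ("R0", "R1"):
            # body looks like "<hive>\...\Main,Start Page = <url>"; the
            # registry path never contains '=', so split on the first one
            key, _, value = e.body.partition("=")
            key, value = key.strip(), value.strip()
            if value == "":
                findings.append(Finding("empty-start-page", key))
            else:
                findings.append(Finding("start-page", f"{key} -> {value}"))
        elif e.body.endswith("(no file)"):
            # a hook or button whose DLL/EXE no longer exists: a dead entry
            findings.append(Finding("orphaned-entry", f"{e.kind} {e.body}"))
        elif e.kind == "O17":
            findings.append(Finding("dns-servers", ", ".join(IPV4_RE.findall(e.body))))
    return findings


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    for f in triage(ents):
        print(f"[{f.code}] {f.detail}")
    # 192.0.2.53 is a documentation-range placeholder for "the resolvers we
    # expect"; substitute the ISP's real addresses when using this check
    print("DNS servers not in the expected set:", unexpected_dns(ents, {"192.0.2.53"}))
```

The O17 check is the one most directly tied to a "Google redirects somewhere else" symptom: a resolver that is not the ISP's (or the router's) is worth verifying before anything else in the log, while an empty HKCU Start Page and the `(no file)` button are the housekeeping items a helper typically has HijackThis fix.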

Bio-Hazard
2009-06-24, 11:27
Disable Teatimer

Please disable Teatimer as it may interfere with the fix.


If you have version 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the system tray should now be colorless.
Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
Click on Mode > Advanced Mode. When it prompts you, click Yes.
On the left hand side, click on Tools.
Check this box if it is not yet ticked: Resident.
You will notice that Resident is now added under Tools. Click on Resident.
Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.
Exit Spybot Search & Destroy.
Reboot your machine for the changes to take effect.


Once your log is clean you can re-enable those settings in TeaTimer.



Remove HijackThis entries



Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed close the application.





Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 14.


Go to HERE (http://java.sun.com/javase/downloads/index.jsp)
Scroll down to where it says Java Runtime Environment (JRE) 6 Update 14
Click the Download button to the right
From the dropdown menu choose your platform. Which is Windows
Don't change the language box.
Click on the radio button to Accept License Agreement and after that click continue
Click on Windows Offline Installation Multi-language and save the downloaded file to your computer
Go to Start => Control Panel => Add or Remove Programs
Uninstall all old versions of Java (Java 2 Runtime Environment JRE or JSE)
Reboot your computer
Delete the folder C:\Program Files\Java if present
Install the new version by running the newly-downloaded file and follow the on-screen instructions.
Reboot your computer




ATF-Cleaner

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.



Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.




Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.






Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


Kaspersky Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

mmdallas
2009-06-26, 05:50
Hi Bio,

Did good on getting Java installed I think but couldn't get Kaspersky to load right ... after several tries it appears to load right but can't get it to scan so I can get a log.

If you have any thoughts on how I can get it to scan so I get a log I'd really appreciate input .... would it help me sending a hijackthis log?

Thanks,

Bio-Hazard
2009-06-26, 10:48
Hello!

Lets try another online scanner.

Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:





Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.



Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

mmdallas
2009-06-27, 20:09
Bio, ESET seemed to work well .... this is the file log I believe you need ... please advise if you need add'l info. Thanks.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=b0ba498d980d224d978bef9ee53a4e52
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-06-27 05:02:43
# local_time=2009-06-27 12:02:43 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 21 100 88 119265937500
# scanned=94388
# found=1
# cleaned=0
# scan_time=10547
C:\Qoobox\Quarantine\C\RECYCLER\NPROTECT\00000733.vir Eicar test file 00000000000000000000000000000000

Bio-Hazard
2009-06-27, 21:08
Hello!


That was the log I needed to see.

Please post the following logs/Information in your reply:
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

mmdallas
2009-06-28, 19:23
Bio,

With regard to overall computer performance it seems to be good however when trying to log onto internet explorer I'm still directed to the following page ... http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com ... with an "error page not found I believe it's error 404" ... then when I'm on that page I type "google.com" into my browser and can access the page.


I ran another hijackthis scan and here's the log generated ... thanks again

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:38 AM, on 6/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131500730765
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3}: NameServer = 68.94.156.1 151.164.8.201
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14537 bytes

Bio-Hazard
2009-06-28, 19:40
Back Up registry with ERUNT



Please use the following link and scroll down to ERUNT and download it on to your desktop. HERE (http://www.derfisch.de/lars/erunt-setup.exe)
Click on the erunt-setup.exe
Follow the prompts to install ERUNT
Choose language
A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO

http://i219.photobucket.com/albums/cc99/BioHazard_030/erunt.png
Backup your registry to the default location



Note: To restore your registry (if needed), go to the folder and start ERDNT.exe


Download and run OTM

Download OTM (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.


Double-click OTM.exe to run it.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area. Do not include the word Code.



:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com"

:Commands
[emptytemp]
[Reboot]


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.



NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Optional Fix

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything bad. This may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).

I recommend that you remove the Viewpoint products; however, decide for yourself.

To uninstall the Viewpoint components:


Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.


How to prevent it from being recreated every time you run the AOL software:

Open AOL
Go to Help on the toolbar
Select About AOL
Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.




Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


Gmer Log
OTM Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
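Added example (not part of this thread, HijackThis or OTM): a small Python triage script for the R0/R1 and O17 lines of a HijackThis log like the ones posted above. It pulls the Start Page value from both hives, flags a blank HKCU value sitting beside a set HKLM value, flags a start page whose host is not on the analyst's allowlist or whose URL is malformed (the embedded `*` and second `http://` in the Yahoo URL above), and checks O17 NameServer entries against the resolvers you expect to see. The sample lines are copied from the posted log; the allowlist and the expected-resolver set are assumptions the analyst supplies, so the script only reports whether 68.94.156.1 and 151.164.8.201 match what you expected (normally your ISP's resolvers), not whether they are legitimate.

```python
"""Triage R0/R1 (IE start/search page) and O17 (DNS NameServer) lines of a
HijackThis log. Example code written for this thread, not a HijackThis tool."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed sample: the R0/R1/O17 lines copied from the log posted above,
# plus one unrelated O23 line to show that other sections are ignored.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3}: NameServer = 68.94.156.1 151.164.8.201
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "R0 - HKLM\Software\...\Main,Start Page = <url>"  (url may be empty)
R_LINE = re.compile(r"^R[01] - (HKCU|HKLM)\\(.+?),([^=]+?)\s*=\s*(.*)$")
# "O17 - HKLM\System\CCS\...\{GUID}: NameServer = ip [ip ...]"
O17_LINE = re.compile(r"^O17 - .*NameServer\s*=\s*(.+)$")


@dataclass
class HjtSummary:
    start_pages: Dict[str, str] = field(default_factory=dict)   # hive -> URL
    other_r: Dict[str, str] = field(default_factory=dict)       # "hive\name" -> URL
    nameservers: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> HjtSummary:
    """Collect the IE start/search page values and DNS servers from a log."""
    summary = HjtSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            hive, _key, name, value = m.groups()
            if name == "Start Page":
                summary.start_pages[hive] = value
            else:
                summary.other_r[f"{hive}\\{name}"] = value
            continue
        m = O17_LINE.match(line)
        if m:
            # NameServer may list several resolvers separated by spaces or commas.
            summary.nameservers.extend(re.split(r"[\s,]+", m.group(1).strip()))
    return summary


def triage(text: str, expected_hosts: Iterable[str], expected_dns: Iterable[str]) -> List[str]:
    """Return human-readable findings. expected_hosts / expected_dns are the
    analyst's own allowlists (assumptions), e.g. the home page the user set
    and the ISP's resolvers; nothing here decides an address is 'bad'."""
    hosts, resolvers = set(expected_hosts), set(expected_dns)
    s = parse_hjt(text)
    findings: List[str] = []
    for hive in ("HKCU", "HKLM"):
        url = s.start_pages.get(hive)
        if url is None:
            continue
        if not url:
            findings.append(f"{hive} Start Page is blank (the other hive's value is what the browser gets)")
            continue
        host = urlsplit(url).hostname or ""
        if host not in hosts:
            findings.append(f"{hive} Start Page points at unexpected host {host!r}")
        if "*" in url or url.count("://") > 1:
            findings.append(f"{hive} Start Page URL is malformed (embedded '*' or second URL): {url}")
    for ns in s.nameservers:
        try:
            ipaddress.ip_address(ns)
        except ValueError:
            findings.append(f"O17 NameServer is not an IP address: {ns!r}")
            continue
        if ns not in resolvers:
            findings.append(f"O17 NameServer {ns} is not one of the expected resolvers")
    return findings


if __name__ == "__main__":
    # Hypothetical analyst inputs: the user wanted Google as the home page and
    # 68.94.156.1 / 151.164.8.201 are taken to be the ISP's resolvers.
    for f in triage(SAMPLE_LOG, {"www.google.com"}, {"68.94.156.1", "151.164.8.201"}):
        print("-", f)
```

The point of splitting the two hives out is visible in the log above: HKCU has a blank Start Page and HKLM carries the Yahoo URL, which is why the OTM :Reg fix writes both values rather than just the per-user one. Re-run the script on the fresh log after the fix; the HKLM finding should disappear and the O17 line should be unchanged.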

mmdallas
2009-06-29, 00:16
Bio,

I was successful (I think) in removing viewpoint manager using the "remove programs" tool ... however I couldn't find the "about aol" section you referenced.

I went to aol but under help there were many selections but none that I could find with "about" in them. When I tried several of the selections and then "control+D" I was prompted with the question do I want to bookmark the page so I hit cancel. Would like to fix aol so next time AIM is used it doesn't reinstall viewpoint.

Anyway here are the logs you requested ... if I'm missing any please advise.


Thanks,




MBR log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully





OTM log

All processes killed
========== REGISTRY ==========
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\"Start Page"|"http://www.msn.com" /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\"Start Page"|"http://www.msn.com" /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: %userprofile%

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Michael May
->Temp folder emptied: 125002 bytes
->Temporary Internet Files folder emptied: 35999509 bytes
->Java cache emptied: 13430901 bytes
->FireFox cache emptied: 17406772 bytes
->Google Chrome cache emptied: 6663686 bytes
->Apple Safari cache emptied: 226301 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 223761 bytes
Windows Temp folder emptied: 0 bytes

RecycleBin emptied: 877610 bytes

Total Files Cleaned = 71.55 mb


OTM by OldTimer - Version 3.0.0.2 log created on 06282009_152839

Files moved on Reboot...

Registry entries deleted on Reboot...






hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:27 PM, on 6/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131500730765
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3}: NameServer = 68.94.156.1 151.164.8.201
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14471 bytes

Bio-Hazard
2009-07-01, 10:40
Boot into Safe mode.

Here are the instructions on how to boot into Safe mode in Windows XP:

If the computer is running, shut down Windows and then turn off the power.
Wait 30 seconds and then turn the computer on.
Start tapping the F8 key (if this doesn't work, try the F5 key). The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a keyboard error message. To resolve this, restart the computer and try again.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
You can see "Safe mode" in every corner of your screen.
When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.


Remove HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed, close the application.


Logs/Information to Post in Next Reply

Please post the following logs/information in your reply:

A fresh HijackThis log (after all the above has been done)
A description of how your computer is behaving

mmdallas
2009-07-02, 05:37
Bio,

Did exactly what you said ... restarted my computer and it looks like it's running perfectly ... when I open my browser it opens to google (my homepage selected) ... I think all your work has fixed it !!

I really appreciate your persistence and professional help ... just from following your instructions I can appreciate how complex this was to solve ... sure is nice to know that people will take time out of their day to help someone else ... thanks again ...

Also, as requested, I ran a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:03 PM, on 7/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: MCIEPlugIn Class - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\TOSHIBA\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael May\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131500730765
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\CompuPicPro17\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10979 bytes
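
The helper's procedure above works by comparing scans: the first log shows the blank HKCU start page, the Yahoo HKLM start page and the O6 policy restriction, and the second log no longer has them. The script below is an added example, not part of this thread and not a HijackThis feature: it parses HijackThis v2 log text, reports which entries disappeared or appeared between two scans, and flags the entry types a helper checks first in a redirect case (R0/R1 start and search pages, O6 IE policy restrictions, O17 per-adapter DNS servers). The two embedded logs are constructed excerpts of the logs posted above with most lines omitted, and the `expected_hosts` set is an assumption the caller supplies (the hosts the owner actually chose), since a log cannot know that on its own.

```python
"""Parse HijackThis v2 logs, diff two scans, and flag the entry types that
matter in a browser-redirect case.  Added example, not a HijackThis feature."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# One HijackThis entry line: "<section> - <body>", e.g. "R0 - HKCU\...,Start Page ="
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Registry-style body "key = value"; the value may be empty (a blanked start page)
REG_VALUE = re.compile(r"^(?P<key>.+?) = ?(?P<value>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # R0, O2, O17, ...
    body: str     # everything after "R0 - "


def parse_hjt_log(text):
    """Return (boot_mode, running_processes, entries) from a HijackThis log."""
    boot_mode, processes, entries = None, [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Boot mode:"):
            boot_mode = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = HJT_LINE.match(line)
            if m:
                entries.append(Entry(m.group("section"), m.group("body")))
    return boot_mode, processes, entries


def diff_entries(before, after):
    """Entries only in the earlier scan (removed) and only in the later scan (added)."""
    b, a = set(before), set(after)
    key = lambda e: (e.section, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


def flag_redirect_indicators(entries, expected_hosts):
    """Return (entry, reason) pairs a helper would look at first in a redirect case.
    expected_hosts: hostnames the owner chose for start/search pages (caller's assumption)."""
    flagged = []
    for e in entries:
        if e.section in ("R0", "R1"):
            m = REG_VALUE.match(e.body)
            value = m.group("value").strip() if m else ""
            if not value:
                flagged.append((e, "start/search page value is blank"))
            else:
                host = urlparse(value).hostname or ""
                if host not in expected_hosts:
                    flagged.append((e, f"points at unexpected host {host}"))
        elif e.section == "O6":
            flagged.append((e, "IE policy restriction present (hides Control Panel options)"))
        elif e.section == "O17":
            flagged.append((e, "per-adapter DNS servers set; confirm they belong to the ISP or router"))
    return flagged


# Constructed excerpts of the two logs posted in this thread (most lines omitted).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBCCB38-8E2E-4665-9CA9-CA6F7D0355F3}: NameServer = 68.94.156.1 151.164.8.201
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

if __name__ == "__main__":
    _, _, before = parse_hjt_log(BEFORE_LOG)
    _, _, after = parse_hjt_log(AFTER_LOG)
    removed, added = diff_entries(before, after)
    print("removed between scans:", *[f"{e.section} - {e.body}" for e in removed], sep="\n  ")
    print("added between scans:", *[f"{e.section} - {e.body}" for e in added], sep="\n  ")
    for e, why in flag_redirect_indicators(before, {"go.microsoft.com", "www.google.com"}):
        print(f"REVIEW {e.section}: {why}")
```

Two caveats when reading the output. The O17 line is reported as "removed" only because the second scan was taken in Safe mode and does not contain it, not because anything was fixed there; compare scans taken in the same boot mode, which is also why the helper asked for one more log after a normal restart. The O17 flag is a prompt to confirm the DNS servers against what the ISP or router should hand out, not a verdict on them.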

Bio-Hazard
2009-07-04, 10:37
Hello!

Sorry for the delay. I had some family emergencies. It is looking very good.

Could you please post one more HijackThis log.

Bio-Hazard
2009-07-10, 08:37
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.