Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Spyware issues including search engine redirect

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 12th, 2010, 10:30 pm

log.txt (from RSIT):

Logfile of random's system information tool 1.06 (written by random/random)
Run by Kyle Van Impe at 2010-03-12 20:15:12
Microsoft Windows XP Professional Service Pack 3
System drive C: has 57 GB (55%) free of 104 GB
Total RAM: 1014 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:14 PM, on 3/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kyle Van Impe\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Kyle Van Impe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0699245605
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by134fd.bay134.hotmail.msn.com/a ... Atchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 11481 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll [2010-02-11 378736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL [2010-02-11 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2009-05-19 137600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll [2010-02-11 378736]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Tvs"=C:\Program Files\Toshiba\Tvs\TvsTray.exe [2006-02-02 73728]
"TPSMain"=C:\WINDOWS\system32\TPSMain.exe [2005-05-31 282624]
"THotkey"=C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe [2006-08-25 356352]
"TFncKy"=TFncKy.exe []
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-03-02 761948]
"SmoothView"=C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [2005-04-26 122880]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-05-04 16206848]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-09 153136]
"NDSTray.exe"=NDSTray.exe []
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2006-08-02 802816]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2006-08-02 696320]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2006-03-22 94208]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-03-22 118784]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-03-22 77824]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-10-06 122940]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-12-12 88204]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe [2007-11-28 583048]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"=C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe [2004-12-30 65536]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-03-12 153136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe

C:\Documents and Settings\Kyle Van Impe\Start Menu\Programs\Startup
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-03-22 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SymEFA.sys]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0
"NoFolderOptions"=0
"NoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=
"NoFolderOptions"=
"NoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 1 months======

2010-03-12 19:56:37 ----D---- C:\Documents and Settings\Kyle Van Impe\Application Data\Malwarebytes
2010-03-12 19:56:30 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-12 19:56:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-11 21:23:41 ----D---- C:\rsit
2010-03-07 15:56:37 ----D---- C:\Program Files\Trend Micro
2010-03-07 15:25:07 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-07 15:25:06 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-02-26 18:15:43 ----HDC---- C:\WINDOWS\$NtUninstallKB961503$
2010-02-26 18:12:47 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-21 20:04:06 ----D---- C:\Program Files\Microsoft Office Outlook Connector
2010-02-21 20:02:30 ----D---- C:\Program Files\Microsoft Sync Framework
2010-02-21 20:01:22 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2010-02-21 20:01:03 ----D---- C:\Program Files\Microsoft SQL Server Compact Edition
2010-02-21 20:00:23 ----HDC---- C:\WINDOWS\$NtUninstallKB954708$
2010-02-21 19:57:44 ----D---- C:\Program Files\Microsoft
2010-02-21 19:57:17 ----D---- C:\Program Files\Windows Live SkyDrive
2010-02-21 19:56:44 ----D---- C:\Program Files\Windows Live
2010-02-21 19:50:11 ----D---- C:\Program Files\Common Files\Windows Live

======List of files/folders modified in the last 1 months======

2010-03-12 20:08:38 ----D---- C:\WINDOWS\Temp
2010-03-12 20:08:23 ----D---- C:\WINDOWS
2010-03-12 20:07:53 ----D---- C:\WINDOWS\Registration
2010-03-12 20:07:35 ----D---- C:\WINDOWS\system32\DLA
2010-03-12 20:06:30 ----HDC---- C:\WINDOWS\$NtUninstallKB895961$
2010-03-12 20:06:30 ----D---- C:\WINDOWS\system32\drivers
2010-03-12 20:05:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-12 20:04:52 ----D---- C:\WINDOWS\system32
2010-03-12 20:04:52 ----D---- C:\Program Files
2010-03-12 15:50:00 ----SD---- C:\WINDOWS\Tasks
2010-03-12 15:46:34 ----D---- C:\Program Files\Adobe
2010-03-12 15:35:52 ----SHD---- C:\WINDOWS\Installer
2010-03-12 15:32:33 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-03-12 15:32:26 ----D---- C:\Program Files\Common Files\Adobe
2010-03-11 23:38:08 ----D---- C:\Program Files\Mozilla Firefox
2010-03-11 21:44:05 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-11 20:07:29 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-07 17:07:10 ----D---- C:\Program Files\Google
2010-03-07 16:05:13 ----AC---- C:\WINDOWS\wininit.ini
2010-03-07 15:33:00 ----D---- C:\Program Files\Internet Explorer
2010-03-07 14:51:03 ----D---- C:\Program Files\Common Files
2010-03-07 14:20:03 ----D---- C:\Program Files\Image-Line
2010-03-07 13:12:06 ----HD---- C:\WINDOWS\inf
2010-03-07 13:05:31 ----D---- C:\WINDOWS\WinSxS
2010-03-04 22:01:11 ----AC---- C:\WINDOWS\NeroDigital.ini
2010-02-26 18:12:59 ----A---- C:\WINDOWS\imsins.BAK
2010-02-22 20:37:17 ----D---- C:\WINDOWS\Microsoft.NET
2010-02-22 20:36:41 ----RSD---- C:\WINDOWS\assembly
2010-02-22 20:34:48 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-02-22 20:14:29 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-21 20:04:06 ----D---- C:\Program Files\Common Files\System
2010-02-21 20:03:29 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-02-21 20:02:17 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-02-21 20:01:25 ----D---- C:\WINDOWS\system32\DirectX
2010-02-21 19:58:41 ----D---- C:\Program Files\MSN Messenger
2010-02-21 19:57:26 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-02-21 19:56:52 ----RSD---- C:\WINDOWS\Fonts
2010-02-21 00:01:19 ----D---- C:\WINDOWS\repair
2010-02-14 22:37:48 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BHDrvx86;Symantec Heuristics Driver; C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-02-11 259632]
R1 ccHP;Symantec Hash Provider; C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-02-11 482432]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100310.001\IDSxpx86.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2005-06-01 102384]
R1 sdcplh;sdcplh; C:\WINDOWS\System32\drivers\sdcplh.sys [2005-09-15 40576]
R1 SRTSP;Symantec Real Time Storage Protection; C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS [2010-02-11 308272]
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS [2010-02-11 43696]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS [2010-02-11 217136]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.5.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-10-09 21419]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-10-06 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-10-06 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-10-06 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-10-06 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-10-06 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-10-06 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-10-06 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-08-05 54752]
R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\netdevio.sys [2003-01-29 12032]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-08-02 12544]
R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-12-12 1124097]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2006-01-12 163328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2010-02-11 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-03-22 1166972]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-05-04 4271616]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-11 21060]
R3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100312.022\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100312.022\NAVEX15.SYS []
R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw3x32.sys [2006-07-25 1707776]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;Symantec Network Filter Driver; C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS [2010-02-11 89904]
R3 SYMIDS;Symantec Network Filter Driver; C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS [2010-02-11 33072]
R3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2010-02-11 36400]
R3 SYMNDIS;Symantec Network Filter Driver; C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS [2010-02-11 36400]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-03-02 191968]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-11-30 162560]
R3 TVALD;Toshiba Mobile PC Service; C:\WINDOWS\system32\DRIVERS\NBSMI.sys [2005-10-20 6144]
R3 Tvs;TOSHIBA Virtual Sound with SRS technologies; C:\WINDOWS\system32\DRIVERS\Tvs.sys [2006-05-30 45696]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 f1db375d-790b-4821-8a07-09171ba2a9ff;f1db375d-790b-4821-8a07-09171ba2a9ff; \??\E:\CDS300\cds300.dll []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NPF;Netgroup Packet Filter; C:\WINDOWS\system32\drivers\npf.sys []
S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2008-04-13 11904]
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2008-04-13 11008]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2010-02-11 36400]
S3 TBiosDrv;TBiosDrv; \??\C:\WINDOWS\system32\Drivers\Tbiosdrv.sys []
S3 tosrfec;Bluetooth ACPI from TOSHIBA; C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 9344]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-06-05 39424]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2008-02-09 238968]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2005-01-17 40960]
R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\system32\DVDRAMSV.exe [2004-08-27 110592]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2006-08-02 434176]
R2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe [2007-11-28 583048]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 N360;Norton 360; C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-02-11 117640]
R2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2006-08-02 327680]
R2 S24EventMonitor;Intel(R) PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2006-08-02 937984]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R2 TAPPSRV;TOSHIBA Application Service; C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe [2006-02-07 35840]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-03-12 271920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-05-22 651720]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 fsssvc;Windows Live Family Safety Service; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 KodakCCS;Kodak Camera Connection Software; C:\WINDOWS\system32\drivers\KodakCCS.exe []
S3 LiveUpdate;LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [2008-02-09 3220856]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-03-29 779824]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada
Advertisement
Register to Remove

Re: Spyware issues including search engine redirect

Unread postby Dakeyras » March 13th, 2010, 7:54 am

Hi. :)

Flash disinfector: run
-this appears to have disabled the firewall (Windows Firewall) on my computer, and I can't turn it back on, either through the Windows Security thing or directly in the control panel.
Hmmm not come accross that one before and it should not have occurred. Not a problem however and we can check this when finished up with your husbands laptop.

during reboot, the computer ran a disk check, was this expected? I let it run as it looked right. The log is included in case anything is relevant.
Absolutely fine.

Reset Host File:

  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad: <-- Start >> Run... type in notepad and select OK
Code: Select all
@Echo off
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
del %0
  • Go to File >> Save As
  • Save File name as "Dakeyras.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look like this: Image

Now double click on the desktop Dakeyras.bat to run the batch file. It will self-delete when completed.

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK
Code: Select all
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select Off(not recommended) >> OK.

Note: No need for it to be active after the reset becuse the Norton 360 Firewall is active.

Next:

Please activate the internet connection for the laptop and carry out the below scan. If absolutely any problems encountered stop what you are doing, deactivate the internet connection and inform myself, thank you.

Now please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Scan with GMER:

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 13th, 2010, 10:25 am

To confirm, the hosts file and the reset firewall are for my computer, and the rest is on the infected computer, correct?
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada

Re: Spyware issues including search engine redirect

Unread postby Dakeyras » March 13th, 2010, 10:30 am

No, all pertains to the infected laptop. I apologise for not making that clear.

So reset the host file and SP3 firewall etc then proceed with the following instructions, thank you.

As mentioned we will address any issues/check for malware on your computer once we have finished with your husbands laptop. :)
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 13th, 2010, 6:58 pm

Ok, good to confirm then!

Host file: run.
Windows firewall: deactivated and defaults restored
-it was deactivated already.
Defogger: run
-as before, I couldn't download on the infected laptop, so it and the next were downloaded on my own and transferred
-it didn't ask to reboot, so I restarted it myself
GMER: currently running...is it supposed to take hours upon hours? I'll post the log when it's done.
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 14th, 2010, 1:11 am

Is there any way of retrieving a log later? I couldn't babysit the computer all day, and it froze after the scan finished.
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada

Re: Spyware issues including search engine redirect

Unread postby Dakeyras » March 14th, 2010, 7:21 am

Hi. :)

GMER: currently running...is it supposed to take hours upon hours? I'll post the log when it's done.
No it is not actually. OK by the time you read this post if it has not completed the scan merely stop it and proceed to the below instructions. If it did complete by all means post the log if available(but still carry out my instructions below).

Next:

Run Flash_Disinfector again as a precaution as outlined here on your computer.

Then download TDSSKiller.zip to your USB Drive.

Transfer the Zip file to the infected computer and extract the file to the desktop.

From within the newly created tdsskiller folder move TDSSKiller.exe to the desktop and delete the tdsskiller folder.

Click on Start >> Run... >> copy in the following text, and press Enter:
Code: Select all
"%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v
A Command Window will appear, follow the prompts.
There will be a log on your desktop when the scan is completed with the name report.
Copy and paste the contents of this log into your next reply.

Note: If unable to post the log from the infected computer transfer the log to your USB Drive and run Flash_Disinfector again as a precaution etc, thank you.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 14th, 2010, 1:06 pm

TDSSKiller: downloaded
-this one managed to download on his computer. I looked at the Downloads window that popped up, all the previous downloads that fail say "blocked by your security zone policy", I'm not sure if that's Firefox or Norton or something else. I think this one was ok to download because it's a .zip instead of a .exe.
-the .exe was blocked from extracting, so I followed the instructions to unblock that
-ran fine, log to follow (posted from infected computer)
Last edited by emoulding on March 14th, 2010, 1:08 pm, edited 1 time in total.
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 14th, 2010, 1:06 pm

11:05:02:578 1644 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
11:05:02:578 1644 ================================================================================
11:05:02:578 1644 SystemInfo:

11:05:02:578 1644 OS Version: 5.1.2600 ServicePack: 3.0
11:05:02:578 1644 Product type: Workstation
11:05:02:578 1644 ComputerName: KYLE
11:05:02:578 1644 UserName: Kyle Van Impe
11:05:02:578 1644 Windows directory: C:\WINDOWS
11:05:02:578 1644 Processor architecture: Intel x86
11:05:02:578 1644 Number of processors: 2
11:05:02:578 1644 Page size: 0x1000
11:05:02:578 1644 Boot type: Normal boot
11:05:02:578 1644 ================================================================================
11:05:02:578 1644 UnloadDriverW: NtUnloadDriver error 1
11:05:02:578 1644 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
11:05:02:578 1644 LoadDriverW: Driver already loaded
11:05:02:578 1644 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
11:05:02:578 1644 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
11:05:02:593 1644 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:05:02:593 1644 wfopen_ex: Trying to KLMD file open
11:05:02:593 1644 wfopen_ex: File opened ok (Flags 2)
11:05:02:593 1644 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
11:05:02:593 1644 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:05:02:593 1644 wfopen_ex: Trying to KLMD file open
11:05:02:593 1644 wfopen_ex: File opened ok (Flags 2)
11:05:02:593 1644 Initialize success
11:05:02:593 1644
11:05:02:593 1644 Scanning Services ...
11:05:03:140 1644 GetAdvancedServicesInfo: Raw services enum returned 390 services
11:05:03:156 1644
11:05:03:156 1644 Scanning Kernel memory ...
11:05:03:156 1644 Devices to scan: 4
11:05:03:156 1644
11:05:03:156 1644 Driver Name: Disk
11:05:03:156 1644 IRP_MJ_CREATE : F78E4BB0
11:05:03:156 1644 IRP_MJ_CREATE_NAMED_PIPE : 804F9739
11:05:03:156 1644 IRP_MJ_CLOSE : F78E4BB0
11:05:03:156 1644 IRP_MJ_READ : F78DED1F
11:05:03:156 1644 IRP_MJ_WRITE : F78DED1F
11:05:03:156 1644 IRP_MJ_QUERY_INFORMATION : 804F9739
11:05:03:156 1644 IRP_MJ_SET_INFORMATION : 804F9739
11:05:03:156 1644 IRP_MJ_QUERY_EA : 804F9739
11:05:03:156 1644 IRP_MJ_SET_EA : 804F9739
11:05:03:156 1644 IRP_MJ_FLUSH_BUFFERS : F78DF2E2
11:05:03:156 1644 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
11:05:03:156 1644 IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
11:05:03:156 1644 IRP_MJ_DIRECTORY_CONTROL : 804F9739
11:05:03:156 1644 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
11:05:03:156 1644 IRP_MJ_DEVICE_CONTROL : F78DF3BB
11:05:03:156 1644 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78E2F28
11:05:03:156 1644 IRP_MJ_SHUTDOWN : F78DF2E2
11:05:03:156 1644 IRP_MJ_LOCK_CONTROL : 804F9739
11:05:03:156 1644 IRP_MJ_CLEANUP : 804F9739
11:05:03:156 1644 IRP_MJ_CREATE_MAILSLOT : 804F9739
11:05:03:156 1644 IRP_MJ_QUERY_SECURITY : 804F9739
11:05:03:156 1644 IRP_MJ_SET_SECURITY : 804F9739
11:05:03:156 1644 IRP_MJ_POWER : F78E0C82
11:05:03:156 1644 IRP_MJ_SYSTEM_CONTROL : F78E599E
11:05:03:156 1644 IRP_MJ_DEVICE_CHANGE : 804F9739
11:05:03:156 1644 IRP_MJ_QUERY_QUOTA : 804F9739
11:05:03:156 1644 IRP_MJ_SET_QUOTA : 804F9739
11:05:03:218 1644 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:05:03:218 1644
11:05:03:218 1644 Driver Name: Disk
11:05:03:218 1644 IRP_MJ_CREATE : F78E4BB0
11:05:03:218 1644 IRP_MJ_CREATE_NAMED_PIPE : 804F9739
11:05:03:218 1644 IRP_MJ_CLOSE : F78E4BB0
11:05:03:218 1644 IRP_MJ_READ : F78DED1F
11:05:03:218 1644 IRP_MJ_WRITE : F78DED1F
11:05:03:218 1644 IRP_MJ_QUERY_INFORMATION : 804F9739
11:05:03:218 1644 IRP_MJ_SET_INFORMATION : 804F9739
11:05:03:218 1644 IRP_MJ_QUERY_EA : 804F9739
11:05:03:218 1644 IRP_MJ_SET_EA : 804F9739
11:05:03:218 1644 IRP_MJ_FLUSH_BUFFERS : F78DF2E2
11:05:03:218 1644 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
11:05:03:218 1644 IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
11:05:03:218 1644 IRP_MJ_DIRECTORY_CONTROL : 804F9739
11:05:03:218 1644 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
11:05:03:218 1644 IRP_MJ_DEVICE_CONTROL : F78DF3BB
11:05:03:218 1644 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78E2F28
11:05:03:218 1644 IRP_MJ_SHUTDOWN : F78DF2E2
11:05:03:218 1644 IRP_MJ_LOCK_CONTROL : 804F9739
11:05:03:218 1644 IRP_MJ_CLEANUP : 804F9739
11:05:03:218 1644 IRP_MJ_CREATE_MAILSLOT : 804F9739
11:05:03:218 1644 IRP_MJ_QUERY_SECURITY : 804F9739
11:05:03:218 1644 IRP_MJ_SET_SECURITY : 804F9739
11:05:03:218 1644 IRP_MJ_POWER : F78E0C82
11:05:03:218 1644 IRP_MJ_SYSTEM_CONTROL : F78E599E
11:05:03:218 1644 IRP_MJ_DEVICE_CHANGE : 804F9739
11:05:03:218 1644 IRP_MJ_QUERY_QUOTA : 804F9739
11:05:03:218 1644 IRP_MJ_SET_QUOTA : 804F9739
11:05:03:218 1644 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:05:03:218 1644
11:05:03:218 1644 Driver Name: Disk
11:05:03:218 1644 IRP_MJ_CREATE : F78E4BB0
11:05:03:218 1644 IRP_MJ_CREATE_NAMED_PIPE : 804F9739
11:05:03:218 1644 IRP_MJ_CLOSE : F78E4BB0
11:05:03:218 1644 IRP_MJ_READ : F78DED1F
11:05:03:218 1644 IRP_MJ_WRITE : F78DED1F
11:05:03:218 1644 IRP_MJ_QUERY_INFORMATION : 804F9739
11:05:03:218 1644 IRP_MJ_SET_INFORMATION : 804F9739
11:05:03:218 1644 IRP_MJ_QUERY_EA : 804F9739
11:05:03:218 1644 IRP_MJ_SET_EA : 804F9739
11:05:03:218 1644 IRP_MJ_FLUSH_BUFFERS : F78DF2E2
11:05:03:218 1644 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
11:05:03:218 1644 IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
11:05:03:218 1644 IRP_MJ_DIRECTORY_CONTROL : 804F9739
11:05:03:218 1644 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
11:05:03:218 1644 IRP_MJ_DEVICE_CONTROL : F78DF3BB
11:05:03:218 1644 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78E2F28
11:05:03:218 1644 IRP_MJ_SHUTDOWN : F78DF2E2
11:05:03:218 1644 IRP_MJ_LOCK_CONTROL : 804F9739
11:05:03:218 1644 IRP_MJ_CLEANUP : 804F9739
11:05:03:218 1644 IRP_MJ_CREATE_MAILSLOT : 804F9739
11:05:03:218 1644 IRP_MJ_QUERY_SECURITY : 804F9739
11:05:03:218 1644 IRP_MJ_SET_SECURITY : 804F9739
11:05:03:218 1644 IRP_MJ_POWER : F78E0C82
11:05:03:218 1644 IRP_MJ_SYSTEM_CONTROL : F78E599E
11:05:03:218 1644 IRP_MJ_DEVICE_CHANGE : 804F9739
11:05:03:218 1644 IRP_MJ_QUERY_QUOTA : 804F9739
11:05:03:218 1644 IRP_MJ_SET_QUOTA : 804F9739
11:05:03:218 1644 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:05:03:218 1644
11:05:03:218 1644 Driver Name: atapi
11:05:03:218 1644 IRP_MJ_CREATE : 87292856
11:05:03:218 1644 IRP_MJ_CREATE_NAMED_PIPE : 87292856
11:05:03:218 1644 IRP_MJ_CLOSE : 87292856
11:05:03:218 1644 IRP_MJ_READ : 87292856
11:05:03:218 1644 IRP_MJ_WRITE : 87292856
11:05:03:218 1644 IRP_MJ_QUERY_INFORMATION : 87292856
11:05:03:218 1644 IRP_MJ_SET_INFORMATION : 87292856
11:05:03:218 1644 IRP_MJ_QUERY_EA : 87292856
11:05:03:218 1644 IRP_MJ_SET_EA : 87292856
11:05:03:218 1644 IRP_MJ_FLUSH_BUFFERS : 87292856
11:05:03:218 1644 IRP_MJ_QUERY_VOLUME_INFORMATION : 87292856
11:05:03:218 1644 IRP_MJ_SET_VOLUME_INFORMATION : 87292856
11:05:03:234 1644 IRP_MJ_DIRECTORY_CONTROL : 87292856
11:05:03:234 1644 IRP_MJ_FILE_SYSTEM_CONTROL : 87292856
11:05:03:234 1644 IRP_MJ_DEVICE_CONTROL : 87292856
11:05:03:234 1644 IRP_MJ_INTERNAL_DEVICE_CONTROL : 87292856
11:05:03:234 1644 IRP_MJ_SHUTDOWN : 87292856
11:05:03:234 1644 IRP_MJ_LOCK_CONTROL : 87292856
11:05:03:234 1644 IRP_MJ_CLEANUP : 87292856
11:05:03:234 1644 IRP_MJ_CREATE_MAILSLOT : 87292856
11:05:03:234 1644 IRP_MJ_QUERY_SECURITY : 87292856
11:05:03:234 1644 IRP_MJ_SET_SECURITY : 87292856
11:05:03:234 1644 IRP_MJ_POWER : 87292856
11:05:03:234 1644 IRP_MJ_SYSTEM_CONTROL : 87292856
11:05:03:234 1644 IRP_MJ_DEVICE_CHANGE : 87292856
11:05:03:234 1644 IRP_MJ_QUERY_QUOTA : 87292856
11:05:03:234 1644 IRP_MJ_SET_QUOTA : 87292856
11:05:03:234 1644 Driver "atapi" infected by TDSS rootkit!
11:05:03:234 1644 C:\WINDOWS\system32\drivers\tsk1B.tmp - Verdict: 3
11:05:03:234 1644
11:05:03:234 1644 Completed
11:05:03:234 1644
11:05:03:234 1644 Results:
11:05:03:234 1644 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
11:05:03:234 1644 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:05:03:234 1644 File objects infected / cured / cured on reboot: 0 / 0 / 0
11:05:03:234 1644
11:05:03:234 1644 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
11:05:03:234 1644 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
11:05:03:234 1644 UnloadDriverW: NtUnloadDriver error 1
11:05:03:234 1644 KLMD_Unload: UnloadDriverW(klmd21) error 1
11:05:03:234 1644 KLMD(ARK) unloaded successfully
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada

Re: Spyware issues including search engine redirect

Unread postby Dakeyras » March 14th, 2010, 7:10 pm

Hi. :)

OK lets see if the following can be downloaded to the infected laptop. If not please transfer via your USB Drive in the safe manner advised in prior posts.

Note: if the executables for the below downloads will not work, run exehelper again and if still no success. Right click on each in turn and select rename:-

erunt-setup.exe - change to:- erunt-setup.scr

ComboFix.exe - change to:- dakeyras.com

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper


When completed the above, please post back the following in the order asked for:

  • How is the computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.
  • A new HijackThis Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 14th, 2010, 7:59 pm

I wasn't able to download on his computer, same issue.

Registry: backed up
Antivirus/firewalls: off
ComboFix: run

Logs in next posts.

ETA: should have mentioned, I turned the antivirus back on before I posted, and one of these things put a IE shortcut on the desktop.
Last edited by emoulding on March 14th, 2010, 8:02 pm, edited 1 time in total.
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 14th, 2010, 7:59 pm

ComboFix log:

ComboFix 10-03-14.04 - Kyle Van Impe 03/14/2010 17:41:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.436 [GMT -6:00]
Running from: c:\documents and settings\Kyle Van Impe\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\eSellerateEngine.dll
c:\windows\wiaservim.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-02-14 to 2010-03-14 )))))))))))))))))))))))))))))))
.

2010-03-14 23:48 . 2010-02-12 23:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-03-14 23:47 . 2010-02-02 01:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-03-14 23:27 . 2010-03-14 23:27 -------- d-----w- c:\program files\ERUNT
2010-03-14 16:55 . 2010-02-11 17:57 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100313.021\NAVENG32.DLL
2010-03-14 16:55 . 2010-02-11 17:57 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100313.021\NAVEX32A.DLL
2010-03-14 16:55 . 2010-02-11 17:57 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100313.021\NAVEX15.SYS
2010-03-14 16:55 . 2010-02-11 17:57 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100313.021\NAVENG.SYS
2010-03-14 16:55 . 2010-02-11 17:57 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100313.021\EECTRL.SYS
2010-03-14 16:55 . 2010-02-11 17:57 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100313.021\CCERASER.DLL
2010-03-14 16:55 . 2010-02-11 17:57 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100313.021\ECMSVR32.DLL
2010-03-14 16:55 . 2010-02-11 17:57 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100313.021\ERASER.SYS
2010-03-13 01:56 . 2010-03-13 01:56 -------- d-----w- c:\documents and settings\Kyle Van Impe\Application Data\Malwarebytes
2010-03-13 01:56 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 01:56 . 2010-03-13 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-13 01:56 . 2010-03-13 01:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 01:56 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 03:23 . 2010-03-12 03:24 -------- d-----w- C:\rsit
2010-03-12 00:13 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\Scxpx86.dll
2010-03-12 00:13 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSXpx86.sys
2010-03-12 00:13 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSxpx86.dll
2010-03-12 00:13 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSvix86.sys
2010-03-12 00:13 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSviA64.sys
2010-03-09 04:43 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSvix86.sys
2010-03-09 04:43 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSXpx86.sys
2010-03-09 04:43 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\Scxpx86.dll
2010-03-09 04:43 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSxpx86.dll
2010-03-09 04:43 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSviA64.sys
2010-03-07 21:56 . 2010-03-07 21:56 -------- d-----w- c:\program files\Trend Micro
2010-03-07 21:25 . 2010-03-12 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-07 21:25 . 2010-03-12 21:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-07 20:24 . 2010-03-07 20:24 152576 ----a-w- c:\documents and settings\Kyle Van Impe\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-25 00:28 . 2009-09-18 15:28 421888 ----a-w- c:\documents and settings\Kyle Van Impe\Application Data\Mozilla\Firefox\Profiles\bcwy5iuu.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2010-02-22 02:05 . 2010-03-01 04:18 -------- d-----w- c:\documents and settings\Kyle Van Impe\Tracing
2010-02-22 02:04 . 2010-02-22 02:04 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-02-22 02:03 . 2009-08-06 04:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-02-22 02:02 . 2010-02-22 02:02 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-02-22 02:01 . 2006-11-29 19:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-02-22 02:01 . 2010-02-22 02:01 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-22 01:57 . 2010-02-22 02:04 -------- d-----w- c:\program files\Microsoft
2010-02-22 01:57 . 2010-02-22 01:57 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-22 01:56 . 2010-02-22 02:03 -------- d-----w- c:\program files\Windows Live
2010-02-22 01:50 . 2010-02-22 01:50 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 23:20 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-12 21:32 . 2007-08-28 05:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-07 23:07 . 2006-11-29 03:35 -------- d-----w- c:\program files\Google
2010-03-07 20:24 . 2009-11-11 02:14 79488 ----a-w- c:\documents and settings\Kyle Van Impe\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-07 20:20 . 2009-08-01 05:57 -------- d-----w- c:\program files\Image-Line
2010-02-22 02:04 . 2006-11-05 09:36 33088 -c--a-w- c:\documents and settings\Kyle Van Impe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-22 01:58 . 2006-12-27 06:50 -------- d-----w- c:\program files\MSN Messenger
2010-02-15 04:37 . 2006-10-10 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-12 05:10 . 2006-10-12 23:00 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-12 03:03 . 2006-10-10 08:12 -------- d-----w- c:\program files\Symantec
2010-02-12 03:03 . 2010-02-12 03:03 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-12 03:03 . 2010-02-12 03:03 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-12 03:03 . 2010-02-12 03:03 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-12 03:03 . 2010-02-12 03:03 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-12 03:03 . 2006-10-10 08:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-12 02:52 . 2010-02-12 03:03 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-12 02:52 . 2008-01-29 18:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-12 02:52 . 2010-02-12 02:52 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-02-12 02:52 . 2010-02-12 02:52 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-02-12 02:51 . 2009-08-15 06:40 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-12 02:51 . 2010-02-12 02:51 771440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-02-12 02:51 . 2010-02-12 02:51 -------- d-----w- c:\program files\Norton 360
2010-02-12 02:51 . 2010-02-12 02:51 -------- d-----w- c:\program files\Windows Sidebar
2010-02-12 02:48 . 2010-02-12 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-12 02:48 . 2010-02-12 02:48 -------- d-----w- c:\program files\NortonInstaller
2010-02-12 02:48 . 2010-02-12 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-29 15:03 . 2009-08-01 06:00 -------- d-----w- c:\program files\VstPlugins
2010-01-23 00:25 . 2009-05-16 13:07 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2006-01-29 21:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-01-29 21:54 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-01-29 21:54 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2006-01-29 21:54 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2006-01-29 23:05 343040 ----a-w- c:\windows\system32\mspaint.exe
2006-10-17 03:27 . 2006-10-17 02:44 684 -c--a-w- c:\program files\MIB2ROM.TXT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]
"TFncKy"="TFncKy.exe" [BU]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 16206848]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"NDSTray.exe"="NDSTray.exe" [BU]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
IEHOME.LNK - c:\documents and settings\Default User\Local Settings\Temp\iehome.bat [2006-10-9 298]

c:\documents and settings\Kyle Van Impe\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-5-16 368640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-10-11 118784]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-29 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/14/2010 10:39 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/14/2010 10:39 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/14/2010 10:39 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSXpx86.sys [3/11/2010 6:13 PM 329592]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/14/2010 10:37 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/11/2010 11:57 AM 102448]
S3 f1db375d-790b-4821-8a07-09171ba2a9ff;f1db375d-790b-4821-8a07-09171ba2a9ff;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kyle Van Impe\Application Data\Mozilla\Firefox\Profiles\bcwy5iuu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Kyle Van Impe\Application Data\Mozilla\Firefox\Profiles\bcwy5iuu.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 17:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1016)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\TPSMain.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2010-03-14 17:54:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-14 23:54

Pre-Run: 59,798,519,808 bytes free
Post-Run: 59,718,598,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 3064E44A8319E4C5D9EE8E81A902B5FC
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 14th, 2010, 8:00 pm

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:52 PM, on 3/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0699245605
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by134fd.bay134.hotmail.msn.com/a ... Atchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10888 bytes
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada

Re: Spyware issues including search engine redirect

Unread postby Dakeyras » March 15th, 2010, 7:13 pm

Hi. :)

I wasn't able to download on his computer, same issue.
OK ComboFix managed to download and install the Recovery Console as part of its procedure.

So see if you can download and run the following application on your husbands laptop please:-

Download SystemLook from one of the links below and save it to the laptops Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :filefind
    atapi.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Spyware issues including search engine redirect

Unread postby emoulding » March 16th, 2010, 2:56 am

This one downloaded!

log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 00:50 on 16/03/2010 by Kyle Van Impe (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [06:59 14/11/2008] [06:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [23:53 14/03/2010] [23:20 14/03/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [18:28 18/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [22:59 03/08/2004] [18:17 03/02/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [22:59 03/08/2004] [23:20 14/03/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys --a--c 95360 bytes [00:49 30/01/2006] [12:00 10/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
User avatar
emoulding
Regular Member
 
Posts: 134
Joined: March 7th, 2010, 5:55 pm
Location: Vancouver, Canada
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 287 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware