lesser-equity

Magazine
Go Back   Computer Juice > Computer Software > Virus, Spyware & Security
Reload this Page

Re: Another Microsoft sabotage victim needs help

Register Site Spy Member List Donate Search Today's Posts Mark Forums Read Forum Rules

Register


 Default 

Re: Another Microsoft sabotage victim needs help




Reply
Page 1 of 2 1 2
 
Thread Tools
  #1  
Old 27th Jan 2008, 13:28
New Member Group
  
Default Re: Another Microsoft sabotage victim needs help

Thanx 4 replying Fant.

was going great until I got to Eset. sadly it's only compatible with Windows Vista.

A more informative version of my problem is in the Computer Software/ Web browsers & FTP clients forum, titled
Can no longer upload photos by IE or Firefox
Best read that!

I have a HiJack this I did before I read your reply anyway.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:05:35, on 27/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Autodesk\3ds Max

9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://us.rd.yahoo.com/customize/ie/...://www.yahoo.c

om/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://us.rd.yahoo.com/customize/ie/...://www.yahoo.c

om
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://us.rd.yahoo.com/customize/ie/...://www.yahoo.c

om
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://us.rd.yahoo.com/customize/ie/...://www.yahoo.c

om/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://us.rd.yahoo.com/customize/ie/...://www.yahoo.c

om
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://us.rd.yahoo.com/customize/ie/...://www.yahoo.c

om
O2 - BHO: (no name) - {018D5343-A32C-4FCE-90AA-EEF4F92E0F97} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {045a5cd4-a372-4f79-9af4-80090d02b6d4} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06A5ED63-3165-4DDC-82A0-0DB7103B310B} - (no file)
O2 - BHO: (no name) - {1240956F-9D1B-441C-855C-305E956C7512} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program

Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2bd4d144-f5af-40bf-9cff-78a0c7649cac} - (no file)
O2 - BHO: (no name) - {34239D2C-3C66-4A00-924E-B69D2223D3B7} - (no file)
O2 - BHO: (no name) - {3980BCAA-41AD-4DAE-9F54-369575967600} - (no file)
O2 - BHO: (no name) - {4428DA14-6F1D-44F2-84CA-0BC595710FB9} - (no file)
O2 - BHO: (no name) - {498C5D22-8AAA-4C19-9C8F-2D7CD70F689D} - (no file)
O2 - BHO: Spybot-S&D IE Protection -

{53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58D1FF78-BB42-491A-9968-7D4B6140BD26} - (no file)
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} -

C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: (no name) - {6b2664c4-9f60-45da-a8d2-7b150d84a950} - (no file)
O2 - BHO: (no name) - {70B67070-7112-4412-BDF4-44CDDDFA4A9E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7B8C1D92-DB32-43B2-A3A9-3CEB22A3E0A1} - (no file)
O2 - BHO: (no name) - {820218FA-17C3-4BC4-BC9A-1C5F96B70B72} - (no file)
O2 - BHO: (no name) - {89a895a6-5db3-489c-969c-53951826e64f} - (no file)
O2 - BHO: Windows Live Sign-in Helper -

{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common

Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A431DDA0-2B7B-4B0A-AB00-5A7F2F4C2BB9} - (no file)
O2 - BHO: (no name) - {A534B67D-CE62-4786-887B-6E72B013F1DF} - (no file)
O2 - BHO: Google Toolbar Notifier BHO -

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll
O2 - BHO: (no name) - {BB91B339-AB0B-47B3-8466-97EBD9F5D839} - (no file)
O2 - BHO: (no name) - {CA17C51D-E34E-41C8-B99E-93E7395F4CA3} - (no file)
O2 - BHO: (no name) - {D1779F6F-631C-4C98-A30D-CED0D736D831} - (no file)
O2 - BHO: (no name) - {EB065E8B-229D-44E4-B1E6-37C830111CB0} - (no file)
O2 - BHO: (no name) - {F42E012B-E661-4D5F-8B9E-94D9F8180F66} - (no file)
O3 - Toolbar: Show Norton Toolbar -

{90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common

Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common

Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m

"C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BM9f987237] Rundll32.exe

"C:\WINDOWS\system32\pyboqtff.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft

ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

(User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

(User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

(User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

(User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite -

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} -

C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} -

C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support)

- C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo

Uploader 4 Control) -

http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash

Object) -

http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags

Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program

Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# #

(Bonjour Service) - Apple Computer, Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) -

Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology

Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. -

C:\Program Files\Common Files\Macrovision Shared\FLEXnet

Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program

Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -

C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) -

Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation -

C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) -

Unknown owner - C:\Program Files\Autodesk\3ds Max

9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation

- C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STI Simulator - Unknown owner -

C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common

Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12606 bytes




Quote:
Originally Posted by evilfantasy View Post
The mouse is the culprit not the OS.


Look here >> Malware Removal - Please Read Before Posting Then post the logs in that forum.


Welcome to TCF.
  #2  
Old 27th Jan 2008, 13:46
Moderator Group
  
Default Re: Another Microsoft sabotage victim needs help

Moved to Virus, Spyware & Security.

The ESET scan is not only compatible with vista. It works fine on XP. As the instructions state you must use Internet Explorer.

What about the SuperAntispyware log?

Looking at the log.........
__________________
  #3  
Old 27th Jan 2008, 14:07
Moderator Group
  
Default Re: Another Microsoft sabotage victim needs help

Disable Spybots Tea Timer so it does not block any of the following fixes.

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.

First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Third:

With both Tea timer and SpyBot closed download ResetTeaTimer.zip
  • Unzip the file.
  • Double click ResetTeaTimer.bat to remove all entries set by SpyBot's TeaTimer.
  • Once it's ran, you can delete it. It will not be needed again.
Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Leave Tea Time turned OFF until we are completely done.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries:

O2 - BHO: (no name) - {018D5343-A32C-4FCE-90AA-EEF4F92E0F97} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {045a5cd4-a372-4f79-9af4-80090d02b6d4} - (no file)
O2 - BHO: (no name) - {06A5ED63-3165-4DDC-82A0-0DB7103B310B} - (no file)
O2 - BHO: (no name) - {1240956F-9D1B-441C-855C-305E956C7512} - (no file)
O2 - BHO: (no name) - {2bd4d144-f5af-40bf-9cff-78a0c7649cac} - (no file)
O2 - BHO: (no name) - {34239D2C-3C66-4A00-924E-B69D2223D3B7} - (no file)
O2 - BHO: (no name) - {3980BCAA-41AD-4DAE-9F54-369575967600} - (no file)
O2 - BHO: (no name) - {4428DA14-6F1D-44F2-84CA-0BC595710FB9} - (no file)
O2 - BHO: (no name) - {498C5D22-8AAA-4C19-9C8F-2D7CD70F689D} - (no file)
O2 - BHO: (no name) - {58D1FF78-BB42-491A-9968-7D4B6140BD26} - (no file)
O2 - BHO: (no name) - {6b2664c4-9f60-45da-a8d2-7b150d84a950} - (no file)
O2 - BHO: (no name) - {70B67070-7112-4412-BDF4-44CDDDFA4A9E} - (no file)
O2 - BHO: (no name) - {7B8C1D92-DB32-43B2-A3A9-3CEB22A3E0A1} - (no file)
O2 - BHO: (no name) - {820218FA-17C3-4BC4-BC9A-1C5F96B70B72} - (no file)
O2 - BHO: (no name) - {89a895a6-5db3-489c-969c-53951826e64f} - (no file)
O2 - BHO: (no name) - {A431DDA0-2B7B-4B0A-AB00-5A7F2F4C2BB9} - (no file)
O2 - BHO: (no name) - {A534B67D-CE62-4786-887B-6E72B013F1DF} - (no file)
O2 - BHO: (no name) - {BB91B339-AB0B-47B3-8466-97EBD9F5D839} - (no file)
O2 - BHO: (no name) - {CA17C51D-E34E-41C8-B99E-93E7395F4CA3} - (no file)
O2 - BHO: (no name) - {D1779F6F-631C-4C98-A30D-CED0D736D831} - (no file)
O2 - BHO: (no name) - {EB065E8B-229D-44E4-B1E6-37C830111CB0} - (no file)
O2 - BHO: (no name) - {F42E012B-E661-4D5F-8B9E-94D9F8180F66} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)

Close all windows except for HijackThis and click Fix checked.

Exit Hijackthis.

----------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally add the contents of the Report.txt in your next post.
----------

Run a new HJT scan and post the log also.

----------

Next post please include
SDFix log
New Hijackthis log
__________________
  #4  
Old 3rd Feb 2008, 14:04
New Member Group
  
Default Re: Another Microsoft sabotage victim needs help

Hey E-Fantasy

I'd already removed Spybot in a fit of pique.

So I followed your instructions.

The SDFix report is as follows:

SDFix: Version 1.136

Run by John on 03/02/2008 at 20:27

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 20:48:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000000
"TracesSuccessful"=dword:00000000
"LastTraceFailure"=dword:00000000

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"="C :\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe:*:E nabled:PowerCinema"
"C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"="C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\\Documents and Settings\\Kellyn\\Dawn of War\\LimeWire.exe"="C:\\Documents and Settings\\Kellyn\\Dawn of War\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\ \Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Ena bled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Progra m Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Ya hoo! FT Server"
"C:\\Documents and Settings\\Kellyn\\My Documents\\Last.fm\\LastFM.exe"="C:\\Documents and Settings\\Kellyn\\My Documents\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Program Files\\Microsoft games\\EXE\\Freelancer.exe"="C:\\Program Files\\Microsoft games\\EXE\\Freelancer.exe:*:Enabled:Freelancer"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ashwin75\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\ashwin75\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"="C:\\Pro gram Files\\Java\\jre1.5.0_10\\bin\\javaw.exe:*:Enabled :Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"="C:\\Program Files\\Pando Networks\\Pando\\pando.exe:*:Enabled:pando"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat:*:Enabled:The Battle for Middle-earth (tm)"
"C:\\games\\RedFaction\\rf.exe"="C:\\games\\RedFac tion\\rf.exe:*:Disabled:Red Faction"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Star Wars: Empire at War"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss"
"C:\\Documents and Settings\\Kellyn\\Dawn of War\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Kellyn\\Dawn of War\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjou r"
"C:\\DOCUME~1\\Kellyn\\LOCALS~1\\Temp\\win3CB.exe" ="C:\\DOCUME~1\\Kellyn\\LOCALS~1\\Temp\\win3CB.exe :*:Enabled:win3CB"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\ system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C :\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:E nabled:LaunchPad"
"C:\\Documents and Settings\\Kellyn\\Dawn of War\\Azureus\\Azureus.exe"="C:\\Documents and Settings\\Kellyn\\Dawn of War\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Enabled:Paltalk 9.1"
"C:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"="C:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe:*:Enabled:Camfrog Client Module"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"="C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe:*:Enabled:Mozilla Thunderbird"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpac eIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files:
---------------


Files with Hidden Attributes:

Tue 4 Dec 2007 56 ..SHR --- "C:\WINDOWS\system32\529D1CB3A1.sys"
Wed 19 Dec 2007 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 22 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 29 Aug 2005 121,240 A..H. --- "C:\Program Files\THQ\Dawn Of War\Disk1CheckW40k.EXE"
Thu 1 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e 78b88fd8276fd7d29cb7e4eb\BIT1.tmp"
Sun 2 Dec 2007 216,954 ...HR --- "C:\WINDOWS\system32\drivers\etc\Hosts.bak"

Finished!


The new HJT report is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02:51, on 03/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [BM9f987237] Rundll32.exe "C:\WINDOWS\system32\pyboqtff.dll",s
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9797 bytes

What do you make of it?

JonDe
  #5  
Old 3rd Feb 2008, 16:15
Moderator Group
  
Default Re: Another Microsoft sabotage victim needs help

Open Hijackthis and place a check mark next to

O4 - HKLM\..\Run: [BM9f987237] Rundll32.exe "C:\WINDOWS\system32\pyboqtff.dll",s

Close all windowas and click Fix checked.

----------

Now download The Avenger By Swandog46, and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Check the Input script manually box.
  • Click on the Magnifying Glass Icon which will open a new window titled View/edit script
  • Copy everything in the Quote box below, and paste it in the box that opens:
Drivers to unload:

Code:
Files to delete:
C:\WINDOWS\system32\pyboqtff.dll
Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
  • Now click the 'Done' button.
  • Click on the Green Light and OK the prompt.
  • You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
  • A log file from Avenger will be produced at C:\avenger.txt
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions.
  • This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  • Please attach the C:\avenger.txt in your next post.

----------

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)Important! Combofix.exe MUST be saved to and ran from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

----------

Next post
Avenger log
Combofix log
__________________
  #6  
Old 4th Feb 2008, 16:37
New Member Group
  
Default Re: Another Microsoft sabotage victim needs help

Evilfantasy, before I do any more stuff, I need to tell yyou everything has got worse.

FIRSTLY there was the uploading problem.

SECONDLY: 2 days ago the screen definitions stretched without prompting. Square photos are now horizontal rectangles, round icons are ovoid and Ariel narrow is Ariel Wide. I cannot change it back. My only definitions are 800x600, 1024x768, 1280x1024, 1400x1050, 1600x1200, 2048x1536. None of them correct the horizontal stretching.

THIRDLY Now: Scrolling up and down, the screen "ripples" or "unrolls" and is unbearably slow. My 228GB PC with 1GB of RAM is running like an Amstrad.

Should I restore? Is there anything that can save me from doing that?
  #7  
Old 4th Feb 2008, 17:07
Moderator Group
  
Default Re: Another Microsoft sabotage victim needs help

Unless I see the logs I request I can't tell if there is any malware that is causing this.
__________________
  #8  
Old 4th Feb 2008, 17:13
New Member Group
  
Default Re: Another Microsoft sabotage victim needs help

Er actually Evi I can now upload pix from Firefox, so whatever you did was the trip. A Mrs Lovett meat pie as reward!

But where the f@*k did this screen stretch come from? And the rippling screen when scrolling?

It never rains but it pours!

JonDe
  #9  
Old 4th Feb 2008, 17:16
Moderator Group
  
Default Re: Another Microsoft sabotage victim needs help

Can you npost the combofix log.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)Important! Combofix.exe MUST be saved to and ran from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
__________________
  #10  
Old 9th Feb 2008, 14:43
New Member Group
  
Default Re: Another Microsoft sabotage victim needs help

ComboFix 08-02.05.3 - John 2008-02-09 21:22:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.537 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 14:56 . 2008-02-09 14:56 <DIR> d-------- C:\Program Files\Bullfrog
2008-02-05 23:08 . 2008-02-05 23:08 <DIR> d-------- C:\Program Files\Jnes 0.6
2008-02-05 21:13 . 2008-02-05 21:13 <DIR> d-------- C:\Program Files\Azureus
2008-02-05 03:14 . 2008-02-05 03:14 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-02-04 05:38 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-04 05:38 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-04 05:38 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-03 22:52 . 2008-02-03 22:52 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-03 22:42 . 2008-02-03 23:00 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-03 22:42 . 2008-02-03 23:00 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-03 22:42 . 2008-02-03 23:00 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-03 22:42 . 2008-02-03 23:00 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-03 21:18 . 2008-01-21 22:34 69,765 --a------ C:\12-EternalYouth.jpg
2008-02-03 20:25 . 2008-02-03 20:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-03 20:02 . 2008-02-03 20:55 <DIR> d-------- C:\SDFix
2008-02-03 12:59 . 2008-02-03 22:09 <DIR> d-------- C:\Program Files\The Weather Channel FW
2008-02-03 12:57 . 2008-02-03 12:57 <DIR> d-------- C:\WINDOWS\PaltalkScene
2008-02-03 00:33 . 2008-02-03 00:33 <DIR> d-------- C:\Documents and Settings\Anita\Application Data\vlc
2008-01-30 07:54 . 2008-01-30 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-30 07:52 . 2008-01-30 07:52 <DIR> d-------- C:\Program Files\Namco Bandai
2008-01-30 07:52 . 2006-03-20 17:33 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-01-30 07:51 . 2008-01-30 08:03 <DIR> d-------- C:\WHM
2008-01-30 00:33 . 2008-02-03 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-01-30 00:33 . 2006-03-29 08:50 671,744 --a------ C:\WINDOWS\system32\DolbyHph.dll
2008-01-30 00:33 . 2006-03-29 08:51 60,416 --a------ C:\WINDOWS\system32\DSETUP.dll
2008-01-30 00:33 . 2006-03-29 08:49 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-01-30 00:08 . 2008-01-30 00:08 <DIR> d-------- C:\DECCHECK
2008-01-29 23:59 . 2008-01-29 23:59 36 ---h----- C:\WINDOWS\system32\swk.ini
2008-01-29 23:58 . 2008-01-29 23:59 <DIR> d-------- C:\Program Files\Power DVD Player
2008-01-29 14:17 . 2008-02-07 02:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-29 14:17 . 2008-01-29 14:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-29 10:00 . 2008-01-29 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-27 18:57 . 2008-01-27 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-27 18:46 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-27 18:27 . 2008-01-27 19:45 <DIR> d-------- C:\Documents and Settings\John\.SunDownloadManager
2008-01-27 14:15 . 2008-02-09 21:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-27 14:15 . 2008-01-27 14:15 <DIR> d-------- C:\Documents and Settings\John\Application Data\SUPERAntiSpyware.com
2008-01-27 14:15 . 2008-01-27 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-27 04:29 . 2008-01-27 04:29 <DIR> d-------- C:\Documents and Settings\John\Application Data\InstallShield
2008-01-22 23:17 . 2008-01-23 00:23 1,883,276 ---hs---- C:\WINDOWS\system32\qsedesrs.ini
2008-01-21 22:27 . 2008-01-22 23:08 1,836,941 ---hs---- C:\WINDOWS\system32\baxfuidi.ini
2008-01-18 11:39 . 2008-01-19 11:56 1,552,136 ---hs---- C:\WINDOWS\system32\liniklxa.ini
2008-01-11 01:21 . 2008-02-09 18:14 16,516 --a------ C:\WINDOWS\BM9f987237.xml
2008-01-11 01:21 . 2008-02-09 20:57 21 --a------ C:\WINDOWS\pskt.ini
2008-01-09 11:18 . 2008-01-09 11:18 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 11:18 . 2008-01-09 11:18 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-09 11:18 . 2008-01-09 11:18 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18 . 2008-01-09 11:18 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-09 11:18 . 2008-01-09 11:18 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-09 11:16 . 2008-01-09 11:16 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 11:16 . 2008-01-09 11:16 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 11:16 . 2008-01-09 11:16 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 11:16 . 2008-01-09 11:16 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-01-09 11:16 . 2008-01-09 11:16 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2008-01-09 11:16 . 2008-01-09 11:16 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2008-01-09 11:16 . 2008-01-09 11:16 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-01-09 11:16 . 2008-01-09 11:16 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-02-09 21:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-09 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-09 19:59 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-09 18:13 --------- d-----w C:\Documents and Settings\Kellyn\Application Data\Azureus
2008-02-09 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-09 13:53 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-02-07 00:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 07:50 --------- d-----w C:\Program Files\Norton 360
2008-02-05 03:30 --------- d-----w C:\Program Files\Mesh Online
2008-02-03 23:00 --------- d-----w C:\Program Files\Symantec
2008-02-03 22:23 --------- d-----w C:\Program Files\VideoLAN
2008-02-03 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-03 22:10 --------- d-----w C:\Program Files\StarWarsGalaxies
2008-02-03 19:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-03 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 12:59 --------- d-----w C:\Program Files\Yahoo!
2008-02-03 12:57 --------- d-----w C:\Program Files\Paltalk Messenger
2008-02-03 12:57 --------- d-----w C:\Documents and Settings\John\Application Data\Paltalk
2008-02-02 14:10 --------- d-----w C:\Documents and Settings\Kellyn\Application Data\LimeWire
2008-02-02 12:16 --------- d-----w C:\Program Files\DivX
2008-01-30 07:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-27 18:53 --------- d-----w C:\Program Files\Java
2008-01-27 14:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-27 14:01 --------- d-----w C:\Program Files\Sony Ericsson
2008-01-27 13:55 --------- d-----w C:\Program Files\Risk II
2008-01-27 13:50 --------- d-----w C:\Program Files\CyberLink
2008-01-27 13:37 --------- d-----w C:\Program Files\Sony
2008-01-27 13:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\OD2
2008-01-27 13:26 --------- d-----w C:\Program Files\Morgan
2008-01-27 13:22 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-27 13:22 --------- d-----w C:\Program Files\iTunes
2008-01-27 13:21 --------- d-----w C:\Program Files\Hero Editor
2008-01-27 13:17 --------- d-----w C:\Program Files\greenstreet
2008-01-27 13:11 --------- d-----w C:\Program Files\Divine Divinity
2008-01-27 13:10 --------- d-----w C:\Program Files\Dark Basic Software
2008-01-27 13:09 --------- d-----w C:\Program Files\Sytexis Software
2008-01-27 13:06 --------- d-----w C:\Program Files\Apple Software Update
2008-01-27 12:27 --------- d-----w C:\Program Files\Camfrog
2008-01-27 04:52 --------- d-----w C:\Program Files\WebEye
2008-01-27 04:49 --------- d-----w C:\Program Files\Astraware
2008-01-27 04:47 --------- d-----w C:\Program Files\Autodesk
2008-01-27 04:42 --------- d-----w C:\Program Files\Acala DVD to Pocket PC movie
2008-01-27 04:38 --------- d-----w C:\Program Files\Dealio
2008-01-27 04:36 --------- d--h--w C:\Program Files\Zero G Registry
2008-01-27 04:35 --------- d-----w C:\Documents and Settings\John\Application Data\ICQ
2008-01-27 04:33 --------- d-----w C:\Program Files\InterActual
2008-01-27 04:31 --------- d-----w C:\Program Files\Klondike WAP Browser
2008-01-27 04:30 --------- d-----w C:\Program Files\mIRC
2008-01-27 04:28 --------- d-----w C:\Program Files\MySpace
2008-01-27 04:14 --------- d-----w C:\Program Files\Skype
2008-01-27 04:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-01-27 04:12 --------- d-----w C:\Program Files\TryFastMessenger
2008-01-27 04:12 --------- d-----w C:\Program Files\TibEd
2008-01-27 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-23 00:02 --------- d--h--r C:\Documents and Settings\John\Application Data\yahoo!
2008-01-23 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-23 00:00 --------- d-----w C:\Program Files\ICQToolbar
2008-01-23 00:00 --------- d-----w C:\Program Files\Google
2008-01-22 00:16 --------- d-----w C:\Program Files\Uxtevorr
2008-01-22 00:16 --------- d-----w C:\Program Files\Fhqvluaw
2008-01-22 00:16 --------- d-----w C:\Program Files\Drmtytus
2008-01-21 23:57 --------- d-----w C:\Program Files\vidypmrk
2008-01-20 21:31 --------- d-----w C:\Documents and Settings\Kellyn\Application Data\IMVU
2008-01-19 18:46 --------- d-----w C:\Documents and Settings\Kellyn\Application Data\dvdcss
2008-01-11 23:23 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-03 01:00 --------- d--h--r C:\Documents and Settings\Kellyn\Application Data\SecuROM
2008-01-01 20:51 --------- d-----w C:\Program Files\EA GAMES
2007-12-30 17:14 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-30 17:14 --------- d--h--r C:\Documents and Settings\Anita\Application Data\SecuROM
2007-12-16 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-16 14:00 --------- d-----w C:\Program Files\ReflexiveArcade
2007-12-14 13:29 --------- d-----w C:\Program Files\Wizards of the Coast
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-07 01:05 532,480 ----a-w C:\WINDOWS\system32\Marie Antoinette.scr
2007-05-08 18:10 24,192 ----a-w C:\Documents and Settings\John\usbsermptxp.sys
2007-05-08 18:10 22,768 ----a-w C:\Documents and Settings\John\usbsermpt.sys
2007-03-11 09:56 664 ----a-w C:\Documents and Settings\Ashwin\Application Data\wklnhst.dat
2007-01-02 04:15 92,064 ----a-w C:\Documents and Settings\Kellyn\mqdmmdm.sys
2007-01-02 04:15 9,232 ----a-w C:\Documents and Settings\Kellyn\mqdmmdfl.sys
2007-01-02 04:15 79,328 ----a-w C:\Documents and Settings\Kellyn\mqdmserd.sys
2007-01-02 04:15 66,656 ----a-w C:\Documents and Settings\Kellyn\mqdmbus.sys
2007-01-02 04:15 6,208 ----a-w C:\Documents and Settings\Kellyn\mqdmcmnt.sys
2007-01-02 04:15 5,936 ----a-w C:\Documents and Settings\Kellyn\mqdmwhnt.sys
2007-01-02 04:15 4,048 ----a-w C:\Documents and Settings\Kellyn\mqdmcr.sys
2007-01-02 04:15 25,600 ----a-w C:\Documents and Settings\Kellyn\usbsermptxp.sys
2007-01-02 04:15 22,768 ----a-w C:\Documents and Settings\Kellyn\usbsermpt.sys
2007-01-01 14:04 0 ----a-w C:\Documents and Settings\John\Application Data\wklnhst.dat
2002-04-10 19:17 20,280,855 ----a-w C:\Program Files\CEPSETUP.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 18:44 1200128]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 19:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-03-30 23:17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 19:00 15360]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9cab41ab]
C:\WINDOWS\system32\cepyreej.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
C:\Program Files\Dealio\DealioAU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bkvkzgne]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\bkvkzgne.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullGuard]
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camfrog]
--a------ 2003-09-29 06:22 36352 C:\Program Files\Camfrog\Camfrog Video Chat\CamfrogNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CityNameTransGrim]
C:\Documents and Settings\All Users\Application Data\SafeBashCityName\bash bags.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 19:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dalchefi]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\dalchefi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2005-11-15 18:44 1200128 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\CyberLink\PowerCinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
--a------ 2003-06-20 14:06 118784 C:\WINDOWS\system32\ptipbmf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2007-09-13 00:15 214296 C:\Program Files\Real\RealOne Player\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remoteinfo]
C:\DOCUME~1\John\APPLIC~1\ROAMHO~1\Frag Cash.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\Program Files\SecCenter\scprot4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
--a------ 2005-10-26 15:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-03-11 07:08 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
--a------ 2005-11-11 16:47 290816 C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-03-30 23:17 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-13 00:15 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Defender]
C:\Program Files\Ultimate Defender\UltimateDefender.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vidypmrk]
C:\Program Files\vidypmrk\lqtuhgnc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yjcrihgr]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\yjcrihgr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BsMailProxy"=2 (0x2)
"BsFirewall"=2 (0x2)
"BsFileSpy"=2 (0x2)
"BGMainSvc"=2 (0x2)
"BGLiveSvc"=2 (0x2)

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-10 19:00]
S3 bfastfao;bfastfao;C:\DOCUME~1\Kellyn\LOCALS~1\Temp \bfastfao.sys []
S3 PAC207;SoC PC-Camer@;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-27 14:57]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S4 m5287;m5287;C:\WINDOWS\system32\DRIVERS\m5287.sys [2005-02-05 07:00]
S4 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2004-12-01 10:49]

*Newly Created Service* - COMHOST
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 21:23:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-02-09 21:23:58
ComboFix-quarantined-files.txt 2008-02-09 21:23:56
ComboFix2.txt 2008-02-09 21:03:46
.
2008-01-09 20:49:25 --- E O F ---
Reply
Page 1 of 2 1 2

Register

Bookmarks

Similar Threads
Thread Thread Starter Forum Replies Last Post
Moving from Microsoft Office 2007 Outlook on PC 2 Microsoft Office X Entoutage on MAC jjuli Office Suites & Applications 0 11th Jun 2009 15:52
10 Facts You Didn't Know About Microsoft Hybr!d Windows Operating Systems 11 3rd Nov 2008 11:51
Vista, sabotage gintherman Multimedia & Codecs 4 19th Apr 2008 19:44
Another Microsoft sabotage victim needs help jondemassey Introduce Yourself Here 3 30th Jan 2008 12:50
You May Be a Victim of Software Counterfeiting! johnnyd0247 Windows Operating Systems 7 6th Aug 2007 04:19
Thread Tools



Arabic Bulgarian Chinese (Simplified) Chinese (Traditional) Croatian Czech Danish Dutch English Finnish French German Greek Hebrew Hungarian Italian Japanese Korean Latvian Lithuanian Norwegian Polish Portuguese Romanian Russian Serbian Slovak Spanish Swedish Thai Turkish Ukrainian

Copyright ©2006 - 2009 Computer Juice.
Contact - Privacy - Sitemap - Top

Powered by vBulletin® Copyright ©2000 - 2009 Jelsoft Enterprises Ltd. SEO by vBSEO ©2009, Crawlability, Inc.