
Solved: what is sys33.exe?

Discussion in 'Virus & Other Malware Removal' started by Smokes, Jan 29, 2007.

  1. Smokes

    Smokes Thread Starter

    Joined:
    May 11, 2006
    Messages:
    237
    I open Task Manager and firefox.exe is running when I don't have it open, so I end that, and sys33.exe pops up and reopens Firefox; then sys33.exe closes down, leaving Firefox open in the background sucking up memory. Is there a fix for this?

    The sys.exe file was with a sys33 install in C:\Windows\Prefetch, so I deleted those files. The installer was in C:\Windows\System32; I deleted that file too, and also deleted the registry entries
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    sys33 = "Sys33.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices
    sys33 = "Sys33.exe"

    and removed it with HijackThis, but it just goes right back in all the same places... so how do you get rid of this? My anti-spyware doesn't detect it, and neither will the anti-virus.
     
  2. Smokes

    Smokes Thread Starter

    Joined:
    May 11, 2006
    Messages:
    237
    Oops, forgot about the HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:17:01 PM, on 1/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\ETrust\CA Anti-Virus\ISafe.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ETrust\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\ETrust\CA Personal Firewall\capfsem.exe
    C:\WINDOWS\SYSTEM32\NETCMD.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\REGMec6.0\RegMech.exe
    C:\Program Files\ETrust\cctray\cctray.exe
    C:\Program Files\ETrust\CA Anti-Virus\CAVRID.exe
    C:\Program Files\ETrust\CA Personal Firewall\capfaem.exe
    C:\Program Files\ETrust\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\ETrust\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\REGMec6.0\RegMech.exe /H
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\ETrust\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\ETrust\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [cafwc] C:\Program Files\ETrust\CA Personal Firewall\cafw.exe -cl
    O4 - HKLM\..\Run: [capfaem] C:\Program Files\ETrust\CA Personal Firewall\capfaem.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\ETrust\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\RunOnce: [*sys33] C:\WINDOWS\system32\sys33.exe
    O4 - HKCU\..\Run: [sys33] C:\WINDOWS\system32\sys33.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157522165628
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157570551406
    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab53984.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
    O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://www.sonypictures.com/games/thedavincicode/DVCDownloaderControl.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\ETrust\CA Anti-Virus\ISafe.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\ETrust\CA Anti-Virus\VetMsg.exe
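    As an added example (not part of this thread, of HijackThis, or of any tool mentioned here), the following Python script parses the O4 autostart lines of a HijackThis log like the one above and flags two things a defender looks for first: a RunOnce value whose name starts with an asterisk, which Windows runs even in Safe Mode, and one executable registered under more than one autostart location, which is the pattern that lets a dropper re-register itself after a single entry is deleted. The sample lines are copied from the log above; the regexes, class and function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# HijackThis O4 line:  O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# First (optionally quoted) token ending in .exe, then the DLL a rundll32 entry loads.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)
DLL_RE = re.compile(r'[^\s"]+\.dll', re.IGNORECASE)

# Constructed sample: O4 lines copied from the HJT log in this thread, plus one
# non-O4 line to show that other sections are ignored.
SAMPLE_HJT_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\REGMec6.0\RegMech.exe /H
O4 - HKLM\..\Run: [cctray] "C:\Program Files\ETrust\cctray\cctray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [*sys33] C:\WINDOWS\system32\sys33.exe
O4 - HKCU\..\Run: [sys33] C:\WINDOWS\system32\sys33.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
"""


def executable_of(command: str) -> str:
    """Normalise an autostart command to the binary that actually gets loaded."""
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip().lower()
    path = m.group("path")
    # For rundll32 the interesting module is the DLL argument, not rundll32 itself.
    if path.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
        dll = DLL_RE.search(command[m.end():])
        if dll:
            return dll.group(0).lower()
    return path.lower()


@dataclass(frozen=True)
class AutostartEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, RunServices, ...
    name: str      # registry value name, e.g. "*sys33"
    command: str   # registry value data

    @property
    def executable(self) -> str:
        return executable_of(self.command)


def parse_o4(lines) -> list:
    """Return AutostartEntry objects for every O4 line; other HJT sections are skipped."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutostartEntry(**m.groupdict()))
    return entries


def safe_mode_runonce(entries) -> list:
    """RunOnce values whose name starts with '*' are executed even in Safe Mode
    (documented Windows behaviour), so a Safe Mode cleanup does not stop them."""
    return [e for e in entries
            if e.key.lower().startswith("runonce") and e.name.startswith("*")]


def redundant_autostarts(entries) -> dict:
    """Executables registered under more than one (hive, key) autostart location."""
    by_exe = defaultdict(list)
    for e in entries:
        by_exe[e.executable].append(e)
    return {exe: es for exe, es in by_exe.items()
            if len({(x.hive, x.key) for x in es}) > 1}


def triage(lines) -> dict:
    entries = parse_o4(lines)
    return {
        "entries": len(entries),
        "safe_mode_runonce": [e.name for e in safe_mode_runonce(entries)],
        "redundant": sorted(redundant_autostarts(entries)),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_HJT_O4.splitlines()).items():
        print(f"{k}: {v}")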
     
  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download Combofix to your desktop:

    * Double-click Combofix.exe and follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note: Do not mouse click Combofix's window while it's running. That may cause it to stall.
     
  4. Smokes

    Smokes Thread Starter

    Joined:
    May 11, 2006
    Messages:
    237
    "Administrator" - 07-01-29 19:17:33 Service Pack 2
    ComboFix 07-01-25 - Running from: "C:\Program Files\Mozilla Firefox"

    ((((((((((((((((((((((((((((((( Files Created from 2006-12-29 to 2007-01-29 ))))))))))))))))))))))))))))))))))


    2007-01-29 14:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Camfrog
    2007-01-29 14:43 <DIR> d-------- C:\Program Files\Camfrog
    2007-01-29 13:19 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Uniblue
    2007-01-29 13:18 <DIR> d-------- C:\Program Files\Uniblue
    2007-01-29 02:56 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2007-01-29 02:51 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2007-01-29 02:51 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2007-01-29 02:51 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2007-01-28 17:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-01-28 15:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
    2007-01-28 11:31 <DIR> d-------- C:\counterstrikesourceFULL
    2007-01-26 20:43 <DIR> d-------- C:\Program Files\Save
    2007-01-26 19:45 142,336 --a------ C:\WINDOWS\system32\sys33.exe
    2007-01-26 19:37 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
    2007-01-23 23:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Microsoft Corporation
    2007-01-16 22:17 <DIR> d-------- C:\Program Files\Elite Bling-Bling
    2007-01-16 18:15 <DIR> d--h----- C:\WINDOWS\HUL
    2007-01-15 11:19 119,816 --a------ C:\WINDOWS\system32\drivers\KmxCF.sys
    2007-01-14 03:33 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2007-01-14 03:32 <DIR> d-------- C:\Program Files\Real
    2007-01-14 03:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Real
    2007-01-12 17:06 111,624 --a------ C:\WINDOWS\system32\drivers\KmxFw.sys
    2007-01-11 18:11 <DIR> d-------- C:\Program Files\iPod
    2007-01-10 17:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\awc_Hot111
    2007-01-09 08:38 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
    2007-01-09 08:38 111,227 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
    2007-01-09 08:31 <DIR> d-------- C:\ijji
    2007-01-08 15:41 102,408 --a------ C:\WINDOWS\system32\drivers\KmxStart.sys
    2007-01-06 01:00 36,224 --a------ C:\WINDOWS\system32\drivers\an983.sys
    2007-01-05 15:01 86,016 --a------ C:\WINDOWS\unvise32.exe
    2007-01-05 15:00 <DIR> d-------- C:\Program Files\PCRescue4.0
    2007-01-05 10:19 80,776 --a------ C:\WINDOWS\system32\drivers\KmxCfg.sys
    2007-01-03 21:20 <DIR> d-------- C:\Program Files\Winamp
    2007-01-03 04:23 <DIR> d-------- C:\Program Files\Incomplete
    2007-01-03 04:17 <DIR> d-------- C:\Program Files\ares
    2007-01-01 03:50 <DIR> d-------- C:\WINDOWS\CAVTemp
    2007-01-01 03:30 95,760 --a------ C:\WINDOWS\system32\isafeif.dll
    2007-01-01 03:30 75,280 --a------ C:\WINDOWS\system32\vetredir.dll
    2007-01-01 03:30 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
    2007-01-01 03:30 629,216 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
    2007-01-01 03:30 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
    2007-01-01 03:30 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
    2007-01-01 03:30 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
    2007-01-01 03:30 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
    2007-01-01 03:30 108,544 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
    2007-01-01 03:30 <DIR> d-------- C:\Program Files\Common Files\Scanner
    2007-01-01 03:30 <DIR> d-------- C:\Program Files\CA
    2007-01-01 03:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\CA
    2007-01-01 03:23 <DIR> d-------- C:\Program Files\ETrust
    2007-01-01 03:15 <DIR> d-------- C:\Program Files\ATF-cleaner
    2006-12-31 08:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\acccore
    2006-12-31 08:09 <DIR> d-------- C:\Program Files\PlayLinc
    2006-12-31 07:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SonyPicturesGames
    2006-12-30 18:30 1,138 --a------ C:\WINDOWS\system32\tmp.reg
    2006-12-30 18:28 <DIR> d-------- C:\Program Files\SmitfraudFix
    2006-12-29 16:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\MySpace
    2006-12-29 16:22 <DIR> d-------- C:\Program Files\MySpace


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-29 19:16 -------- d-------- C:\Program Files\mozilla firefox
    2007-01-29 17:42 -------- d-------- C:\Program Files\frostwire
    2007-01-29 15:55 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\frostwire
    2007-01-29 13:56 -------- d-------- C:\Program Files\regmec6.0
    2007-01-29 02:35 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\azureus
    2007-01-26 19:29 -------- d-------- C:\Program Files\azureus
    2007-01-26 17:08 -------- d--h----- C:\Program Files\installshield installation information
    2007-01-26 17:04 -------- d---s---- C:\DOCUME~1\ADMINI~1\Application Data\microsoft
    2007-01-26 17:04 -------- d-------- C:\Program Files\microsoft games
    2007-01-23 11:54 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
    2007-01-14 10:58 -------- d-------- C:\Program Files\yahelite
    2007-01-14 03:33 -------- d-------- C:\Program Files\Common Files\real
    2007-01-12 06:09 -------- d-------- C:\Program Files\anywebcam
    2007-01-11 00:02 -------- d-------- C:\Program Files\alcohol soft
    2007-01-08 04:33 -------- d-------- C:\Program Files\itunes
    2007-01-01 20:55 -------- d-------- C:\Program Files\wintasks
    2007-01-01 03:53 -------- d-------- C:\Program Files\windows media connect 2
    2007-01-01 00:19 -------- d-------- C:\Program Files\Common Files\panda software
    2006-12-31 07:46 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\msn6
    2006-12-30 00:22 -------- d-------- C:\Program Files\msn messenger
    2006-12-26 21:51 -------- d-------- C:\Program Files\pool buddy yahoo
    2006-12-26 19:49 -------- d-------- C:\Program Files\grisoft
    2006-12-26 17:47 -------- d-------- C:\Program Files\Common Files\esellerate
    2006-12-23 21:56 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\iolo
    2006-12-23 21:49 -------- d-------- C:\Program Files\Common Files\authentium
    2006-12-23 21:18 -------- d-------- C:\Program Files\raxco
    2006-12-23 21:18 -------- d-------- C:\Program Files\Common Files\raxco
    2006-12-23 21:17 -------- d-------- C:\Program Files\rpd
    2006-12-20 12:17 227856 --a------ C:\WINDOWS\system32\pdboot.exe
    2006-12-16 22:18 -------- d-------- C:\Program Files\java
    2006-12-16 22:17 -------- d-------- C:\Program Files\lavasoft
    2006-12-14 07:36 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\apple computer
    2006-12-12 19:09 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\lavasoft
    2006-12-12 17:41 107016 --a------ C:\WINDOWS\system32\drivers\KmxIds.sys
    2006-12-12 00:01 -------- d-------- C:\Program Files\Common Files\java
    2006-12-10 16:00 38069 --a------ C:\WINDOWS\system32\z2717.exe
    2006-12-10 13:59 38069 --a------ C:\WINDOWS\system32\z2867.exe
    2006-12-10 13:12 38069 --a------ C:\WINDOWS\system32\z2345.exe
    2006-12-10 12:56 161280 --a------ C:\WINDOWS\system32\kerkr.dll
    2006-12-10 11:45 161280 --a------ C:\WINDOWS\system32\jqqtllv.dll
    2006-12-10 11:13 161280 --a------ C:\WINDOWS\system32\krutgi.dll
    2006-12-09 16:08 -------- d-------- C:\Program Files\quicktime
    2006-12-09 15:59 49 --a------ C:\DOCUME~1\ADMINI~1\Application Data\internaldb41.dat
    2006-12-09 15:59 337 --a------ C:\DOCUME~1\ADMINI~1\Application Data\internaldb1942.dat
    2006-12-04 18:22 -------- d-------- C:\Program Files\Common Files\directx
    2006-12-03 20:53 -------- d-------- C:\Program Files\techsmith
    2006-12-03 20:52 -------- d-------- C:\Program Files\Common Files\wise installation wizard
    2006-12-03 17:33 -------- d-------- C:\Program Files\yahoo!
    2006-12-02 23:32 9216 --a------ C:\DOCUME~1\ADMINI~1\Application Data\internaldb8467.dat
    2006-12-02 23:32 417792 --a------ C:\WINDOWS\system32\tcbloczd.dll
    2006-12-02 23:32 36864 --a------ C:\WINDOWS\system32\slimqmvi.exe
    2006-12-02 23:32 24576 --a------ C:\WINDOWS\system32\msxml3a.dll
    2006-12-02 23:32 23 --a------ C:\DOCUME~1\ADMINI~1\Application Data\inifile41.ini
    2006-12-02 23:32 20480 --a------ C:\DOCUME~1\ADMINI~1\Application Data\internaldb4827.dat
    2006-12-02 23:32 0 --a------ C:\DOCUME~1\ADMINI~1\Application Data\internaldb6334.dat
    2006-12-02 23:32 0 --a------ C:\DOCUME~1\ADMINI~1\Application Data\internaldb5436.dat
    2006-12-01 04:35 921 --a------ C:\WINDOWS\qsfvexit.bat
    2006-12-01 04:35 -------- d-------- C:\Program Files\magiciso
    2006-12-01 03:55 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-11-30 22:52 -------- d-------- C:\Program Files\quicksfv
    2006-11-26 12:34 85 ---hs---- C:\DOCUME~1\ADMINI~1\Application Data\.zreglib
    2006-11-20 19:45 21840 --a------ C:\WINDOWS\system32\sintfnt.dll
    2006-11-20 19:45 17212 --a------ C:\WINDOWS\system32\sintf32.dll
    2006-11-20 19:45 12067 --a------ C:\WINDOWS\system32\sintf16.dll
    2006-11-20 03:42 33280 --a------ C:\WINDOWS\system32\snmp.exe
    2006-11-20 03:42 33280 --a------ C:\WINDOWS\system32\snmp(2)(2).exe
    2006-11-20 00:01 233472 --a------ C:\WINDOWS\system32\yacscom.dll
    2006-11-14 17:31 126976 --a------ C:\WINDOWS\system32\iavlsp.dll
    2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
    2006-10-19 14:52 774144 --a------ C:\Program Files\rnginterstitial.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "sys33"="C:\\WINDOWS\\system32\\sys33.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "RegistryMechanic"="C:\\Program Files\\REGMec6.0\\RegMech.exe /H"
    "cctray"="\"C:\\Program Files\\ETrust\\cctray\\cctray.exe\""
    "CAVRID"="\"C:\\Program Files\\ETrust\\CA Anti-Virus\\CAVRID.exe\""
    "cafwc"="C:\\Program Files\\ETrust\\CA Personal Firewall\\cafw.exe -cl"
    "capfaem"="C:\\Program Files\\ETrust\\CA Personal Firewall\\capfaem.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "QOELOADER"="\"C:\\Program Files\\ETrust\\CA Anti-Spam\\QSP-5.0.419.0\\QOELoader.exe\""
    "UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\" -H"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "*sys33"="C:\\WINDOWS\\system32\\sys33.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    "backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
    "item"="Logitech Desktop Messenger"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gnetmous]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="gnetmous"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\COMPAQ\\Scroll Mouse\\gnetmous.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="BackWeb-8876480"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="LVCOMS"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nord]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nwiz"
    "hkey"="HKLM"
    "command"="nwiz.exe /install"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qfyqakn.dll]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qfyqakn"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\rundll32.exe \"C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\qfyqakn.dll\",xysmkvf"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKCU"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winampa"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Winamp\\winampa.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTouch"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SharedAccess"=dword:00000002
    "TermService"=dword:00000003
    "TapiSrv"=dword:00000003
    "Spooler"=dword:00000002

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    Usnsvc REG_MULTI_SZ usnsvc\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Administrator at 3 30 AM.job

    Completion time: 07-01-29 19:28:42
     
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    There are definitely some suspicious files there.
    Let's give this a shot...

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  6. Smokes

    Smokes Thread Starter

    Joined:
    May 11, 2006
    Messages:
    237
    OK, done. Right when the scan finished, 2 small boxes popped up on the top left. They went kinda fast, but I managed to catch the files it was dealing with: the first box did something with netcmd.exe, then the other box popped up and did something with sys33.exe. They popped up, said "creating" something, and went away too fast, but it seems like that scan removed it. This sys33.exe just seems to find a way to put itself back, though. :( Anyway, here's the log (in this log it may show that sys33.exe got removed, but like I said, I think it just put itself back) and a new HJT log.


    SDFix: Version 1.63

    Mon 01/29/2007 - 19:59:23.06

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:

    Path:


    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\PART0100.DAT - Deleted
    C:\WINDOWS\system32\plugin1.dat - Deleted
    C:\WINDOWS\system32\spool\cmd.exe - Deleted



    ADS Check:

    C:\WINDOWS\system32
    No streams found.

    Final Check:

    Remaining Services:
    ------------------


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\ijji\\ENGLISH\\Gunz\\BAReport.exe"="C:\\ijji\\ENGLISH\\Gunz\\BAReport.exe:*:Enabled:BAReport MFC ?? ????"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\Documents and Settings\Administrator\My Documents\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\netconfig.exe
    C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp

    Finished

    Logfile of HijackThis v1.99.1
    Scan saved at 8:20:34 PM, on 1/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\ETrust\CA Anti-Virus\ISafe.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ETrust\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\ETrust\CA Personal Firewall\capfsem.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\SYSTEM32\notepad.exe
    C:\WINDOWS\SYSTEM32\NETCMD.EXE
    C:\Program Files\REGMec6.0\RegMech.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\ETrust\cctray\cctray.exe
    C:\Program Files\ETrust\CA Anti-Virus\CAVRID.exe
    C:\Program Files\ETrust\CA Personal Firewall\capfaem.exe
    C:\Program Files\ETrust\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\ETrust\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\REGMec6.0\RegMech.exe /H
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\ETrust\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\ETrust\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [cafwc] C:\Program Files\ETrust\CA Personal Firewall\cafw.exe -cl
    O4 - HKLM\..\Run: [capfaem] C:\Program Files\ETrust\CA Personal Firewall\capfaem.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\ETrust\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\RunOnce: [*sys33] C:\WINDOWS\system32\sys33.exe
    O4 - HKCU\..\Run: [sys33] C:\WINDOWS\system32\sys33.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157522165628
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157570551406
    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab53984.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
    O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://www.sonypictures.com/games/thedavincicode/DVCDownloaderControl.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\ETrust\CA Anti-Virus\ISafe.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\ETrust\CA Anti-Virus\VetMsg.exe
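An added example, not part of the thread and not HijackThis code: a small Python script that parses a HijackThis 1.99 log in the format posted above and flags O4 autostart entries worth a second look. It checks three things visible in this log: a RunOnce value name beginning with '*' (the documented prefix that makes Windows run the entry even in Safe Mode, which is what [*sys33] does), the same binary registered under both HKLM and HKCU, and an autostart whose binary does not appear under "Running processes" (consistent with a launcher that exits after respawning its payload, as described in the first post). The embedded SAMPLE_LOG is a constructed, shortened copy of the log above; the check names and the HOST_EXES list are my own choices.

```python
"""Triage the O4 (autostart) entries of a HijackThis 1.99 log.

Added example; not HijackThis code. SAMPLE_LOG is a constructed, shortened
copy of the log posted in this thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\REGMec6.0\RegMech.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\REGMec6.0\RegMech.exe /H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [*sys33] C:\WINDOWS\system32\sys33.exe
O4 - HKCU\..\Run: [sys33] C:\WINDOWS\system32\sys33.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_EXE_RE = re.compile(r"^(.+?\.exe)(?:\s|$)", re.IGNORECASE)

# Processes that only host a payload named in their arguments; their own
# presence or absence in the process list says nothing (my own list).
HOST_EXES = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

SAFE_MODE = "safe-mode-runonce"   # RunOnce value name starts with '*'
DUAL_HIVE = "hklm+hkcu"           # same binary registered in both HKLM and HKCU
NO_PROCESS = "no-process"         # autostart binary absent from 'Running processes'


@dataclass(frozen=True)
class AutostartEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, RunServices, ...
    name: str      # registry value name, e.g. "*sys33"
    command: str   # command line exactly as logged
    target: str    # executable path pulled out of the command line


def extract_target(command: str) -> str:
    """Return the executable in a logged command line (quoted or bare path)."""
    m = QUOTED_RE.match(command)
    if m:
        return m.group(1)
    m = UNQUOTED_EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]


def basename(path: str) -> str:
    """Case-folded file name; Run entries often use 8.3 paths, so full paths compare badly."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str):
    """Return (set of running process basenames, list of O4 AutostartEntry)."""
    running, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                running.add(basename(line))
            else:
                in_procs = False   # a blank line ends the section
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append(AutostartEntry(hive, key, name, command, extract_target(command)))
    return running, entries


def find_suspicious(running, entries):
    """Return (entry, code) pairs for every check an entry trips."""
    hives_by_target = defaultdict(set)
    for e in entries:
        hives_by_target[basename(e.target)].add(e.hive)
    findings = []
    for e in entries:
        target = basename(e.target)
        if e.key.lower() == "runonce" and e.name.startswith("*"):
            findings.append((e, SAFE_MODE))
        if len(hives_by_target[target]) > 1:
            findings.append((e, DUAL_HIVE))
        if target not in HOST_EXES and target not in running:
            findings.append((e, NO_PROCESS))
    return findings


if __name__ == "__main__":
    procs, autostarts = parse_log(SAMPLE_LOG)
    for entry, code in find_suspicious(procs, autostarts):
        print(f"{code:18} {entry.hive}\\..\\{entry.key} [{entry.name}] -> {entry.target}")
```

The "no-process" check is a triage hint, not a verdict: a benign entry that only runs briefly at logon (qttask.exe in the excerpt) trips it as well. What makes the sys33 pair stand out is that all three checks fire on the same binary.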
     
  7. Smokes

    Smokes Thread Starter

    Joined:
    May 11, 2006
    Messages:
    237
    /bump
     
  8. Lacunas

    Lacunas

    Joined:
    Jan 30, 2007
    Messages:
    5
    I found quite a new and interesting website. You put in your processes and it shows which ones are bad and which ones are good. It is still in beta, but for me it has worked quite well already a couple of times.
    http://www.2-spyware.com/hjt.php
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  10. Lacunas

    Lacunas

    Joined:
    Jan 30, 2007
    Messages:
    5
    Oops... sorry for that.. :(
     
  11. Smokes

    Smokes Thread Starter

    Joined:
    May 11, 2006
    Messages:
    237
    ohhh cheeeesssballl :p
     
  12. Smokes

    Smokes Thread Starter

    Joined:
    May 11, 2006
    Messages:
    237
    /bump
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Okay, there are many suspicious files that need to be analyzed, so let's take one step at a time.

    First,

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


      C:\WINDOWS\system32\sys33.exe
      C:\WINDOWS\unvise32.exe
      C:\ijji


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Second,

    Go to the forum here: http://www.thespykiller.co.uk/forum/index.php?board=1.0
    Upload this (these) file(s):

    Here are the directions for uploading the following files:

    C:\WINDOWS\system32\z2717.exe
    C:\WINDOWS\system32\z2867.exe
    C:\WINDOWS\system32\z2345.exe
    C:\WINDOWS\system32\kerkr.dll
    C:\WINDOWS\system32\jqqtllv.dll
    C:\WINDOWS\system32\krutgi.dll
    C:\WINDOWS\system32\tcbloczd.dll
    C:\WINDOWS\system32\slimqmvi.exe
    C:\WINDOWS\qsfvexit.bat


    Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the files on your computer. When the files are listed in the window click "Post" to upload the files.
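For what "Delete on Reboot" and the PendingFileRenameOperations prompt in the first step actually do, here is an added Python example (not Killbox's code, and not from the original thread). Windows stores delete-on-reboot requests in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as source/destination string pairs, with an empty destination meaning "delete"; Session Manager applies the list early in the next boot, before the file can be locked or respawned by a Run entry. The script parses that value, lists the queued deletions, and shows the documented way to queue one (MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT). SAMPLE_VALUE is constructed to mirror the paths listed above.

```python
"""What "Delete on Reboot" does under the hood.

Added example; not Killbox's code. SAMPLE_VALUE is a constructed copy of the
REG_MULTI_SZ value as it would look after the paths above were queued.
"""
import ctypes
import sys

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"               # paths are stored in NT object-manager form
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # dwFlags bit for MoveFileExW (winbase.h)

# Constructed: pairs of (source, destination); "" as destination means delete.
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\system32\\sys33.exe", "",
    "\\??\\C:\\WINDOWS\\unvise32.exe", "",
    "\\??\\C:\\WINDOWS\\Temp\\new.dll", "!\\??\\C:\\WINDOWS\\system32\\old.dll",
]


def parse_pending_ops(multi_sz):
    """Turn the raw string list into (source, destination) tuples; destination None = delete."""
    if len(multi_sz) % 2:
        raise ValueError(f"{PENDING_VALUE} must contain source/destination pairs")
    ops = []
    for src, dst in zip(multi_sz[::2], multi_sz[1::2]):
        src = src.removeprefix(NT_PREFIX)
        if dst == "":
            ops.append((src, None))
        else:
            # A leading '!' on the destination is the marker written for
            # MOVEFILE_REPLACE_EXISTING; strip it along with the NT prefix.
            ops.append((src, dst.lstrip("!").removeprefix(NT_PREFIX)))
    return ops


def pending_deletes(multi_sz):
    """Files that Session Manager will remove at the next boot."""
    return [src for src, dst in parse_pending_ops(multi_sz) if dst is None]


def read_pending_ops():
    """Read the live value on Windows; [] if nothing is queued."""
    import winreg  # Windows-only module, imported lazily
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return parse_pending_ops(value)


def schedule_delete_on_reboot(path: str) -> None:
    """Queue a deletion the documented way: MoveFileExW(path, NULL, DELAY_UNTIL_REBOOT).

    Needs administrator rights. The file is removed before any Run key fires,
    so a launcher that would normally put it back never gets the chance.
    """
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    for src in pending_deletes(SAMPLE_VALUE):
        print("delete at boot:", src)
```

Deleting the file this way does not touch the Run/RunOnce values that point at it, which is why a "cannot find file" box for the deleted path can appear at the next logon; the registry entries still have to be removed separately.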
     
  14. Smokes

    Smokes Thread Starter

    Joined:
    May 11, 2006
    Messages:
    237
    OK, done, and I didn't put C:\ijji in the Killbox because that's my GunZ game from http://www.ijji.com. Also, after I used Killbox it rebooted and gave me a pop-up box that said "cannot find file C:\windows\system32\sys33.exe", so I clicked OK; then a little box popped up in the top left that said "setting up personalized settings for netconfig.exe", then the box went away. Here's the link to the thread you wanted me to upload those files to, but I don't know if they uploaded properly:
    http://www.thespykiller.co.uk/forum/index.php?topic=3528.0
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    This one is harmless: C:\WINDOWS\qsfvexit.bat belongs to

    http://www.download.com/QuickSFV/3000-2248_4-10521469.html

    C:\WINDOWS\system32\tcbloczd.dll is adware (comaid).

    C:\WINDOWS\system32\z2717.exe
    C:\WINDOWS\system32\z2867.exe
    C:\WINDOWS\system32\z2345.exe are all downloaders according to Kaspersky.

    I'm still checking the others, but they look bad, so delete the lot.

    Edit:

    The others seem to be spambots, but VirusTotal keeps crashing on me, so I am having trouble scanning tonight.
     
Short URL to this thread: https://techguy.org/539433
