
trojan removed. now repairing.

Discussion in 'Virus & Other Malware Removal' started by flexorcist, Jul 26, 2007.

  1. flexorcist

    flexorcist Thread Starter

    Joined:
    Apr 28, 2007
    Messages:
    6
    I had a trojan that was reappearing after deletion.

    So I removed the services and services32 .exe programs that kept reinstalling it.

    The problem is, I can access google.com by IP address but not by name. I tried several things on here to fix it and I can't.

    It also removed the search function on my computer. I tried reinstalling things like Microsoft's web page told me to, if the patch didn't work.

    If I can get help with those that'd be great, but if not I have another problem.

    I can type in 34810481jhfsafsd.com, anything .com, and instead of a 404 page not found, it takes me to a porno or a search website. How can I reset my default 404?
     
  2. CrazyComputerMan

    CrazyComputerMan

    Joined:
    Apr 16, 2007
    Messages:
    13,768
    First Name:
    Robert
    Does this same problem happen as before, after a DNS flush?
     
  3. flexorcist

    flexorcist Thread Starter

    Joined:
    Apr 28, 2007
    Messages:
    6
    No. I used to get a virus message come up EVERY time saying infected/deleted.

    They were in WinXP services.exe and services32.exe.
    I've deleted those.

    I also had some .exe files under Documents and Settings that I've deleted, that the virus scan (was Vet, is now CA Security Center) wasn't picking up.

    I have flushed the DNS, and when I try to access google.com I get the Firefox "Unable to connect" page. However, any other page that's non-existent takes me to a websheart.com titled porno search page, searchathand page, or Yahoo something-or-other advertising pages.

    And you can't tell me that http://4234j3l2jklsajdflsajsadljl3nk4rl2knfd3l2nfdklsn.com/ is a legitimate website.

    I'm now following the procedures on
    http://www.precisesecurity.com/blogs/2007/07/02/browser-hijacker-removal-procedure/#more-715
    to remove it,
    but I still want to access Google, as I paid money to get an email address that runs off Gmail and I can't access it from home!!
     
  4. CrazyComputerMan

    CrazyComputerMan

    Joined:
    Apr 16, 2007
    Messages:
    13,768
    First Name:
    Robert
    You paid for a Gmail address? :eek: I get it for free.
     
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Double-click on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis.
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch HijackThis.
    • Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste the log in your next reply.
    • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
     
  6. flexorcist

    flexorcist Thread Starter

    Joined:
    Apr 28, 2007
    Messages:
    6
    I don't pay for a Gmail address. I paid for an email account with a motorcycle club I'm a member of, but it's run by Gmail.
     
  7. flexorcist

    flexorcist Thread Starter

    Joined:
    Apr 28, 2007
    Messages:
    6
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:00:43 AM, on 7/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\csrss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\Ati2evxx.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\Vet\ISafe.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINXP\system32\svchost.exe
    C:\Vet\VetMsg.exe
    C:\WINXP\System32\alg.exe
    C:\WINXP\system32\Ati2evxx.exe
    C:\WINXP\Explorer.EXE
    C:\WINXP\SOUNDMAN.EXE
    C:\WINXP\AGRSMMSG.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Vet\CAVRID.exe
    C:\WINXP\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINXP\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINXP\SYSTEM32\Userinit.exe,,C:\WINXP\SERVICES.EXE
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Netrider toolbar - {694332b0-a3fb-4f8c-838b-4ea0e7cd3d93} - C:\Program Files\Netrider\tbNet0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Netrider toolbar - {694332b0-a3fb-4f8c-838b-4ea0e7cd3d93} - C:\Program Files\Netrider\tbNet0.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINXP\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINXP\TEMP\E_S8F.tmp" /EF "HKLM"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Vet\CAVRID.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINXP\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINXP\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINXP\bdoscandel.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141436212125
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
    O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA4897C-EC1F-4754-9277-9DA4135483A2}: NameServer = 85.255.115.6,85.255.112.20
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: pasksa - pasksa.dll (file missing)
    O20 - Winlogon Notify: rpcc - C:\WINXP\
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINXP\system32\ati2sgag.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet\ISafe.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Vet\VetMsg.exe

    --
    End of file - 9704 bytes
     
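The log above contains the entries that account for the symptoms in this thread. Windows XP keeps each interface's DNS servers under the Tcpip\Parameters\Interfaces key that HijackThis reports as an O17 line; if the servers listed there do not resolve names honestly, sites stay reachable by IP but not by name, and a resolver that answers for nonexistent names with its own address is what turns a typo'd domain into a search or porn page instead of an error. The F2 line shows a second executable chained onto UserInit (run at every logon), the O20 lines show Winlogon Notify packages with no DLL behind them, and the O2 line with (no file) is an orphaned BHO. As an added example, not part of the original thread and not code from HijackThis or any other tool mentioned here, the following Python script parses HijackThis-format lines and flags those indicator types. The sample lines are copied from the HijackThis logs posted in this thread; the rules are heuristics written for this example, so a flagged line means "verify", not "delete".

```python
"""Flag hijack indicators in HijackThis-format log lines.

Added example for this thread: the rules are the editor's own heuristics,
not HijackThis's, and a hit means "verify this entry", not "delete it".
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis logs posted in this thread
# (a constructed subset; the real logs are much longer).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINXP\SYSTEM32\Userinit.exe,,C:\WINXP\SERVICES.EXE
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Policies\Explorer\Run: [ie.exe] C:\WINXP\ie.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA4897C-EC1F-4754-9277-9DA4135483A2}: NameServer = 85.255.115.6,85.255.112.20
O20 - Winlogon Notify: pasksa - pasksa.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINXP\
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet\ISafe.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O17"
    reason: str   # why the line is worth a look
    line: str     # the log line itself


# RFC 1918 and loopback prefixes; anything else is treated as a public resolver.
_PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")


def _check_userinit(line):
    """F2: UserInit should name a single userinit.exe; extra entries run at every logon."""
    m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    return ("extra executable chained into UserInit: " + ", ".join(extra)) if extra else None


def _check_bho(line):
    """O2: a BHO CLSID whose DLL is gone is an orphan (low priority, but clean it)."""
    return "BHO registered with no backing file" if "(no file)" in line.lower() else None


def _check_policies_run(line):
    """O4: Policies\\Explorer\\Run is a Group Policy location that home installs rarely populate."""
    if re.search(r"\\Policies\\Explorer\\Run:", line, re.IGNORECASE):
        return "Run entry under Policies\\Explorer\\Run, normally empty on a home PC"
    return None


def _check_nameserver(line):
    """O17: static DNS servers; confirm they are the ISP's or router's resolvers."""
    m = re.search(r"NameServer\s*=\s*([\d.,\s]+)$", line)
    if not m:
        return None
    servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
    public = [s for s in servers if not _PRIVATE.match(s)]
    kind = "public" if public else "private"
    return f"statically configured {kind} DNS server(s) {', '.join(servers)}; confirm they belong to the ISP or router"


def _check_winlogon_notify(line):
    """O20: a Notify package loads into winlogon.exe; it must name a real DLL."""
    m = re.search(r"Winlogon Notify:\s*(\S+)\s*-\s*(.*)$", line)
    if not m:
        return None
    name, target = m.group(1), m.group(2).strip()
    if "(file missing)" in target.lower():
        return f"Winlogon Notify '{name}' points at a missing DLL (deleted or hidden)"
    if target.endswith("\\") or not target.lower().endswith(".dll"):
        return f"Winlogon Notify '{name}' names no DLL ('{target}')"
    return None


_CHECKS = {
    "F2": _check_userinit,
    "O2": _check_bho,
    "O4": _check_policies_run,
    "O17": _check_nameserver,
    "O20": _check_winlogon_notify,
}


def triage(log_text):
    """Return a Finding for every line that trips one of the section checks, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        tag = re.match(r"([A-Z]\d{1,2}) - ", line)
        if not tag or tag.group(1) not in _CHECKS:
            continue
        reason = _CHECKS[tag.group(1)](line)
        if reason:
            findings.append(Finding(tag.group(1), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports six lines: the UserInit chain, the orphaned BHO, the Policies\Explorer\Run entry, the O17 nameservers, and both Winlogon Notify packages; the ordinary R0 and O4 SoundMan lines pass. The O17 rule deliberately flags every static nameserver rather than judging the addresses, because the only reliable check is comparing them with what the ISP or router actually hands out.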
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    NOTE: If you have downloaded ComboFix previously, please delete that version and download it again!

    Download this file:

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double-click combofix.exe and follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    ============

    Download SUPERAntiSpyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.

    This will take some time!!!!!!!!
     
  9. flexorcist

    flexorcist Thread Starter

    Joined:
    Apr 28, 2007
    Messages:
    6
    Here are the logs, before the SUPERAntiSpyware scan.


    ComboFix

    "user" - 2007-07-27 12:33:28 [GMT 10:00] - ComboFix 07-07-24 - Service Pack 2 NTFS

    /wow section - STAGE #3
    /wow section not completed

    ((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


    2007-07-27 12:17 0 --a------ C:\WINXP\system32\sfsync02.dll
    2007-07-27 12:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-07-27 12:08 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\SUPERAntiSpyware.com
    2007-07-27 12:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
    2007-07-27 12:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-27 11:56 51,200 --a------ C:\WINXP\nircmd.exe
    2007-07-27 10:05 <DIR> d-------- C:\DOCUME~1\Tabs\APPLIC~1\AdobeUM
    2007-07-26 23:14 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Buddi
    2007-07-26 21:27 262,144 --a------ C:\DOCUME~1\BEN~1.USE\ntuser.dat
    2007-07-24 11:22 <DIR> d-------- C:\DOCUME~1\Tabs\APPLIC~1\OpenOffice.org2
    2007-07-24 10:37 879,832 --a------ C:\WINXP\system32\drivers\vetefile.sys
    2007-07-24 10:37 108,360 --a------ C:\WINXP\system32\drivers\veteboot.sys
    2007-07-17 14:04 159,744 --a------ C:\WINXP\system32\lfpng13n.dll
    2007-07-17 12:07 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\OpenOffice.org2
    2007-07-17 12:01 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2
    2007-07-17 11:33 <DIR> d-------- C:\Program Files\Notepad++
    2007-07-17 11:33 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Notepad++
    2007-07-12 12:17 75,280 --a------ C:\WINXP\system32\isafprod.dll
    2007-07-12 12:17 32,528 --a------ C:\WINXP\system32\drivers\vetmonnt.sys
    2007-07-12 12:17 26,640 --a------ C:\WINXP\system32\drivers\vet-filt.sys
    2007-07-12 12:17 21,648 --a------ C:\WINXP\system32\drivers\vetfddnt.sys
    2007-07-12 12:17 21,392 --a------ C:\WINXP\system32\drivers\vet-rec.sys
    2007-07-12 12:17 <DIR> d-------- C:\Program Files\CA
    2007-07-12 12:12 99,904 --a------ C:\WINXP\system32\isafeif.dll
    2007-07-12 12:12 79,424 --a------ C:\WINXP\system32\vetredir.dll
    2007-07-12 12:12 46,632 --a------ C:\WINXP\system32\ISafeProduct.dll
    2007-07-12 12:12 42,536 --a------ C:\WINXP\AVShlExt.dll
    2007-07-12 12:12 116,264 --a------ C:\WINXP\UnVet32.exe
    2007-07-12 12:12 <DIR> d-------- C:\Vet
    2007-07-08 21:35 1,760 --a------ C:\WINXP\system32\tmp.reg
    2007-07-08 21:34 53,248 --a------ C:\WINXP\system32\Process.exe
    2007-07-08 21:34 51,200 --a------ C:\WINXP\system32\dumphive.exe
    2007-07-08 21:34 288,417 --a------ C:\WINXP\system32\SrchSTS.exe
    2007-07-08 17:20 <DIR> d-------- C:\DOCUME~1\Tabs\APPLIC~1\Help
    2007-06-29 19:35 <DIR> d-------- C:\Program Files\FileMaker
    2007-06-29 18:42 16,384 --a------ C:\WINXP\system32\FileOps.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-27 01:49:14 -------- d-----w C:\Program Files\HollywoodPoker
    2007-07-27 01:00:23 -------- d-----w C:\Program Files\Trend Micro
    2007-07-26 13:13:16 -------- d-----w C:\Program Files\ewido anti-spyware 4.0
    2007-07-17 11:44:42 -------- d-----w C:\Program Files\Poker Indicator
    2007-07-12 03:16:52 1,536 ----a-w C:\WINXP\svcq16.exe
    2007-06-29 09:35:51 -------- d-----w C:\Program Files\Common Files\ODBC
    2007-06-02 07:16:17 -------- d-----w C:\Program Files\Netrider
    2007-05-16 15:12:02 683,520 ----a-w C:\WINXP\system32\inetcomm.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{694332b0-a3fb-4f8c-838b-4ea0e7cd3d93}]
    2007-06-02 17:16 1326104 --a------ C:\Program Files\Netrider\tbNet0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{694332b0-a3fb-4f8c-838b-4ea0e7cd3d93}"= C:\Program Files\Netrider\tbNet0.dll [2007-06-02 17:16 1326104]

    [HKEY_CLASSES_ROOT\CLSID\{694332b0-a3fb-4f8c-838b-4ea0e7cd3d93}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{694332B0-A3FB-4F8C-838B-4EA0E7CD3D93}"= C:\Program Files\Netrider\tbNet0.dll [2007-06-02 17:16 1326104]

    [-HKEY_CLASSES_ROOT\CLSID\{694332B0-A3FB-4F8C-838B-4EA0E7CD3D93}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cmaudio"="cmicnfg.cpl" []
    "SoundMan"="SOUNDMAN.EXE" [2004-02-26 15:53 C:\WINXP\SOUNDMAN.EXE]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-26 01:53]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 08:06 C:\WINXP\AGRSMMSG.exe]
    "@"="" []
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-04 22:30]
    "cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-07-12 12:20]
    "CAVRID"="C:\Vet\CAVRID.exe" [2007-05-09 07:17]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 22:00]
    "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 14:38]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    EPSON Status Monitor 3 Environment Check.lnk - C:\WINXP\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [1999-10-22 11:10:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispAppearancePage"=0 (0x0)
    "NoColorChoice"=0 (0x0)
    "NoSizeChoice"=0 (0x0)
    "NoDispBackgroundPage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoVisualStyleChoice"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSaveSettings"=0 (0x0)
    "NoThemesTab"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
    "ie.exe"=C:\WINXP\ie.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "System"="kdbmr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\user\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINXP\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINXP\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINXP\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    R0 uagp35;Microsoft AGPv3.5 Filter;C:\WINXP\system32\DRIVERS\uagp35.sys
    R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINXP\system32\drivers\ALCXSENS.SYS
    R3 HidUsb;Microsoft HID Class Driver;C:\WINXP\system32\DRIVERS\hidusb.sys
    R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINXP\system32\DRIVERS\usbccgp.sys
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINXP\system32\DRIVERS\usbehci.sys
    R3 usbhub;USB2 Enabled Hub;C:\WINXP\system32\DRIVERS\usbhub.sys
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINXP\system32\DRIVERS\usbohci.sys
    R3 usbprint;Microsoft USB PRINTER Class;C:\WINXP\system32\DRIVERS\usbprint.sys
    R3 usbscan;USB Scanner Driver;C:\WINXP\system32\DRIVERS\usbscan.sys
    S2 CCHYJYPX;CCHYJYPX;\??\C:\WINXP\system32\cchyjypx.qkq
    S3 cmuda;C-Media WDM Audio Interface;C:\WINXP\system32\drivers\cmuda.sys
    S3 k750bus;Sony Ericsson 750 driver (WDM);C:\WINXP\system32\DRIVERS\k750bus.sys
    S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter;C:\WINXP\system32\DRIVERS\k750mdfl.sys
    S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers;C:\WINXP\system32\DRIVERS\k750mdm.sys
    S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers;C:\WINXP\system32\DRIVERS\k750mgmt.sys
    S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers;C:\WINXP\system32\DRIVERS\k750obex.sys
    S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM);C:\WINXP\system32\DRIVERS\SE27bus.sys
    S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter;C:\WINXP\system32\DRIVERS\SE27mdfl.sys
    S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver;C:\WINXP\system32\DRIVERS\SE27mdm.sys
    S3 SE27mgmt;Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM);C:\WINXP\system32\DRIVERS\SE27mgmt.sys
    S3 se27nd5;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS);C:\WINXP\system32\DRIVERS\se27nd5.sys
    S3 SE27obex;Sony Ericsson Device 039 USB WMC OBEX Interface;C:\WINXP\system32\DRIVERS\SE27obex.sys
    S3 se27unic;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM);C:\WINXP\system32\DRIVERS\se27unic.sys
    S3 usbaudio;USB Audio Driver (WDM);C:\WINXP\system32\drivers\usbaudio.sys
    S3 usbstor;USB Mass Storage Driver;C:\WINXP\system32\DRIVERS\USBSTOR.SYS

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Usnsvc usnsvc


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ce74194-8329-11db-84a2-00016cbbe2f4}]
    AutoRun\command- RavMon.exe


    Contents of the 'Scheduled Tasks' folder
    2007-05-27 13:51:00 C:\WINXP\tasks\Disk Cleanup.job

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-27 12:44:32
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwQueryDirectoryFile

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\WINXP\system32\kdbmr.exe

    scan completed successfully
    hidden files: 1

    **************************************************************************

    Completion time: 2007-07-27 12:48:48 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-27 12:48

    --- E O F ---





    HijackThis



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:54:11 PM, on 27/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\csrss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\Ati2evxx.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\WINXP\system32\Ati2evxx.exe
    C:\WINXP\Explorer.EXE
    C:\Vet\ISafe.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINXP\system32\svchost.exe
    C:\Vet\VetMsg.exe
    C:\WINXP\System32\alg.exe
    C:\WINXP\SOUNDMAN.EXE
    C:\WINXP\AGRSMMSG.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Vet\CAVRID.exe
    C:\WINXP\ie.exe
    C:\WINXP\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\WINXP\system32\notepad.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINXP\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: Netrider toolbar - {694332b0-a3fb-4f8c-838b-4ea0e7cd3d93} - C:\Program Files\Netrider\tbNet0.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Netrider toolbar - {694332b0-a3fb-4f8c-838b-4ea0e7cd3d93} - C:\Program Files\Netrider\tbNet0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Netrider toolbar - {694332b0-a3fb-4f8c-838b-4ea0e7cd3d93} - C:\Program Files\Netrider\tbNet0.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Vet\CAVRID.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Policies\Explorer\Run: [ie.exe] C:\WINXP\ie.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINXP\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINXP\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINXP\bdoscandel.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141436212125
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
    O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA4897C-EC1F-4754-9277-9DA4135483A2}: NameServer = 85.255.115.6,85.255.112.20
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINXP\system32\ati2sgag.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Vet\ISafe.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Vet\VetMsg.exe

    --
    End of file - 9053 bytes
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Need the SuperAnti log and then run the following and then post the hijack log after doing it.

    Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    · Restart your computer
    · After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    · Instead of Windows loading as normal, the Advanced Options Menu should appear;
    · Select the first option, to run Windows in Safe Mode, then press Enter.
    · Choose your usual account.
    · Open the extracted SDFix folder and double click RunThis.bat to start the script.
    · Type Y to begin the cleanup process.
    · It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    · Press any Key and it will restart the PC.
    · When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    · Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    · Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
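The O17 NameServer line in the log above is the entry a helper compares against the resolvers the machine is actually supposed to use. As an added example that is not part of this thread, the following Python parser pulls every O17 NameServer entry out of HijackThis output and flags any resolver outside an allowlist; the allowlist, the second interface line and its GUID are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the O17 line and one O4 line copied from the log
# above, plus a constructed second interface whose resolver is the local router.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA4897C-EC1F-4754-9277-9DA4135483A2}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Hypothetical allowlist: the networks this machine's resolvers are expected to
# live in (home router / ISP ranges). Anything outside deserves a closer look.
EXPECTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# HijackThis O17 format: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(log_text):
    """Yield (interface_guid, [resolver, ...]) for every O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        guid = re.search(r"\{[^}]+\}", m.group("key"))
        iface = guid.group(0) if guid else m.group("key")
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        yield iface, servers


def flag_unexpected(log_text, allowed=EXPECTED_RESOLVERS):
    """Return [(iface, resolver)] for every resolver outside the allowed networks."""
    flagged = []
    for iface, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ip_address(server)
            except ValueError:
                flagged.append((iface, server))  # not an IP at all: flag it too
                continue
            if not any(addr in net for net in allowed):
                flagged.append((iface, server))
    return flagged


if __name__ == "__main__":
    for iface, server in flag_unexpected(SAMPLE_LOG):
        print(f"unexpected resolver {server} on interface {iface}")
```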
Short URL to this thread: https://techguy.org/600798