Computer = weird

So. I turn on my computer this afternoon and its acting kinda weird. iexplore.exe is randomly popping up on Task Manager processes, Google is redirecting me to random sites, and my theme got changed to like, windows classic :embarrassed:

0_o? Have you checked any anti-baddy stuff just to make sure that you don't have anything strange going on?

Sounds like a regular prank program. No idea which one.

Some prank programs are simply ended by putting the mouse in the top left corner of the screen. If a window pops up, then thats it. Probably not it though.

Ran ESET and it said I had like, 19 problems or whatever. Deleted them all.
My themes back to normal but Google is still redirecting me to weird shit.
I google "Hello", first result is Hello magazine. I click it I get http://encyclopedia.thefreedictionary.com/hello

Are you clicking 'I am feeling lucky'?

That brings you to the first option....so it would bring him there anyways....and its not.

System restored to last night. Now whenever I turn on the computer, it gets stuck on a black screen before it goes to the login screen. The only way that I'm posting this is because of safe mode :[

wow, thats fucked up. can't help you :(

Champ hacked it :(

Can you restore further back? It may help. Otherwise there's always the other option.

So when I click links on google, it first redirects to abcjmp.com/hdstjsdstdahsathtasdhstasbunchofrandomthings then goes to random horrible search sites. :|
I'll try restoring further back in a bit.

If this doesn't happen in SafeMode...

services.msc
msconfig

and check auto start in registry for unusual crap.

lol, sounds like a virus my friend got once. All it did was change the Start bar to "Stupid".

Quote:

---

So when I click links on google, it first redirects to abcjmp.com/hdstjsdstdahsathtasdhstasbunchofrandomthings then goes to random horrible search sites. :|

---

Thats exactly what happens with me when I use Firefox but I switched to Safari and its fine(up to now).

Try running CWShredder for your Google search problem. It sounds like you might have a version of the CoolWebSearch malware.

You could also post a HijackThis log, so that we get a better idea of what's happening.

~*thA_PuPPeTMaSTa*~ hAs ReTuRnED UnDeR A seCrET aLIas tO aSsiST tHE pOStEr KnOWn As BlInD

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:00 PM, on 28/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOW\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOW\Explorer.EXE
C:\WINDOW\system32\taskmgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:8888;https=127.0.0.1:8888
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\RYAN\Application Data\Mozilla\Profiles\default\4s4fviwn.slt\prefs.j s)
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {3AA15550-DE7E-7515-21E5-007B746C9458} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOW\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire2\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} -
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOW\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOW\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOW\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOW\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOW\system32\YPCSER~1.EXE

--
End of file - 11653 bytes



He IZ uNaBlE tO pOsT

Do a backup of data, then remove the following items:

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {3AA15550-DE7E-7515-21E5-007B746C9458} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -


Your log also appears to show that you have both NOD32 Antivirus and CA Antivirus; these may conflict or slow your computer down, so try uninstalling one.

As well as this, your log shows an installation of "Fiddler2," their homepage is here. It is a program that can intercept and modify HTTP(S) data, possibly redirecting you from Google like you described, and shouldn't be on your computer unless you put it there. Try uninstallng it through Add/Remove programs.

After you've finished with all that, restart your computer.

I still can't login to my account unless I'm in safe mode. It just gets stuck on Loading Personal Settings. I left it there for a long ass time but it still wouldn't continue.
Anything else I can doooo :[

edit; google works now tho

K so.
Google is back to redirecting to weird shit.
Login screen stays on the "Starting up Windows" screen unless its in Safe mode.
When I FINALLY got into my account without using safe mode, it was fine for about an hour and then MSN and Task manager randomly froze and then about a minute later Firefox froze too.

Currently, I'd say to backup whatever you need and reformat. However, there's a much better forum for security-related things over at BleepingComputer. Register there, and post information about what's happening, as well as a HijackThis log, in their HijackThis Logs and Malware Removal forum. If your computer can be salvaged, I'd say they're your best bet.

Won't let me connect to it.
Its just not loading the pages of computer help websites.
Sweet.

I could post on behalf of you, as a kind of proxy. Do another Hijackthis log and post it here, and I will put it on the BleepingComputer forums. They should be able to tell what malware you have, and I'll post the instructions for removal back here.

wtf i cant post it!!!!!
we;lp

So whenever I try to make a post with the log in it it doesn't work.
???
.
.
.

Alright, since Blind can't post anymore, he asked me to post this log in the thread.

Quote:

---

Originally Posted by blind

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:48 PM, on 30/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\csrss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOW\Explorer.EXE
C:\WINDOW\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\RYAN\Application Data\Mozilla\Profiles\default\4s4fviwn.slt\prefs.j s)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {5C9DD472-6E0E-D741-C444-09655A1519B9} - C:\Program Files\Apaflbcv\kircwljm.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"
O4 - HKLM\..\Run: [wxyripyr] rundll32.exe "C:\Program Files\wxyripyr\gbqrorqf.dll",Init
O4 - HKLM\..\Run: [velqrmlo] rundll32.exe "C:\Program Files\velqrmlo\ngbyhsby.dll",Init
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TFGcm] C:\WINDOW\sunqu.exe
O4 - HKLM\..\Run: [tekucvbd] c:\window\system32\tekucvbd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [PdPYgu] C:\WINDOW\sunqu.exe
O4 - HKLM\..\Run: [pclsdanc] rundll32.exe "C:\Program Files\pclsdanc\rslunmps.dll",Init
O4 - HKLM\..\Run: [gvjymwnm] C:\Program Files\Vwbyprah\gvjymwnm.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOW\dinst.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [BHOZapper] C:\Program Files\BHOZapper\BHOZapper.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [adorttdl] C:\Program Files\Vbijgjng\adorttdl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ynozujiz] regsvr32 /u "C:\Documents and Settings\All Users.WINDOW\Application Data\ynozujiz.dll"
O4 - HKLM\..\Run: [uxfmhxpl] C:\Program Files\Bhddeivz\uxfmhxpl.exe
O4 - HKLM\..\Run: [lphc5ahj0encj] C:\WINDOW\system32\lphc5ahj0encj.exe
O4 - HKLM\..\Run: [odejetob] regsvr32 /u "C:\Documents and Settings\All Users.WINDOW\Application Data\odejetob.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [zvvktswg] C:\Program Files\Uvonsmcn\zvvktswg.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Ultimate Cleaner] "C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe" hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'Default user')
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: MOG-O-MATIC.lnk = C:\Program Files\MOG-O-MATIC\MogClient.exe
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire2\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} -
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOW\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOW\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOW\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOW\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOW\system32\YPCSER~1.EXE

--
End of file - 12032 bytes

---

Alright, posted at BleepingComputer. One problem I immediately see in that log, though, is the following line:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://localhost:9100/proxy.pac

Something is monitoring you, it may be the Fiddler program I talked about earlier, or it may be malware. Don't do anything yet, though, until I get a reply to the thread at BleepingComputer.

EDIT: Reply times are quite slow on BleepingComputer, even though it is a very active forum. They do log analysis in order, so don't worry if there are no replies for a few days, they're getting to you.

EDIT PART 2: Did you recently install Daemon Tools? You seem to have their search site as your homepage.

Also, the Hijackthis.de analysis tool is highlighting a bunch of new executable files and DLLs in the system32 and Windows folder.

Thanks for the help Jelly, Trinx and ~*thA_PuPPeTMaSTa*~!

I Swear I had dislexia for a second there when I looked at Blinds Title danneb, Maybe im somewhat dislexic, I remember when i was young, I had problems with the difference between b and d

Yes. I recently installed Daemon tools. JELLY

Did you take care to uncheck the Toolbar and Homepage options during the installation?

If you let the installation go ahead as default, check around in Add/Remove programs for an entry like "Daemon Tools Toolbar" or something similar. Remove it. Daemon tools will still work after.

You can change the Internet Explorer homepage manually by going into Internet Options.

This is only a minor problem though, as far as I can tell, compared to the state of the rest of your computer. I'm still waiting for a reply to the BleepingComputer thread, so I can't tell you to change too much or the HijackThis log that I posted will be less accurate.

Any news yet my gelatinous friend?

Not yet; they look pretty busy so it might be another few days. Sorry about the wait, but they'll know more about what you've got than I do.

Thanks Gelatinous!

Nvm...

Ad-Aware is a legitimate process; his computer is being slowed by malware, not anti-malware.

Oh, sorry, I thought it was spyware for a minute...

I'll tell you a secret Blind: the people at BleepingComputer are being a bit slow. It is entirely up to you whether you do this, but I've created a little archive with Combofix and Stinger and put it on Rapidshare. You can follow the instructions in the archive to run Combofix, and Stinger should be simple enough to figure out.

Run it in Safe Mode WITHOUT network support.

This may fix your main problems, and allow you to solve the lesser ones using traditional Anti-Virus programs. It may also not help at all or it could cause data loss or corruption. Do this only if you need a solution quickly.

Enough deterrents, the archive is here: http://rapidshare.com/files/14265466...-_Possibly.zip

I'll still keep an eye on the BleepingComputer thread, but doing this will make the HijackThis log pretty obselete if you remove something. That said, I think it's the thing they'll recommend you do anyway.

I shall wait until they respond! And I'll do that as a second last resort, last being a reformat which I really do not want to do :[

:? :(!

inorite. 10 days so far, no reply :/

Made a post drawing attention to it in the relevant topic, but nothing yet.

Those bitches best hurry up or I'm bound to blast them with my bazooka.

OMG JELLY :|~~

my cousin just had the same problem, fake antivirus popping up all the time, google search redirect, disabled task manager and internet.

ran a scan with Malwarebytes' Anti-Malware and it fixed it all after one scan.

Maybe if I check the thread more than twice a day they will pay more attention to it?

The thread link is on the first page of the "Not had a reply in five days?" topic, so we should be seen to soon enough.

Or they may forget :3

Firefox can't establish a connection to the server at www.malwarebytes.org.

So, can't connect to that. Most computer help websites, and can't download anything from Microsoft.com.

Yeah, if they tell you to download anything I'll make a Rapidshare mirror. Unless that's blocked too?

EDIT: Try this link

Rapidshare is a-ok.

http://rapidshare.com/files/144776970/mbam-setup.exe

That's Malwarebytes' setup file.

syk (L)

UPDATE: REPLY

Quote:

---

Hello, Jelly_man.
:welcome: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:

• While a HJT Team member is working with you, please refrain from making any changes to your computer.
• Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Please reply using the http://www.bleepingcomputer.com/foru...bc/t_reply.gif button in the lower left hand corner of your screen.
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :wink:.

Billy3

---

So basically, post a new Hijackthis log so they can see what's happened in the ~2 weeks it took for them to reply.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:45 AM, on 14/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)
Boot mode: Normal

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\Ati2evxx.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOW\system32\LEXBCES.EXE
C:\WINDOW\system32\spoolsv.exe
C:\WINDOW\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOW\system32\PnkBstrA.exe
C:\WINDOW\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOW\Explorer.EXE
C:\WINDOW\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOW\system32\taskmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\RYAN\Application Data\Mozilla\Profiles\default\4s4fviwn.slt\prefs.j s)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {5C9DD472-6E0E-D741-C444-09655A1519B9} - (no file)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} -
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOW\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOW\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOW\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOW\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOW\system32\YPCSER~1.EXE

--
End of file - 8632 bytes

this might be n00bish but i run spybot S&D and it clears all all spyware, adware and all that other crap. By the way, what .exe did u try to run that caused all of this

I ran yourmom.exe and it did all of this.
Yeah.

Finally a possible solution:

Quote:

---

Originally Posted by Billy O'Neal

Hello, Jelly_man.
Viewpoint is considered foistware instead of malware because it is installed without users approval, but doesn't spy or do anything "bad". You may like to read this article about the potential of this Viewpoint software here:
http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on Start > Run... > and then paste the following into the "Open" field: "appwiz.cpl" and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, and/or Viewpoint Media Player.

We have to remove some entries in HiJack This

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
   R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
   R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
   O2 - BHO: (no name) - {5C9DD472-6E0E-D741-C444-09655A1519B9} - (no file)
   O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} -
   O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} -
   O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
   O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
   O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
   O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
   O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
   O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
   O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
2. Close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
2. Scroll down to where it says "Java Runtime Environment (JRE)6 Update 7...allows end-users to run Java applications".
3. Click the "Download" button to the right.
4. Select your Platform: "Windows".
5. Select your Language: "Multi-Language".
6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
7. Click Continue and the page will refresh.
8. Click on the link to download Windows Offline Installation and save the file to your desktop.
9. Close any programs you may have running - especially your web browser.
10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
12. Click the Remove or Change/Remove button.
13. Follow the onscreen instructions for the Java uninstaller.
14. Repeat as many times as necessary to remove each Java version.
15. Reboot your computer once all Java components are removed.
16. Then from your desktop double-click on jre-6u7-windows-i586-p.exe
17. Follow the on screen instructions to install the latest Java version.

I would like us to use ESET (NOD32)'s Online Scanner

1. Please go to ESET OnlineScan (NOD32)
2. You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
3. Now click Start
4. Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
5. Click Start
   • Note: (the Onlinescanner will now prepare itself for running on your pc)
6. To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
7. Press Scan
8. The Onlinescan will now start and scan your pc (this could take a while)
9. When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
10. Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
11. The Scanresults will now open in Notepad
12. Click into the text area, right-click and chose "select all" (or use <Control>+A)
13. Right-click again and chose "Copy" (or <Control>+C)
14. Close/Exit Notepad
15. Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.

Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:

• ESET OnlineScan's Log
• A new HJT Log

Billy3

---

Failed to Connect













Firefox can't establish a connection to the server at www.eset.com.







Though the site seems valid, the browser was unable to establish a connection.

* Could the site be temporarily unavailable? Try again later.
* Are you unable to browse other sites? Check the computer's network connection.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.

:|

... so why not just reformat and be done with this?

im sure you can backup anything you need onto a flash drive.

Did you close all other programs while removing the relevant entrys? Did you restart after removing them?

Yes.
Yes I did.

Quote:

---

Originally Posted by Billy O'Neal

Hello, Jelly_man.
We need to run OTScanIt
Before running a new scan let's clean out the temporary folders.
Download ATF Cleaner to your Desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Click Select All found at the bottom of the list.
• Click the Empty Selected button.

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
• Close ALL Internet browsers (very important).
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
• In the Drivers section click on Non-Microsoft.
• In the Rootkit Search area select Yes
• Under Additional Scans click the checkboxes in front of the following items to select them:
  • Reg - BotCheck
    Reg - Disabled MS Config Items
    Reg - File Associations
    Reg - Uninstall List
    File - Additional Folder Scans
    
• Do not change any other settings.
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
• Save the file to your desktop or other location where you can find it back.

Use the Add Reply button and attach the file in your next post.

In your next reply, please include the following:

• OTScanIt Report

Billy3

---

Rapidshare downloads for the relevant files:

http://rapidshare.com/files/14662269...ware_stuff.rar

Unrar and both of the executables should be there.

Quote:

---

Originally Posted by StankBacon™

... so why not just reformat and be done with this?

im sure you can backup anything you need onto a flash drive.

---

*cough*

I gave this route as the other option to reformatting. He took it; he doesn't want to reformat.

and its been what, 2 weeks?

reformat would take 20 minutes...

But counting Windows updates (if he's running XP)and such, it could take forever, I remember having to reformat my computer every 2 weeks...

Anyways, reformating sounds like the best idea, but make sure to backup important files to another computer, just make sure nothing will infect the other computer while copying the files over.

DVD's are a wonderful thing :) Just don't make the same mistake I did and copy your documents and settings too (my IE scripts were fucked up beyond repair after I tried that, making me glad that I have a laptop to use now...)

Quote:

---

Originally Posted by Billy O'Neal

Hello, Jelly_man.
You have a Peer-To-Peer program installed.
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

We need to run an OTScanIt Fix

1. Please reopen http://billy-oneal.com/Canned%20Spee...derdesktop.png
2. Click on http://billy-oneal.com/Canned%20Spee...itinfolder.png
3. In the http://billy-oneal.com/Canned%20Spee...s/pastefix.png area copy and paste in the following (Do not include the word CODE)
   
   Code:

   ---

   [Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{2499216C-4BA5-11D5-BD9C-000103C116D5} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{3369AF0D-62E9-4bda-8103-B4C75499B578} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{461CC20B-FB6E-4f16-8FE8-C29359DB100E} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{6224f700-cba3-4071-b251-47cb894244cd} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{669695BC-A811-4A9D-8CDF-BA8C795F261C} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{B13B4423-2647-4cfc-A4B3-C7D56CB83487} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> Á³#  L"h'þ9ÓÅ“ð3rÅWC: hkey= key= ->
YN -> adorttdl hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Vbijgjng\adorttdl.exe
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
YN -> .com [@ = comfile] -> Reg Error: Value  does not exist or could not be read.
YN -> .js [@ = JSFile] -> Reg Error: Key does not exist or could not be opened.
[Files/Folders - Created Within 30 days]
NY -> 1 C:\WINDOW\System32\*.tmp files -> C:\WINDOW\System32\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]

   ---

4. Press the http://billy-oneal.com/Canned%20Spee...anitrunfix.png button.
5. Copy/Paste the resultant report in a reply here

We need to repair your Hosts file

1. Download HostsXpert.zip
2. Extract (unzip) HostsXpert.zip to a a permanent folder on your hard drive such as C:\HostsXpert
3. Double-click HostsXpert.exe to run the program.
4. Click "Make Hosts Writable?" in the upper right corner (If available).
5. Click "Restore Microsoft's Hosts file" and then click "OK".
6. Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Please let me know if ESET works now :)

In your next reply, please include the following:

• OtScanIt Fix Report
• A new HJT Log

Billy3

---

HostsXpert rapidshare mirror: http://rapidshare.com/files/147068758/HostsXpert.zip

Quote:

---

Originally Posted by OTScan

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{2499216C-4BA5-11D5-BD9C-000103C116D5} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2499216 C-4BA5-11D5-BD9C-000103C116D5}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{3369AF0D-62E9-4bda-8103-B4C75499B578} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3369AF0 D-62E9-4bda-8103-B4C75499B578}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44226DF F-747E-4edc-B30C-78752E50CD0C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{461CC20B-FB6E-4f16-8FE8-C29359DB100E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{461CC20 B-FB6E-4f16-8FE8-C29359DB100E}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{6224f700-cba3-4071-b251-47cb894244cd} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6224f70 0-cba3-4071-b251-47cb894244cd}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{669695BC-A811-4A9D-8CDF-BA8C795F261C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{669695B C-A811-4A9D-8CDF-BA8C795F261C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC9E254 1-2814-11d5-BC6D-00B0D0A1DE45}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{B13B4423-2647-4cfc-A4B3-C7D56CB83487} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B13B442 3-2647-4cfc-A4B3-C7D56CB83487}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF819DA 3-9882-4944-ADF5-6EF17ECF3C6E}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9ÓÅ“ð3rÅWC: hkey= key=\ not found.
File not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\adorttdl hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com\\'' updated successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\\'' updated successfully.
[Files/Folders - Created Within 30 days]
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\ryan\Local Settings\Temp\etilqs_KkJrZ0WQfwc6sRPZikph scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOW\temp\ scheduled to be deleted on reboot.
File delete failed. C:\WINDOW\temp\ scheduled to be deleted on reboot.
File delete failed. C:\WINDOW\temp\ scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 09212008_142414

Files moved on Reboot...
File C:\Documents and Settings\ryan\Local Settings\Temp\etilqs_KkJrZ0WQfwc6sRPZikph not found!
Folder move failed. C:\WINDOW\temp\ scheduled to be moved on reboot.

---

Quote:

---

Originally Posted by HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:27 PM, on 21/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)
Boot mode: Normal

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\Ati2evxx.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOW\system32\LEXBCES.EXE
C:\WINDOW\system32\spoolsv.exe
C:\WINDOW\system32\LEXPPS.EXE
C:\WINDOW\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOW\system32\PnkBstrA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOW\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOW\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOW\system32\mdm.exe
C:\WINDOW\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOW\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOW\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\RYAN\Application Data\Mozilla\Profiles\default\4s4fviwn.slt\prefs.j s)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOW\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOW\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOW\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOW\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOW\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOW\system32\YPCSER~1.EXE

--
End of file - 7712 bytes

---

And still can't get to ESET.
sup page load errors

Did you restart after doing those things? Were all browsers closed?

Does this link load for you, or does it fail to load as before?

Yes I did Jelly.
And no it does not.
But I'll try again?

Quote:

---

Originally Posted by Billy O'Neal

Hello, Jelly_man.
We need to run ComboFix.

1. Please disable any running anti-virus programs.
   
   If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html
2. Please visit the following page for instructions on running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix
3. Please ensure you read this guide carefully and install the Recovery Console first.
   Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
4. After you install the recovery console, will see this window.
   http://billy-oneal.com/BleepingCompu...Shots/cfrc.png
   Please select Yes.
5. When the tool is finished, it will produce a report for you. Copy and paste that report in a reply here.

In your next reply, please include the following:

• ComboFix.txt

Billy3

---

ComboFix files and tutorial HTML pages:
http://rapidshare.com/files/14743950...ofix_files.rar

Blind wru!

OKAY.
When I tried to do the part of installing that shit where you drag the one file onto the other one, it didn't work.


But.
I can go to the ESET site and BleepingComputer now.

Oh good.

Will tell the guy.

He wants the ComboFix log, Blind. You still got it?

This is just checking you're not infected any more, I'm guessing.

Quote:

---

ComboFix 08-09-03.06 - ryan 2008-09-22 16:59:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.162 [GMT -4:00]
Running from: C:\Documents and Settings\ryan\Desktop\Anti-Malware_stuff\Combofix_files\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ntldr.exe
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
C:\WINDOW\system32\actskn43.ocx
C:\WINDOW\system32\cache329
C:\WINDOW\system32\cache329\B_329_0_0_106800.htm
C:\WINDOW\system32\cache329\B_329_0_0_107400.htm
C:\WINDOW\system32\cache329\B_329_1_0_449200.gif
C:\WINDOW\system32\cache329\B_329_1_0_449600.gif
C:\WINDOW\system32\cache329\B_329_1_0_454300.gif
C:\WINDOW\system32\cache329\B_329_2_0_106800.htm
C:\WINDOW\system32\cache329\B_329_2_0_107400.htm
C:\WINDOW\system32\cache329\B_329_3_0_106800.htm
C:\WINDOW\system32\cache329\B_329_3_0_107400.htm
C:\WINDOW\system32\cache329\B_329_4_0_111600.htm
C:\WINDOW\system32\cache329\B_329_4_0_152400.htm
C:\WINDOW\system32\cache329\B_329_4_0_155300.htm
C:\WINDOW\system32\cache329\B_329_4_0_164100.htm
C:\WINDOW\system32\cache329\t_B_329_0_0_106800.htm
C:\WINDOW\system32\cache329\t_B_329_0_0_107400.htm
C:\WINDOW\system32\cache329\t_B_329_2_0_106800.htm
C:\WINDOW\system32\cache329\t_B_329_2_0_107400.htm
C:\WINDOW\system32\cache329\t_B_329_3_0_106800.htm
C:\WINDOW\system32\cache329\t_B_329_3_0_107400.htm
C:\WINDOW\system32\cache329\t_B_329_4_0_111600.htm
C:\WINDOW\system32\cache329\t_B_329_4_0_152400.htm
C:\WINDOW\system32\cache329\t_B_329_4_0_155300.htm
C:\WINDOW\system32\cache329\t_B_329_4_0_164100.htm
C:\WINDOW\system32\mdm.exe
C:\WINDOW\system32\tdssadw.dll
C:\WINDOW\system32\tdssinit.dll
C:\WINDOW\system32\tdssl.dll
C:\WINDOW\system32\tdsslog.dll
C:\WINDOW\system32\tdssmain.dll
C:\WINDOW\system32\tdssservers.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-21 14:40 . 2008-09-21 14:40 <DIR> d-------- C:\HostsXpert
2008-09-21 14:24 . 2008-09-21 14:24 <DIR> d-------- C:\_OTScanIt
2008-09-18 16:24 . 2008-09-18 16:24 <DIR> d-------- C:\Program Files\LimeWire
2008-09-16 11:19 . 2008-09-16 11:19 <DIR> d-------- C:\Program Files\Sun
2008-09-12 17:05 . 2008-09-12 17:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-12 17:05 . 2008-09-12 17:05 <DIR> d-------- C:\Documents and Settings\ryan\Application Data\Malwarebytes
2008-09-12 17:05 . 2008-09-12 17:05 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW\Application Data\Malwarebytes
2008-09-12 17:05 . 2008-09-10 00:04 38,528 --a------ C:\WINDOW\system32\drivers\mbamswissarmy.sys
2008-09-12 17:05 . 2008-09-10 00:03 17,200 --a------ C:\WINDOW\system32\drivers\mbam.sys
2008-09-02 09:06 . 2008-09-02 09:06 158,556 --a------ C:\Vtks Revolt.ttf
2008-08-31 21:05 . 2008-08-31 21:05 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-30 16:07 . 2008-09-07 18:38 <DIR> d-------- C:\fixwareout
2008-08-30 15:29 . 2008-08-30 15:29 <DIR> d-------- C:\Program Files\AIM6
2008-08-30 15:29 . 2008-08-30 15:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOW\Application Data\acccore
2008-08-30 15:03 . 2008-08-30 15:03 <DIR> d-------- C:\Program Files\Uvonsmcn2
2008-08-30 15:03 . 2008-08-30 15:03 <DIR> d-------- C:\Program Files\Uvonsmcn
2008-08-30 15:02 . 2008-09-11 09:52 <DIR> d-------- C:\Program Files\Apaflbcv
2008-08-30 13:36 . 2008-08-30 13:36 5,069,649 --a------ C:\Documents and Settings\All Users.aawqff
2008-08-30 12:34 . 2008-08-30 12:34 <DIR> d-------- C:\WINDOW\system32\unnefmim
2008-08-30 12:34 . 2008-08-30 12:34 <DIR> d-------- C:\Program Files\Bhddeivz2
2008-08-30 12:34 . 2008-08-30 12:34 <DIR> d-------- C:\Program Files\Bhddeivz
2008-08-30 12:33 . 2008-08-30 12:33 <DIR> d-------- C:\Program Files\Macclkop
2008-08-30 11:52 . 2008-08-30 11:52 <DIR> d-------- C:\WINDOW\system32\scripting
2008-08-30 11:52 . 2008-08-30 11:52 <DIR> d-------- C:\WINDOW\system32\en
2008-08-30 11:52 . 2008-08-30 11:52 <DIR> d-------- C:\WINDOW\l2schemas
2008-08-28 23:28 . 2008-04-13 20:12 69,120 --------- C:\WINDOW\system32\wlanapi.dll
2008-08-28 23:28 . 2008-04-13 20:12 53,248 --------- C:\WINDOW\system32\tsgqec.dll
2008-08-28 23:28 . 2008-04-13 20:12 50,688 --------- C:\WINDOW\system32\tspkg.dll
2008-08-28 23:26 . 2008-04-13 20:11 397,312 --------- C:\WINDOW\system32\mmcex.dll
2008-08-28 23:25 . 2008-04-13 20:11 650,752 --------- C:\WINDOW\system32\dot3ui.dll
2008-08-28 19:18 . 2008-08-28 19:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 16:52 . 2008-08-28 16:52 12,288 --------- C:\WINDOW\system32\tdssserf.dll
2008-08-27 17:03 . 2008-08-27 17:03 42,320 --a------ C:\WINDOW\system32\xfcodec.dll
2008-08-25 19:10 . 2008-08-25 19:10 <DIR> d-------- C:\Program Files\YouTube Downloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-09-22 19:14 --------- d-----w C:\Program Files\mIRC
2008-09-21 22:03 --------- d-----w C:\Documents and Settings\ryan\Application Data\uTorrent
2008-09-21 19:45 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-09-18 22:14 --------- d-----w C:\Documents and Settings\ryan\Application Data\Xfire
2008-09-18 21:44 --------- d-----w C:\Program Files\Xfire2
2008-09-16 22:13 --------- d-----w C:\Program Files\Java
2008-09-16 15:03 --------- d-----w C:\Program Files\Viewpoint
2008-09-16 15:03 --------- d-----w C:\Documents and Settings\ryan\Application Data\Viewpoint
2008-09-16 15:03 --------- d-----w C:\Documents and Settings\All Users.WINDOW\Application Data\Viewpoint
2008-09-09 23:25 5,282 -c--a-w C:\Documents and Settings\ryan\Application Data\wklnhst.dat
2008-09-03 01:04 --------- d-----w C:\Documents and Settings\All Users.WINDOW\Application Data\Spybot - Search & Destroy
2008-09-02 21:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-31 15:55 --------- d-----w C:\Program Files\Avi2Dvd
2008-08-31 15:47 --------- d-----w C:\Program Files\Sony
2008-08-30 22:17 --------- d-----w C:\Documents and Settings\All Users.WINDOW\Application Data\WLInstaller
2008-08-30 19:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-30 17:36 --------- d-----w C:\Program Files\Utility
2008-08-30 14:38 --------- d-----w C:\Program Files\Image-Line
2008-08-27 23:50 --------- d-----w C:\Program Files\Ulnanshb2
2008-08-27 23:29 --------- d-----w C:\Program Files\Ersaxcgx2
2008-08-25 06:34 --------- d-----w C:\Program Files\Flock
2008-08-21 22:24 --------- d-----w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Application Data\Viewpoint
2008-08-20 23:31 --------- d-----w C:\Program Files\DAEMON Tools
2008-08-20 23:20 717,296 ----a-w C:\WINDOW\system32\drivers\sptd.sys
2008-08-20 23:19 --------- d-----w C:\Documents and Settings\ryan\Application Data\DAEMON Tools
2008-08-15 11:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-12 23:39 --------- d-----w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Application Data\acccore
2008-08-12 20:33 --------- d-----w C:\Program Files\iTunes
2008-08-12 20:33 --------- d-----w C:\Program Files\iPod
2008-08-12 20:21 --------- d-----w C:\Program Files\QuickTime
2008-08-12 02:46 --------- d-----w C:\Program Files\Audiosurf
2008-08-10 01:38 --------- d-----w C:\Program Files\EA GAMES
2008-08-09 17:47 86,024 ----a-w C:\Documents and Settings\ryan\Application Data\GDIPFONTCACHEV1.DAT
2008-08-09 14:09 --------- d-----w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Application Data\MSN6
2008-08-09 13:00 --------- d-----w C:\Program Files\Last.fm
2008-08-09 13:00 --------- d-----w C:\Program Files\GSC
2008-08-09 13:00 --------- d-----w C:\Documents and Settings\ryan\Application Data\InstallShield
2008-08-09 12:59 --------- d-----w C:\Documents and Settings\All Users.WINDOW\Application Data\Last.fm
2008-08-09 12:14 --------- d-----w C:\Program Files\VstPlugins
2008-08-08 04:41 --------- d-----w C:\Program Files\Trillian
2008-07-24 19:51 --------- d-----w C:\Program Files\Microsoft Games
2008-07-19 02:10 94,920 ----a-w C:\WINDOW\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOW\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOW\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOW\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOW\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOW\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOW\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOW\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOW\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOW\system32\muweb.dll
2008-07-18 18:34 586,240 ----a-w C:\WINDOW\WLXPGSS.SCR
2008-07-13 00:02 23 -c--a-w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\jagex_runescape_preferences.dat
2008-07-07 20:26 253,952 ----a-w C:\WINDOW\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOW\system32\mscms.dll
2007-09-10 22:34 22,328 -c--a-w C:\Documents and Settings\ryan\Application Data\PnkBstrK.sys
2006-08-03 21:16 449 -c--a-w C:\Program Files\Shortcut to 1964.lnk
2005-08-11 16:25 0 -c--a-w C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Application Data\wklnhst.dat
2005-04-18 17:51 5,096 -c--a-w C:\Documents and Settings\All Users.WINDOW\Application Data\ypinfo.bin
2005-02-28 22:40 68 -c--a-w C:\Documents and Settings\Unknown User\Application Data\tvmuknwrd.dll
2005-02-28 21:44 35 -c--a-w C:\Documents and Settings\Jesse\Application Data\tvmcwrd.dll
2005-02-28 21:44 103 -c--a-w C:\Documents and Settings\Jesse\Application Data\tvmuknwrd.dll
2005-02-28 21:39 60 -c--a-w C:\Documents and Settings\Jesse\Application Data\tvmdmns.dll
2005-02-28 21:26 63 -c--a-w C:\Documents and Settings\david\Application Data\tvmuknwrd.dll
2005-02-28 21:26 28 -c--a-w C:\Documents and Settings\david\Application Data\tvmcwrd.dll
2005-02-28 20:49 37 -c--a-w C:\Documents and Settings\DAVS\Application Data\tvmcwrd.dll
2005-02-28 02:56 0 -c--a-w C:\Documents and Settings\DAVS\Application Data\wklnhst.dat
2005-02-26 20:36 151 -c--a-w C:\Documents and Settings\dfdavid\Application Data\tvmuknwrd.dll
2005-02-14 19:43 5,684 -c--a-w C:\Documents and Settings\dfdavid\Application Data\wklnhst.dat
2004-12-17 00:49 0 -csha-r C:\Program Files\q330994.exe
2004-11-02 18:34 0 -c--a-w C:\Documents and Settings\david\Application Data\wklnhst.dat
2004-10-10 15:59 59,776 -c--a-w C:\Documents and Settings\dfdavid\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 22:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2005-07-21 01:14 10,856 -csha-w C:\WINDOW\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-14 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

C:\Documents and Settings\jesse.DAVID-REPZ4PHA9\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-11-24 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= jl_mjpg2.drv
"VIDC.PIM1"= pclepim1.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOW^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOW\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOW^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOW\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOW^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=C:\WINDOW\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=C:\WINDOW\pss\Anapod Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOW\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^MOG-O-MATIC.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\MOG-O-MATIC.lnk
backup=C:\WINDOW\pss\MOG-O-MATIC.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^World Community Grid Agent.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\World Community Grid Agent.lnk
backup=C:\WINDOW\pss\World Community Grid Agent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ryan^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\ryan\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOW\pss\Xfire.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2005-06-07 00:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 11:21 50472 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--a--c--- 2006-04-11 11:49 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
--a--c--- 2006-04-11 11:49 185456 C:\Program Files\Yahoo!\Antivirus\CAVRid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 08:11 490952 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gvjymwnm]
--a--c--- 2007-08-03 15:52 46080 C:\Program Files\Vwbyprah\gvjymwnm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-13 01:22 57344 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-14 18:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uxfmhxpl]
--a------ 2008-08-30 12:34 41984 C:\Program Files\Bhddeivz\uxfmhxpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wxyripyr]
--a--c--- 2007-08-03 15:52 65536 C:\Program Files\wxyripyr\gbqrorqf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xfire Music]
--a--c--- 2006-04-13 20:12 246201 C:\Program Files\Xfire\xfiremusic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-09-14 13:26 3084288 C:\Program Files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2005-06-17 00:30 401408 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zvvktswg]
--a------ 2008-08-30 15:03 41984 C:\Program Files\Uvonsmcn\zvvktswg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOW\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloceded.exe"=
"C:\\WINDOW\\system32\\rtcshare.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\StubInstaller.exe"=
"C:\\SNES\\zsnesw.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOW\\system32\\dpvsetup.exe"=
"C:\\WINDOW\\system32\\rundll32.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\WINDOW\\system32\\PnkBstrA.exe"=
"C:\\WINDOW\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Xfire2\\xfire.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\ryan\\Desktop\\MSN Lite 7.5.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"22478:TCP"= 22478:TCP:BitComet 22478 TCP
"22478:UDP"= 22478:UDP:BitComet 22478 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3007:UDP"= 3007:UDP:Windows Media Format SDK (Iexplore.exe)
"3006:UDP"= 3006:UDP:Windows Media Format SDK (Iexplore.exe)
"3011:UDP"= 3011:UDP:Windows Media Format SDK (Iexplore.exe)

S3 JL2005;JL2005A Toy Camera;C:\WINDOW\system32\Drivers\toywdm.sys [2003-11-14 70472]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOW\system32\dri vers\mbamswissarmy.sys [2008-09-10 38528]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOW\system32\drivers\npf.sys [2005-08-02 32512]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-iLike - C:\Program Files\iLike\1.1.41\ilikesidebar.exe
MSConfigStartUp-adorttdl - C:\Program Files\Vbijgjng\adorttdl.exe
MSConfigStartUp-AppleSyncNotifier - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-ATI Launchpad - C:\Program Files\ATI Multimedia\main\launchpd.exe
MSConfigStartUp-ATI Remote Control - C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
MSConfigStartUp-ATICCC - C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
MSConfigStartUp-BHOZapper - C:\Program Files\BHOZapper\BHOZapper.exe
MSConfigStartUp-Dinst - C:\WINDOW\dinst.exe
MSConfigStartUp-lphc5ahj0encj - C:\WINDOW\system32\lphc5ahj0encj.exe
MSConfigStartUp-odejetob - C:\Documents and Settings\All Users.WINDOW\Application Data\odejetob.dll
MSConfigStartUp-pclsdanc - C:\Program Files\pclsdanc\rslunmps.dll
MSConfigStartUp-PdPYgu - C:\WINDOW\sunqu.exe
MSConfigStartUp-PicasaNet - C:\Program Files\Hello\Hello.exe
MSConfigStartUp-SC2 - C:\Program Files\SecCenter\scprot4.exe
MSConfigStartUp-SemanticInsight - C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
MSConfigStartUp-Steam - c:\program files\steam\steam.exe
MSConfigStartUp-STYLEXP - C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
MSConfigStartUp-tekucvbd - c:\window\system32\tekucvbd.exe
MSConfigStartUp-TFGcm - C:\WINDOW\sunqu.exe
MSConfigStartUp-Ultimate Cleaner - C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe
MSConfigStartUp-Uniblue Registry Booster - C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe
MSConfigStartUp-velqrmlo - C:\Program Files\velqrmlo\ngbyhsby.dll
MSConfigStartUp-ynozujiz - C:\Documents and Settings\All Users.WINDOW\Application Data\ynozujiz.dll
MSConfigStartUp-istsvc - C:\WINDOW\sunqu.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\ryan\Application Data\Mozilla\Firefox\Profiles\26ukzymq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en&gl=
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npvlc.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - C:\WINDOW\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 17:03:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\P SSdk21]
"ImagePath"="\??\C:\WINDOW\system32\Drivers\HNPsSd k.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\P SSdk23]
"ImagePath"="\??\C:\WINDOW\system32\Drivers\PsSdk2 3.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\t dssserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv .sys"
.
Completion time: 2008-09-22 17:12:59
ComboFix-quarantined-files.txt 2008-09-22 21:12:19

Pre-Run: 62,857,252,864 bytes free
Post-Run: 64,988,688,384 bytes free

355 --- E O F --- 2008-09-19 11:14:03

---

i luh da pussy

Quote:

---

Originally Posted by Billy O'Neal

Hello, Jelly_man.

Quote:

---

- REDUCED FUNCTIONALITY MODE -

---

When you run ComboFix, you MUST download a new copy. Your copy is expired. This is likely why the console installation failed.

It should also be noted that the RC filename must be left intact. Please do not rename the file when you download it.

Please delete any existing copies of ComboFix on your system, redownload it, re-run, and post a fresh log here :)

Billy3

---

Since the sites work now, you can find links to ComboFix.exe downloads here.

Blindddd. Update?

Quote:

---

Originally Posted by blind

K so.
Google is back to redirecting to weird shit.
Login screen stays on the "Starting up Windows" screen unless its in Safe mode.
When I FINALLY got into my account without using safe mode, it was fine for about an hour and then MSN and Task manager randomly froze and then about a minute later Firefox froze too.

---

Yea you got a BUNCH of serious shit in your computer...

You're going to need to backup your files and reinstall Windows.

Even if you get rid of all the visible shit (including "ilikesearchbar") there's no guarantee that there isn't a rootkit with a higher admin status than you are... and there's no guarantee that the virus didn't unpatch Windows making it easier to get further infections.

Backup and format's the only way to go now... you could keep trying to manually uninstall stuff... but these days there's too much money in keeping your computer infected it's just plain not feasible. You never know if you got everything, you never know what security holes were created/unpatched, and you never know if there's a rootkit playing with your admin levels to keep MORE shit hidden or a hacker's way in.

I get people all the time who say "I'd know if I had a virus!" And those are the people who are the most clueless...

But who's to say the rootkit hasn't infected his motherboard's BIOS?! What if he's a testbed for all of the hacker's new exploits?! Stay away from me Blind, you filthy unclean!

Seriously, he's not got a rootkit from a simple infection like this. Modified HOSTS file, new startup objects and a false proxy, all of which have been fixed. Probably.

Blind where's my update!

reformat and be done with this.

Quote:

---

Originally Posted by Jelly

But who's to say the rootkit hasn't infected his motherboard's BIOS?! What if he's a testbed for all of the hacker's new exploits?! Stay away from me Blind, you filthy unclean!

Seriously, he's not got a rootkit from a simple infection like this. Modified HOSTS file, new startup objects and a false proxy, all of which have been fixed. Probably.

Blind where's my update!

---

If you say you don't have a rootkit you have no idea about modern-day malware.

If you were so sure you didn't have a rootkit... ever install Norton or McAfee? Yea, you have a rootkit. Didn't know they install one {albeit for "good" purposes... essentially is a hacky way to force people to run in a somewhat limited user mode while still outwardly-appearing like an Admin.}? Go figure. A rootkit you didn't know about...

I knew Kaspersky and McAfee and most other security suites use kernel hooks and rootkits. That isn't a bad thing.

Quote:

---

Originally Posted by Jelly

I knew Kaspersky and McAfee and most other security suites use kernel hooks and rootkits. That isn't a bad thing.

---

Oh I know... they use it for good reasons.

The problem is:
1) Obviously this makes it hard for Microsoft to patch.
2) (and most relevant) -- It's not that it's good or bad, it's that it's in your system and you had no clue. Well I mean, you do -- but the thing is -- it's next-to-impossible to know there's a rootkit installed on your system.

kthx Blind, the BleepingComputer topic has been closed due to inactivity.

finally, now just reformat and end this shit.

My suggestion. Download AnVir Task Manager. When you run it, AnVir shows you all startup programs and Windows processes, so you’ll find harmful file in a minute. I always use it when I clean one’s PC. Sorry for the offtopic.

Quote:

---

Originally Posted by inspectorweb

My suggestion. Download AnVir Task Manager. When you run it, AnVir shows you all startup programs and Windows processes, so you’ll find harmful file in a minute. I always use it when I clean one’s PC. Sorry for the offtopic.

---

I love it when bots/spammers bump 2 year old threads started by banned members, anyone else?