
Thread: Pipas.A problem too!

  1. #1
    Junior Member
    Join Date
    Feb 2006
    Posts
    9

    Pipas.A problem too!

    Like many before I have been trying to fix a Pipas.A problem with no success. Kinda learning as I go. Able to clean my system with Spybot, ran Norton AV and Adware, but after each boot it comes back. Downloaded the Fixwareout suggestion (log included below) and ran it, but Pipas.A came back. Attached the SpybotSD report (I had to cut some of the data to fit on the thread, but can resend if needed). Not sure what else might be needed to help.


    --- Search result list ---
    Pipas.A: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins


    --- Spybot - Search && Destroy version: 1.3 ---
    2006-02-24 Includes\Cookies.sbi
    2006-02-24 Includes\Dialer.sbi
    2006-02-24 Includes\Hijackers.sbi
    2006-02-24 Includes\Keyloggers.sbi
    2004-11-29 Includes\LSP.sbi
    2006-02-24 Includes\Malware.sbi
    2006-02-24 Includes\PUPS.sbi
    2006-02-24 Includes\Revision.sbi
    2006-02-24 Includes\Security.sbi
    2006-02-24 Includes\Spybots.sbi
    2005-02-17 Includes\Tracks.uti
    2006-02-24 Includes\Trojans.sbi


    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / DataAccess: Patch Available For XMLHTTP Vulnerability
    / DataAccess: Patch Available For XMLHTTP Vulnerability
    / DataAccess: Security Update for Microsoft Data Access Components
    / Internet Explorer 6 / SP0: Windows XP Hotfix - KB834707
    / Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
    / Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
    / Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
    / Windows Media Player: Windows Media Update 320920
    / Windows XP / SP2: Windows XP Service Pack 2
    / Windows XP / SP3: Windows XP Hotfix - KB834707
    / Windows XP / SP3: Windows XP Hotfix - KB867282
    / Windows XP / SP3: Windows XP Hotfix - KB873333
    / Windows XP / SP3: Windows XP Hotfix - KB873339
    / Windows XP / SP3: Security Update for Windows XP (KB883939)
    / Windows XP / SP3: Windows XP Hotfix - KB885250
    / Windows XP / SP3: Windows XP Hotfix - KB885835
    / Windows XP / SP3: Windows XP Hotfix - KB885836
    / Windows XP / SP3: Windows XP Hotfix - KB886185
    / Windows XP / SP3: Windows XP Hotfix - KB887472
    / Windows XP / SP3: Windows XP Hotfix - KB887742
    / Windows XP / SP3: Windows XP Hotfix - KB888113
    / Windows XP / SP3: Windows XP Hotfix - KB888302
    / Windows XP / SP3: Security Update for Windows XP (KB890046)
    / Windows XP / SP3: Windows XP Hotfix - KB890047
    / Windows XP / SP3: Windows XP Hotfix - KB890175
    / Windows XP / SP3: Windows XP Hotfix - KB890859
    / Windows XP / SP3: Windows XP Hotfix - KB890923
    / Windows XP / SP3: Windows XP Hotfix - KB891781
    / Windows XP / SP3: Security Update for Windows XP (KB893066)
    / Windows XP / SP3: Windows XP Hotfix - KB893086
    / Windows XP / SP3: Security Update for Windows XP (KB893756)
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)
    / Windows XP / SP3: Update for Windows XP (KB894391)
    / Windows XP / SP3: Security Update for Windows XP (KB896358)
    / Windows XP / SP3: Security Update for Windows XP (KB896422)
    / Windows XP / SP3: Security Update for Windows XP (KB896423)
    / Windows XP / SP3: Security Update for Windows XP (KB896424)
    / Windows XP / SP3: Security Update for Windows XP (KB896428)
    / Windows XP / SP3: Security Update for Windows XP (KB896688)
    / Windows XP / SP3: Update for Windows XP (KB896727)
    / Windows XP / SP3: Update for Windows XP (KB898461)
    / Windows XP / SP3: Security Update for Windows XP (KB899587)
    / Windows XP / SP3: Security Update for Windows XP (KB899588)
    / Windows XP / SP3: Security Update for Windows XP (KB899591)
    / Windows XP / SP3: Security Update for Windows XP (KB900725)
    / Windows XP / SP3: Security Update for Windows XP (KB901017)
    / Windows XP / SP3: Security Update for Windows XP (KB901214)
    / Windows XP / SP3: Security Update for Windows XP (KB902400)
    / Windows XP / SP3: Security Update for Windows XP (KB903235)
    / Windows XP / SP3: Security Update for Windows XP (KB904706)
    / Windows XP / SP3: Security Update for Windows XP (KB905414)
    / Windows XP / SP3: Security Update for Windows XP (KB905749)
    / Windows XP / SP3: Security Update for Windows XP (KB905915)
    / Windows XP / SP3: Security Update for Windows XP (KB908519)
    / Windows XP / SP3: Update for Windows XP (KB910437)
    / Windows XP / SP3: Security Update for Windows XP (KB911927)
    / Windows XP / SP3: Security Update for Windows XP (KB912919)
    / Windows XP / SP3: Security Update for Windows XP (KB913446)


    --- Startup entries list ---
    Located: HK_LM:Run, ccApp
    command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    size: 59040
    MD5: 2a373cda6d5dced20ec56fe7d9e47e5c

    Located: HK_LM:Run, cmon14
    command: defect08.exe


    --
    --- Process list ---
    Spybot - Search && Destroy process list report, 2/27/2006 10:23:55 PM

    PID: 0 ( 0) [System]
    PID: 4 ( 0) System
    PID: 144 (1704) C:\Program Files\Norton AntiVirus\navapsvc.exe
    PID: 164 (1704) C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    PID: 168 (1704) C:\WINDOWS\System32\svchost.exe
    PID: 220 (1504) C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    PID: 236 (1704) C:\WINDOWS\System32\svchost.exe
    PID: 352 (1704) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    PID: 416 (1504) C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    PID: 456 (1504) C:\Program Files\Microsoft Office\Office\OSA.EXE
    PID: 460 (1704) C:\Program Files\Dantz\Retrospect\retrorun.exe
    PID: 484 (1704) C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    PID: 520 (1704) C:\WINDOWS\System32\svchost.exe
    PID: 672 (1704) C:\WINDOWS\system32\spoolsv.exe
    PID: 784 (1704) C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    PID: 844 (1704) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    PID: 928 (1704) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    PID: 944 (1504) C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    PID: 960 (1704) C:\WINDOWS\System32\svchost.exe
    PID: 1036 (1704) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    PID: 1052 (1704) C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    PID: 1200 (1704) C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    PID: 1480 (1704) C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    PID: 1504 (1444) C:\WINDOWS\Explorer.EXE
    PID: 1528 (1704) C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    PID: 1572 ( 4) \SystemRoot\System32\smss.exe
    PID: 1636 (1572) \??\C:\WINDOWS\system32\csrss.exe
    PID: 1660 (1572) \??\C:\WINDOWS\system32\winlogon.exe
    PID: 1704 (1660) C:\WINDOWS\system32\services.exe
    PID: 1716 (1660) C:\WINDOWS\system32\lsass.exe
    PID: 1832 (1704) C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    PID: 1872 (1704) C:\WINDOWS\system32\svchost.exe
    PID: 1928 (1704) C:\WINDOWS\system32\svchost.exe
    PID: 2020 (1704) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    PID: 2580 (1704) C:\WINDOWS\System32\alg.exe
    PID: 2748 (1504) C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
    PID: 2768 (1504) C:\WINDOWS\System32\ezSP_Px.exe
    PID: 3276 (1704) C:\WINDOWS\System32\svchost.exe
    PID: 3332 (1504) C:\Program Files\QuickTime\qttask.exe
    PID: 3372 (1504) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    PID: 3432 (1504) C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    PID: 3456 (1504) C:\WINDOWS\LTSMMSG.exe
    PID: 3492 (1504) C:\Program Files\Microsoft IntelliPoint\point32.exe
    PID: 3504 (1504) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    PID: 3512 (1504) C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    PID: 3520 (1504) C:\WINDOWS\system32\WDBtnMgr.exe
    PID: 3528 (1504) C:\Program Files\iTunes\iTunesHelper.exe
    PID: 3600 (1504) C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE
    PID: 3624 (1504) C:\Program Files\Messenger\msmsgs.exe
    PID: 3696 (1504) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    PID: 3708 (1704) C:\Program Files\iPod\bin\iPodService.exe


    --- Browser start & search pages list ---
    Spybot - Search && Destroy browser pages report, 2/27/2006 10:23:55 PM

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    -
    Fixwareout ver 1.003
    Last edited 2/15/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}268492614297-1EAB-21A4-CF50-D6123A7E{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nbilbaj
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dmfof.exe"=-
    ...

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Search by size and names...
    C:\WINDOWS\SYSTEM32\DMFOF.EXE
    C:\WINDOWS\SYSTEM32\CSFPF.EXE
    C:\WINDOWS\SYSTEM32\ENCODEX.EXE
    * csr.exe C:\WINDOWS\System32\CSFPF.EXE
    * csr.exe C:\WINDOWS\System32\ENCODEX.EXE

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    Thanks for any help,

    Stress

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Manually delete these two files:
    C:\WINDOWS\SYSTEM32\DMFOF.EXE
    C:\WINDOWS\SYSTEM32\CSFPF.EXE
    How did that go?

    In Windows Add/Remove Programs, uninstall Spybot, then restart the PC,
    and delete Spybot's folder in Program Files,
    usually > C:\Program Files\Spybot - Search & Destroy
    Then download and install 1.4. Once that's done, check for updates, then check for problems and fix everything found; always reboot if Spybot needs to, to finish the cleanup.
    http://www.safer-networking.org/index.php?page=tutorial
    Download found here
    http://www.safer-networking.org/en/download/index.html

    Let us know if that Pipas key is still there and won't fix or comes back.

  3. #3
    Junior Member
    Join Date
    Feb 2006
    Posts
    9

    follow up

    Lonny,

    Thanks for the advice and will try this later tonight. Had to get some sleep and go to work today. Will not be at the infected computer until late today.

    Stress

  4. #4
    Junior Member
    Join Date
    Feb 2006
    Posts
    9

    tried with no success

    Hi Lonny,

    OK, I said I admit I am not sure what I am doing, but I think I followed your instructions.
    Here's what I did:
    1) Used the search function and deleted the files in your earlier email. Then went to the registry and searched for the files and did not find them.
    2) Deleted Spybot from my system and rebooted. Also re-ran Fixwareout.
    3) Do I need to remove Adware from the system?
    4) Either way, Pipas.A is still there, and here is the latest log from Spybot. How much of the log do you need to help troubleshoot? I keep hitting the window with too much data. If I don't respond tonight, it's because I went to sleep.

    Stress

    --- Search result list ---
    Pipas.A: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-02-28 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-02-24 Includes\Cookies.sbi (*)
    2006-02-24 Includes\Dialer.sbi (*)
    2006-02-24 Includes\Hijackers.sbi (*)
    2006-02-24 Includes\Keyloggers.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2006-02-24 Includes\Malware.sbi (*)
    2006-02-24 Includes\PUPS.sbi (*)
    2006-02-24 Includes\Revision.sbi (*)
    2006-02-24 Includes\Security.sbi (*)
    2006-02-24 Includes\Spybots.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-02-24 Includes\Trojans.sbi (*)



    --- System information ---
    Windows XP (Build: 2600) Service Pack 2


    --- Startup entries list ---
    Located: HK_LM:Run, ccApp
    command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    size: 59040
    MD5: 2a373cda6d5dced20ec56fe7d9e47e5c

    Located: HK_LM:Run, cmon14
    command: defect08.exe
    file:

    Located: HK_LM:Run, EPSON PictureMate 2005
    command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE /P22 "EPSON PictureMate 2005" /O6 "USB002" /M "PictureMate 2005"
    file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE
    size: 98304
    MD5: b471eb3b1891821e1088e9f4de4604c1

    Located: HK_LM:Run, EPSON Stylus Photo R320 Series
    command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
    file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
    size: 98304
    MD5: fd81ef75770d341ce00485c9cba09f6b

    Located: HK_LM:Run, ezShieldProtector for Px
    command: C:\WINDOWS\System32\ezSP_Px.exe
    file: C:\WINDOWS\System32\ezSP_Px.exe
    size: 40960
    MD5: 60ba97a94ae9bd2a8e241ec44b807a76

    Located: HK_LM:Run, IntelliPoint
    command: "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    file: C:\Program Files\Microsoft IntelliPoint\point32.exe
    size: 163840
    MD5: f572c7aa83f7adfff6a6e10fea6bcc2f

    Located: HK_LM:Run, iTunesHelper
    command: "C:\Program Files\iTunes\iTunesHelper.exe"
    file: C:\Program Files\iTunes\iTunesHelper.exe
    size: 278528
    MD5: 8f5581d1be59577cacd5b43cfc5e4447

    Located: HK_LM:Run, jbuae.exe
    command: C:\WINDOWS\system32\jbuae.exe
    file: C:\WINDOWS\system32\jbuae.exe
    size: 0
    MD5: d41d8cd98f00b204e9800998ecf8427e ???

    Located: HK_LM:Run, LTSMMSG
    command: LTSMMSG.exe
    file: C:\WINDOWS\LTSMMSG.exe
    size: 32768
    MD5: 2d88d91f138512ff7e4aab66486ee051

    Located: HK_LM:Run, NeroCheck
    command: C:\WINDOWS\System32\NeroCheck.exe
    file: C:\WINDOWS\System32\NeroCheck.exe
    size: 155648
    MD5: 3e4c03cefad8de135263236b61a49c90

    Located: HK_LM:Run, NvCplDaemon
    command: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    file: C:\WINDOWS\system32\RUNDLL32.EXE
    size: 33280
    MD5: da285490bbd8a1d0ce6623577d5ba1ff

    Located: HK_LM:Run, Omnipage
    command: C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    file: C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    size: 49152
    MD5: 1d0f6aeaceddda839eeb6af0e9db9f9b

    Located: HK_LM:Run, QuickFinder Scheduler
    command: "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    file: C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE
    size: 77887
    MD5: 5121b7bc599d22d26b939c95196f507c

    Located: HK_LM:Run, QuickTime Task
    command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
    file: C:\Program Files\QuickTime\qttask.exe
    size: 98304
    MD5: 76a3a30b58405c2c6d833895253a51a9

    Located: HK_LM:Run, SiS Tray
    command:
    file:

    Located: HK_LM:Run, SiSUSBRG
    command: C:\WINDOWS\SiSUSBrg.exe
    file: C:\WINDOWS\SiSUSBrg.exe
    size: 102400
    MD5: 52ceb84ac83d8c7b0ac0c40a3b734d64

    Located: HK_LM:Run, ssweeper
    command: media64.exe
    file:

    Located: HK_LM:Run, StorageGuard
    command: "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    file: C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    size: 155648
    MD5: 68c91658a3cb6773ec79c90cc0ee6bc1

    Located: HK_LM:Run, SunJavaUpdateSched
    command: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    file: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    size: 36975
    MD5: 61a3a9d5d98bf0331df5b716144a8100

    Located: HK_LM:Run, Symantec NetDriver Monitor
    command: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
    size: 100056
    MD5: f9418981ee4d7e995d359833adab59d5

    Located: HK_LM:Run, TkBellExe
    command: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    file:

    Located: HK_LM:Run, WD Button Manager
    command: WDBtnMgr.exe
    file: C:\WINDOWS\system32\WDBtnMgr.exe
    size: 331776
    MD5: f76b442e5d0ca43b273f45c6e7441701

    Located: HK_LM:Run, ZTgServerSwitch
    command: c:\program files\support.com\client\lserver\server.vbs
    file:

    Located: HK_CU:Run, barint
    command: TemplateDongle.exe
    file:

    Located: HK_CU:Run, br0ken
    command: forces_elite.exe
    file:

    Located: HK_CU:Run, MSMSGS
    command: "C:\Program Files\Messenger\msmsgs.exe" /background
    file: C:\Program Files\Messenger\msmsgs.exe
    size: 1694208
    MD5: 74e6e96c6f0e2eca4edbb7f7a468f259

    Located: HK_CU:Run, new32
    command: corrida.exe
    file:

    Located: HK_CU:Run, SpybotSD TeaTimer
    command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    size: 1415824
    MD5: 70496eee0ddbe485f658693826f44d38

    Located: Startup (common), Adobe Gamma Loader.lnk
    command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    size: 113664
    MD5: c2ff17734176cd15221c10044ef0ba1a

    Located: Startup (common), Microsoft Find Fast.lnk
    command: C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    file: C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    size: 111376
    MD5: b0fad77f580d9948ef8d2a6a252adfe0

    Located: Startup (common), NkbMonitor.exe.lnk
    command: C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    file: C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    size: 118784
    MD5: 8c920dfe944b0dce788db3cb0320b336

    Located: Startup (common), Office Startup.lnk
    command: C:\Program Files\Microsoft Office\Office\OSA.EXE
    file: C:\Program Files\Microsoft Office\Office\OSA.EXE
    size: 51984
    MD5: d06276d4cad46cdceabefdeb1a0d3c0d

    Located: Startup (common), VAIO Action Setup (Server).lnk
    command: C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    file: C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    size: 40960
    MD5: aa01ad8d6c16bcbf0d89b93ecd72f68d

    Located: WinLogon, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: WinLogon, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: WinLogon, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: WinLogon, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: WinLogon, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: WinLogon, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: WinLogon, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: WinLogon, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: WinLogon, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll




    ---
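A defender-side triage of the Spybot "Startup entries list" format shown above, as an added example that is not part of the original post or of Spybot itself: it parses the Located/command/file/size/MD5 records and flags the entries a helper would check first, such as a Run value whose command never resolved to a file (cmon14, br0ken), a value with an empty command (SiS Tray), and a zero-byte file whose MD5 is the digest of empty input (jbuae.exe). The sample input is constructed from the records in the log above; the rule names and thresholds are this example's own assumptions, not Spybot's.

```python
"""Triage helper for Spybot S&D "Startup entries list" records.

Added example, not code from the original thread or from Spybot.  It parses
the 'Located: <location>, <name>' records and their 'command:/file:/size:/MD5:'
lines, then applies three simple, deterministic checks that mirror what a
helper looks at first in a log like the one above.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# MD5 of zero bytes: the digest Spybot printed for jbuae.exe, whose "size: 0"
# line says the Run value points at an empty file.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# Constructed sample in the Spybot format, taken from the records shown above
# (one clean entry, three suspect Run values, one WinLogon notification entry).
SAMPLE_LOG = r"""Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 59040
MD5: 2a373cda6d5dced20ec56fe7d9e47e5c

Located: HK_LM:Run, cmon14
command: defect08.exe
file:

Located: HK_LM:Run, jbuae.exe
command: C:\WINDOWS\system32\jbuae.exe
file: C:\WINDOWS\system32\jbuae.exe
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: HK_LM:Run, SiS Tray
command:
file:

Located: HK_CU:Run, br0ken
command: forces_elite.exe
file:

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
"""


@dataclass
class StartupEntry:
    location: str                       # e.g. HK_LM:Run, HK_CU:Run, WinLogon
    name: str                           # the registry value / shortcut name
    command: str = ""
    file: str = ""
    size: Optional[int] = None
    md5: str = ""
    findings: List[str] = field(default_factory=list)


def parse_startup_entries(text: str) -> List[StartupEntry]:
    """Parse 'Located:' records and the key: value lines that follow each one."""
    entries: List[StartupEntry] = []
    current: Optional[StartupEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Located: "):
            location, _, name = line[len("Located: "):].partition(", ")
            current = StartupEntry(location=location, name=name)
            entries.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("command:"):
            current.command = line[len("command:"):].strip()
        elif line.startswith("file:"):
            current.file = line[len("file:"):].strip()
        elif line.startswith("size:"):
            value = line[len("size:"):].strip()
            current.size = int(value) if value.isdigit() else None
        elif line.startswith("MD5:"):
            # Spybot may append a marker such as "???" after the digest.
            parts = line[len("MD5:"):].split()
            current.md5 = parts[0].lower() if parts else ""
    return entries


def triage(entries: List[StartupEntry]) -> List[StartupEntry]:
    """Attach findings to each entry and return only the entries that have any."""
    flagged: List[StartupEntry] = []
    for e in entries:
        if not e.command:
            e.findings.append("empty command value")
        elif not e.file:
            # Spybot could not map the command to a file on disk.
            e.findings.append("command did not resolve to a file on disk")
            if "\\" not in e.command:
                e.findings.append("bare executable name, no path")
        if e.size == 0 or e.md5 == EMPTY_MD5:
            e.findings.append("zero-byte file (MD5 of empty input)")
        if e.findings:
            flagged.append(e)
    return flagged


def triage_text(text: str) -> Dict[str, List[str]]:
    """Value name -> findings, for the flagged entries only."""
    return {e.name: e.findings for e in triage(parse_startup_entries(text))}


if __name__ == "__main__":
    for name, findings in triage_text(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(findings)}")
```

Entries such as TkBellExe (full path, no resolved file) would also be flagged by the unresolved-file rule, so the output is a list to verify by hand, not a verdict.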

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Post logs from these tools.
    Post a HijackThis 1.99.1 log.
    First make a new folder, for example C:\AntiSpyWare,
    and download/save HijackThis to that new folder.
    This is necessary to ensure you have backups should anything go wrong.
    http://www.merijn.org/files/HijackThis.exe
    Double-click HijackThis.exe and hit "None of the above, just start the program".
    Hit Scan. When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please show us its contents.
    Most of what it lists will be harmless or even required, so do NOT fix anything yet.

    Post a report from this tool if any files show.
    F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
    Click the "I accept" button near the bottom of that page.
    Download and run BlackLight: click > Scan, then > Next, Next again, then Exit.
    There will be a new .txt near BlackLight. Post it please.
    Important: If any files show, do not rename them..... legitimate files can be listed.

  6. #6
    Junior Member
    Join Date
    Feb 2006
    Posts
    9


    Lonny,

    Thanks and will try later, tonight.

    Stress

  7. #7
    Junior Member
    Join Date
    Feb 2006
    Posts
    9

    HijackThis you requested

    Lonny,

    Here is the file from HijackThis you requested.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:09:42 PM, on 3/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\DOCUMENTS AND SETTINGS\B. SCOTT SPITZER\DESKTOP\HijackThis.exe

    R3 - URLSearchHook: (no name) - {87CC5114-9364-96C2-F467-D773BE141265} - syspanel.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [EPSON PictureMate 2005] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE /P22 "EPSON PictureMate 2005" /O6 "USB002" /M "PictureMate 2005"
    O4 - HKLM\..\Run: [ssweeper] media64.exe
    O4 - HKLM\..\Run: [cmon14] defect08.exe
    O4 - HKLM\..\Run: [jbfsv.exe] C:\WINDOWS\system32\jbfsv.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [barint] TemplateDongle.exe
    O4 - HKCU\..\Run: [new32] corrida.exe
    O4 - HKCU\..\Run: [br0ken] forces_elite.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.esi.na.baesystems.com/iNotes6.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/nets...l/gtdownls.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09A6116E-5382-4919-942D-8B7393CE205C}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A031A02-1CF7-4DFA-9E14-AE7543C980FD}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4A0C0581-3366-4F4A-858C-E6A0228932F9}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{52DEE13A-934D-48D8-9D30-590F2FE09CC6}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9EF12A7-9B99-46AA-B358-81CB0E1BC87C}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09A6116E-5382-4919-942D-8B7393CE205C}: NameServer = 85.255.116.134,85.255.112.5
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    No files shown in the BlackLight scan ?

    Does this file exist ?
    C:\WINDOWS\system32\jbfsv.exe If so zip up a copy and Send it to submitlonny AT subratam.org
    Replace AT and spaces with @ and include a link back to this thread.


    Start Hijackthis and place a check next to these items If there.
    Close all browser windows and shut down all other programs that show in the taskbar.(even Folders)
    R3 - URLSearchHook: (no name) - {87CC5114-9364-96C2-F467-D773BE141265} - syspanel.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [ssweeper] media64.exe
    O4 - HKLM\..\Run: [cmon14] defect08.exe
    O4 - HKLM\..\Run: [jbfsv.exe] C:\WINDOWS\system32\jbfsv.exe
    O4 - HKCU\..\Run: [barint] TemplateDongle.exe
    O4 - HKCU\..\Run: [new32] corrida.exe
    O4 - HKCU\..\Run: [br0ken] forces_elite.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09A6116E-5382-4919-942D-8B7393CE205C}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A031A02-1CF7-4DFA-9E14-AE7543C980FD}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4A0C0581-3366-4F4A-858C-E6A0228932F9}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{52DEE13A-934D-48D8-9D30-590F2FE09CC6}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9EF12A7-9B99-46AA-B358-81CB0E1BC87C}: NameServer = 85.255.116.134,85.255.112.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09A6116E-5382-4919-942D-8B7393CE205C}: NameServer = 85.255.116.134,85.255.112.5
    ====================================
    Hit fix checked and close Hijackthis.
    Restart the PC
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Note:
    If You have connection problems or those O17's ~ 85.255.116.134,85.255.112.5, return >
    Before doing this write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
    In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.

    Post a fresh hijackthis log please,
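    A small defender-side checker, added here as an illustration and not part of the thread or of HijackThis itself: it parses the O4 and O17 lines of a HijackThis log, flags Run entries that carry no path and NameServer entries outside a trusted set (the 85.255.x.x pair above), and diffs a before/after log so a helper can confirm the checked items really went away after the reboot. The excerpted logs are constructed from this thread and the trusted DNS address 192.0.2.53 is a placeholder assumption.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts of the two HijackThis logs quoted in this thread:
# the log reviewed above (BEFORE) and the one posted after the checked
# items were fixed (AFTER). Only the entries needed for the comparison
# are reproduced; the real logs are much longer.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ssweeper] media64.exe
O4 - HKLM\..\Run: [cmon14] defect08.exe
O4 - HKLM\..\Run: [jbfsv.exe] C:\WINDOWS\system32\jbfsv.exe
O4 - HKCU\..\Run: [barint] TemplateDongle.exe
O4 - HKCU\..\Run: [new32] corrida.exe
O4 - HKCU\..\Run: [br0ken] forces_elite.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{09A6116E-5382-4919-942D-8B7393CE205C}: NameServer = 85.255.116.134,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{09A6116E-5382-4919-942D-8B7393CE205C}: NameServer = 85.255.116.134,85.255.112.5
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Placeholder: the resolver the ISP/router actually hands out (assumption).
TRUSTED_DNS = {"192.0.2.53"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")


def hjt_entries(log: str) -> List[str]:
    """Return the non-empty, stripped lines of a HijackThis log."""
    return [ln.strip() for ln in log.splitlines() if ln.strip()]


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Lines removed by the fix, and lines that newly appeared (reinfection)."""
    b, a = set(hjt_entries(before)), set(hjt_entries(after))
    return b - a, a - b


def flag_suspicious(log: str, trusted_dns: Set[str]) -> Dict[str, str]:
    """Map each suspicious O4/O17 entry to the reason it was flagged."""
    flags: Dict[str, str] = {}
    for line in hjt_entries(log):
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").strip('"')
            # A Run value that is only a bare file name is resolved via the
            # PATH search; legitimate vendors do this too (WDBtnMgr.exe in
            # this thread), so treat it as a lead for review, not a verdict.
            if "\\" not in cmd and not cmd.lower().startswith("rundll32"):
                flags[line] = "autorun with no path: " + cmd
            continue
        m = O17_RE.match(line)
        if m:
            servers = {s.strip() for s in m.group("servers").split(",")}
            rogue = sorted(s for s in servers if s not in trusted_dns)
            if rogue:
                flags[line] = "NameServer not in trusted set: " + ", ".join(rogue)
    return flags


if __name__ == "__main__":
    for entry, why in flag_suspicious(BEFORE_LOG, TRUSTED_DNS).items():
        print("FLAG", why, "::", entry)
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(len(removed), "entries gone after fix;", len(added), "new entries")
```

    The O4 entry for jbfsv.exe carries a full path, so the heuristic does not flag it; the diff still shows it gone, which is why a fresh log after the reboot is the real check.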

  9. #9
    Junior Member
    Join Date
    Feb 2006
    Posts
    9

    Default

    Lonny,

    Sorry, forgot. BlackLight came back with no files found and this report:

    03/01/06 21:58:14 [Info]: BlackLight Engine 1.0.33 initialized
    03/01/06 21:58:14 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    03/01/06 21:58:14 [Note]: 7019 4
    03/01/06 21:58:14 [Note]: 7005 0
    03/01/06 21:58:18 [Note]: 7006 0
    03/01/06 21:58:18 [Note]: 7011 1192
    03/01/06 21:58:19 [Note]: FSRAW library version 1.7.1015
    03/01/06 22:02:21 [Note]: 7007 0

    I will capture the C:\WINDOWS\system32\jbfsv.exe and send, but I think I need to log in as the admin. Also, run the Hijackthis again.

    Stress

  10. #10
    Junior Member
    Join Date
    Feb 2006
    Posts
    9

    Default follow up

    Lonny,

    Made changes suggested and ran Hijack again. File below.

    Regarding the C:\WINDOWS\system32\jbfsv.exe, I was able to find the file; it only had 1KB of data, and when I tried to copy it to send, it seemed to disappear altogether. Told you I didn't know what I was doing, but that was strange.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:07:06 PM, on 3/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Documents and Settings\B. Scott Spitzer\Desktop\AntiSpyWare\HijackThis.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [EPSON PictureMate 2005] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9ZA.EXE /P22 "EPSON PictureMate 2005" /O6 "USB002" /M "PictureMate 2005"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.esi.na.baesystems.com/iNotes6.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/nets...l/gtdownls.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
