# What is the Very BEST current ROOT KIT remover?



## joshzz (Sep 16, 2005)

Hi,

I'm having problems with a root kit that seems to be detected by Spysweeper and Superantispyware but not by Norton. When I reboot oftentimes I'll get a display error... a blue box travels around the black background screen that says something to this effect "change PC display settings" and then sometimes my system will reboot and the characters will be set at a very low setting.. I don't want to touch the display setting on the control panel as I am concerned it may allow the root kit to go further.

your advice on a root kit removal program is highly appreciated. joe


----------



## Cookiegal (Aug 27, 2003)

*Click here* and then scroll down to and click on *hijackthis self installer* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Addition Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## joshzz (Sep 16, 2005)

hi >>

here is the hijack file i saved>>>

Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lift985.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Burke\Application Data\Mozilla\Profiles\default\18yuphz8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Burke\Application Data\Mozilla\Profiles\default\18yuphz8.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Visioneer OneTouch\OneTouchMon.exe"
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UVS10 Preload] "C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edg...ex-2.0.6.0.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098742614340
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://edirol.webex.com/client/v_my...rt/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup161.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/...x/HMAtchmt.ocx
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


----------



## joshzz (Sep 16, 2005)

NEWEST hijack this file ( i SWITCHED MY VIRUS PROTECTION ETC)>>

Logfile of HijackThis v1.99.1
Scan saved at 0:36:42 AM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yah

oo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yah

oo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.lift985.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.startup.homepage",

"http://www.yahoo.com"); (C:\Documents and Settings\Burke\Application

Data\Mozilla\Profiles\default\18yuphz8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%

5CSBWeb_01.src"); (C:\Documents and Settings\Burke\Application

Data\Mozilla\Profiles\default\18yuphz8.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no

file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD

Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Visioneer

OneTouch\OneTouchMon.exe"
O4 - HKLM\..\Run: [EPSON Stylus C84 Series]

"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE" /P23 "EPSON

Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common

Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UVS10 Preload] "C:\Program Files\Ulead Systems\Ulead

VideoStudio 10\uvPL.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common

Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m

"C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure

Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet

Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG

Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [SpyKiller] C:\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat

7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program

Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program

Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program

Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00}

- C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} -

C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... -

{200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure

Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure internet

security\fsps\program\fslsp.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online

Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan

Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager

Control) -

http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activ

ex/dlm-activex-2.0.6.0.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID

Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsc

tl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

-

http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/clie

nt/wuweb_site.cab?1098742614340
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/

housecall/xscan53.cab
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17}

(IOBIVMUtil.VMDecoder) -

https://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller

Class) -

http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses

Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr

.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class)

- http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime

Environment 1.4.1_02) - 
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class)

- http://www.live365.com/players/play365.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)

- https://edirol.webex.com/client/v_mywebex/support/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -

http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments

Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4

Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner -

C:\WINDOWS\CDProxyServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) -

Unknown owner - C:\Program Files\Common Files\Symantec

Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure

Corporation - C:\Program Files\F-Secure Internet

Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure

Corporation - C:\Program Files\F-Secure Internet

Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure

Corporation - C:\Program Files\F-Secure Internet

Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation

- C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service

(LightScribeService) - Hewlett-Packard Company - C:\Program

Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) -

Unknown owner - C:\Program Files\Common Files\Symantec

Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program

Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m

"C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file

missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead

Systems, Inc. - C:\Program Files\Common Files\Ulead

Systems\DVD\ULCDRSvr.exe


----------



## Cookiegal (Aug 27, 2003)

You have the Sony rootkit.

Download and run this removal tool:

http://securityresponse.symantec.com/avcenter/FixRyknos.exe

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4
Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe*

Reboot and post a new HijackThis log but this time be sure that "word wrap" is turned off in Notepad under Format.


----------

