[krmooo]

ok thats normal, tell me just where in your registry are these unknown user located please

[Advertisements]

They are located in:
HKEY_USERS
.Default
S-1-5-18
S-1-5-19
S-1-5-19_CLASSES
S-1-5-20
S-1-5-20_CLASSES
S-1-5-21

[cbt1124]

They are located in:
HKEY_USERS
.Default
S-1-5-18
S-1-5-19
S-1-5-19_CLASSES
S-1-5-20
S-1-5-20_CLASSES
S-1-5-21

[cbt1124]

Here is more info for you to look at.

"Owner" - 2007-06-03 19:56:42 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 ))))))))))))))))))))))))))))))))))


2007-06-03 15:17 <DIR> d-------- C:\Program Files\Microsoft Easy Assist
2007-06-03 01:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-02 23:59 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-06-02 23:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-02 23:41 <DIR> d-------- C:\Program Files\SpywareGuard
2007-06-02 10:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-01 00:12 <DIR> d-------- C:\Program Files\Security Task Manager
2007-06-01 00:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-05-31 22:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Kodak
2007-05-31 20:24 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2007-05-31 00:06 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-05-31 00:02 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2007-05-31 00:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SuperAdBlocker.com
2007-05-31 00:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-30 23:36 <DIR> d-------- C:\Deckard
2007-05-30 20:36 <DIR> d-------- C:\Program Files\Lavalys
2007-05-30 20:07 <DIR> d-------- C:\WINSSLog
2007-05-27 22:15 548 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-27 22:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-27 22:13 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-27 22:13 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-27 20:25 <DIR> d-------- C:\Emergency room only
2007-05-24 22:11 <DIR> d-------- C:\SQLCheckPkg
2007-05-20 00:33 <DIR> d-------- C:\Program Files\Anonymizer
2007-05-16 22:31 30,601 --a------ C:\Documents and Settings\Owner\x.exe
2007-05-16 22:31 30,601 --a------ C:\DOCUME~1\Owner\x.exe
2007-05-14 23:45 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-14 23:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-05-13 22:37 <DIR> d-------- C:\TEMP
2007-05-13 00:11 <DIR> d-------- C:\Program Files\ACW
2007-05-13 00:09 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-05-13 00:09 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-05-12 23:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-05-12 21:23 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-05-08 21:10 4,608 --a------ C:\WINDOWS\system32\W95INF32.DLL
2007-05-08 21:10 2,272 --a------ C:\WINDOWS\system32\W95INF16.DLL
2007-05-07 22:35 113,128 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-05-07 22:35 <DIR> d-------- C:\Program Files\KeyScrambler
2007-05-03 23:51 <DIR> d-------- C:\Program Files\AnalogX


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 22:36:16 -------- d-----w C:\Program Files\Yahoo!
2007-06-03 22:35:56 -------- d--h--r C:\DOCUME~1\Owner\APPLIC~1\yahoo!
2007-06-01 04:04:52 -------- d-----w C:\Program Files\Messenger
2007-06-01 02:09:50 -------- d-----w C:\Program Files\Kodak
2007-05-31 23:15:09 -------- d-----w C:\Program Files\Google
2007-05-31 03:27:48 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-31 03:27:36 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Google
2007-05-31 03:27:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-17 02:31:01 -------- d-----w C:\Program Files\MySpeed PC
2007-05-13 01:39:25 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-01 00:52:49 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Help
2007-04-30 02:16:48 -------- d---a-w C:\Program Files\Chilkat Software Inc
2007-04-27 02:37:02 -------- d-----w C:\Program Files\HP
2007-04-22 22:31:20 -------- d-----w C:\Program Files\VisualRoute
2007-04-20 03:14:30 -------- d-----w C:\Program Files\Picasa
2007-04-18 03:16:03 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\PC Tools
2007-04-16 03:34:36 -------- d-----w C:\Program Files\Comodo
2007-04-14 12:56:23 -------- d-----w C:\Program Files\Common Files\BeaconSoftware
2007-04-13 23:55:45 -------- d-----w C:\Program Files\SupportSoft
2007-04-12 22:52:07 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-04-10 22:48:09 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-04-10 21:51:17 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 01:32:06 1,177 ----a-w C:\WINDOWS\mozver.dat
2007-03-05 01:44:34 0 ----a-w C:\WINDOWS\nsreg.dat
2007-03-04 17:42:32 0 --sha-r C:\MSDOS.SYS
2007-03-04 17:42:32 0 --sha-r C:\IO.SYS
2007-03-04 17:42:32 0 ----a-w C:\CONFIG.SYS
2007-03-04 17:42:32 0 ----a-w C:\AUTOEXEC.BAT
2007-03-04 17:39:55 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{00000000-6C30-11D8-9363-000AE6309654}=C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll [2007-02-20 15:02]
{2B9F5787-88A5-4945-90E7-C4B18563BC5E}=C:\Program Files\KeyScrambler\KeyScramblerIE.dll [2007-04-03 10:44]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"="C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 11:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
"C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SuperAdBlocker]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"WinDefend"=2 (0x2)
"SABSVC"=2 (0x2)
"gusvc"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Launch.exe


Contents of the 'Scheduled Tasks' folder
2007-05-25 23:17:07 C:\WINDOWS\tasks\MP Scheduled Quick Scan.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-03 19:57:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-03 19:58:06
C:\ComboFix2.txt ... 2007-06-02 10:35

--- E O F ---

[krmooo]

well then... i have the same users as you the exact same thing is in my registry. i dont think theres any need to worry about this

[cbt1124]

I have looked at other win xp sp2 machines and their registry do not show the added users

Edited by cbt1124, 03 June 2007 - 07:25 PM.

[krmooo]

i dont know what to tell you cbt. i guess you and i are just infiltrated. oh and the other 3 computers i just looked at none of which are mine, but i repaired, they have those very same settings as we do. perhaps someone with more understanding is needed now.

[cbt1124]

I for the life of me do not know what to say. I do know that there is something inside this pc that is preventing me from downloading certain programs and also altering programs that I do download. I spent 1 hour on the phone today with a tech from Microsoft Live OneCare and he also agrees with me that there is something wrong with my system.

Here is the last emails from the tech:
Hi Stephen,



This is Chris, with Windows Live OneCare.



I am following up regarding your case 1035669152.



Let me know if your issue is resolved. If your issue is not resolved and you need further technical assistance, please reply to this email. When replying, include your preferred callback time, day(s) and time zone. My goal is to ensure that your experience with Windows Live OneCare leaves you very satisfied with our products and services.



If you have any feedback regarding Microsoft support, we would be glad to hear from you. If you would feel more comfortable speaking with someone else regarding my service, Sujit Pillai, my manager, would be very happy to hear your comments and suggestions. You may reach my manager by sending an email to removed email address



Thank you for contacting Windows Live OneCare support.



Sincerely,



Chris Mathews

removed email address

9am to 6pm PST



*When replying, please include your case number, name, email address and phone number. Thank you.*




Hey Steve, am sorry I wont be able to call you now since am already on a
call now. However you can try Uninstalling Onecare and reinstalling windows
onecare....

-----Original Message-----
From: Steve Dunn [mailto:removed email address]
Sent: Monday, June 04, 2007 1:58 AM
To: Chris Mathews
Subject: Re: Onecare - 1035669152

It is still messed up. I can be reached at
845-926-2304 anytime

Edited by Ryan, 07 June 2007 - 10:27 PM.
Removed email addresses

[krmooo]

cbt if you feel youve been hacked and your machine taken over or have some type of virus or malware thing going on please by all means go to our malware forum an get help. all im saying is this. the registry settings you described to me and i looked at are not by any means proof that youve been hacked. not when i have the same settings the very same registry keys the very same policies. not only in my machine but 3 others that i looked at. if you feel ive done something wrong report me. ive spent hours trying to wade thru these logs you posted (and never said a word about posting hijack logs in this forum by the way) and for the life of me cant find anything wrong im going to have a moderator look at this topic because i feel it should be closed out. thanks and good luck

[cbt1124]

Thank you for your time and effort, I am very frustrated right now,malware forum sent me here to try to get my system corrected. I am not reporting anyone, I am here looking for help, why would I shoot myself in the foot?
Once again, Thank You

[krmooo]

cbt i promise you i will do everything, look at every tech book ,any web site on issues i can find ,to help you or anyone else here. please dont think i dont care because i do but honestly i dont see one thing wrong with the registry theres hasnt been one mention of any errors or crashes or anything of that nature ok? thanks so much for letting us try and help

[wannabe1]

Your registry settings under HKEY_USERS is normal. I've attached a screenshot of my XP machine with a recent fresh install of XPSP2...as you can see, they are the same as yours...

The router issues might be better discussed with the folks in the Networking forum...they're better versed with routers and switches and stuff.

[cbt1124]

Thanx a bunch guy's I am back at malware forum to try to get this issue resolved. I still have 2 more pc's that are basically in the same boat. (please dont pull the plug) LOL

[DiggerP]

Hi cbt 1124,
I'm coming at the tail end of this,but allow my to put my 2 cents worth in it

IMHO,there is nothing wrong with your computer.

Where the problem lies ,is having too many programs start up
as well as too many protection scanning programs running at the same time.
You have
1)Windows Live One Care.
2)Windows Defender
3)Spybot S&D
4)Spybot S&D Teatimer
5)Spyware Blaster
6)Spyware Guard
7)Spyware Doctor
8)Super Adblocker
They are all on your startup.
Some like TeaTimer tend to hog CPU and Memory and all the others do too.

In my view this is a severe overuse of protection
It's not even duplication anymore.
Many of the programs do the same or similar things.

I thing I've learnt over time,is that you don't run more than ONE of each:
1 Antivirus
1 Firewall
1 Anti malware.
1 Ad blocker if you must
That's it.
If you want to use the other programs,fine, but don't run them from startup.
Just use them to run a scan (one at a time ) and close them.

In addition programs like Media Detect and Picasa Media detect don't need to be on
your startup either.
Nor does the Java jusched.exe have to be there either.
Actually just don't let it startup or run at all.

Your best bet is to get a startup manager
A simple one but effective is Startup CPL from Mike Lin
Startup Control Panel

There are many more (free ones)

I hope I don't tread on anyone's toes,but this is my assessment of it.

Pete.

[cbt1124]

here is a more recent h/t log, I have stopped quite a few startup entries

Log Removed.
If you think you are infected, please post in the Malware Forum. When you do so, please provide a link to this thread, and mention that you have disabled some of the startup entries.

[krmooo]

please do not post your hi-jack logs in this forum thanks