Help!

Need help with trojan horse


Maggot09



Joined: Apr 25, 2008
Posts: 9



PostPosted: Fri Apr 25, 2008 1:32 pm    Post subject: Need help with trojan horse

Symantec finds this under the file C:\WINDOWS\system32\cabine.dll
I've tried to remove it with many programs; however, all of them have failed. I have Windows XP Professional and I'm not good with computers, please help.
greyknight17



Joined: Feb 03, 2003
Posts: 4864

Location: Brooklyn, NY

PostPosted: Fri Apr 25, 2008 10:18 pm    Post subject:

Welcome to Lockergnome.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Download HijackThis at http://www.greyknight17.com/spy/HijackThis.exe Create a folder at C:\HJT and move HijackThis.exe there. Double-click on the program to run it.

1. If it gives you an intro screen, just choose Do a system scan and save a logfile.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.
Maggot09



Joined: Apr 25, 2008
Posts: 9



PostPosted: Sat Apr 26, 2008 10:44 am    Post subject: Re: Need help with trojan horse

I can't shut off my Symantec Antivirus Auto-Protect.
Maggot09



Joined: Apr 25, 2008
Posts: 9



PostPosted: Sat Apr 26, 2008 11:13 am    Post subject: Re: Need help with trojan horse

Here is the ComboFix log

ComboFix 08-04-24.1 - John Bertucci 2008-04-26 10:48:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1119 [GMT -4:00]
Running from: C:\Documents and Settings\John Bertucci\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Bertucci\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\John Bertucci\g2mdlhlpx.exe
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 10:14 . 2008-04-26 10:14 9,465,042 --a------ C:\WINDOWS\system32\SBSP.dat
2008-04-26 02:00 . 2008-04-26 10:14 104 --a------ C:\WINDOWS\system32\SBRC.dat
2008-04-26 02:00 . 2008-04-26 10:14 53 --a------ C:\WINDOWS\system32\SBFC.dat
2008-04-25 09:10 . 2008-04-25 09:10 <DIR> d-------- C:\Documents and Settings\John Bertucci\Application Data\Sunbelt Software
2008-04-25 09:10 . 2008-04-25 09:10 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-04-25 09:09 . 2008-04-25 09:09 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-25 09:09 . 2008-04-25 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-18 09:23 . 2008-04-18 09:23 <DIR> d-------- C:\Program Files\Citrix
2008-03-31 18:21 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-31 18:21 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-31 07:48 . 2008-03-31 07:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-31 07:48 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-03-31 07:48 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-03-31 07:48 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-03-31 07:48 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-03-31 07:48 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-03-31 07:42 . 2008-03-31 07:42 164 --a------ C:\install.dat
2008-03-28 15:15 . 2008-03-28 15:15 <DIR> d-------- C:\Program Files\Webroot
2008-03-28 15:15 . 2008-03-28 15:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-28 15:15 . 2008-03-28 15:15 <DIR> d-------- C:\Documents and Settings\John Bertucci\Application Data\Webroot
2008-03-28 15:15 . 2004-02-11 18:27 102,912 --a------ C:\WINDOWS\system32\islzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 14:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 17:36 --------- d-----w C:\Program Files\Lavasoft
2008-03-27 17:36 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Lavasoft
2008-03-25 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-14 17:29 --------- d-----w C:\Program Files\Google
2008-03-14 17:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 17:27 --------- d-----w C:\Program Files\GNU
2008-03-14 17:25 --------- d-----w C:\Program Files\WebEx
2008-03-14 17:23 --------- d-----w C:\Program Files\Common Files\Wextech Shared
2008-03-09 18:55 --------- d-----w C:\Documents and Settings\John Bertucci\Application Data\LimeWire
2008-03-06 21:02 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-06 13:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-05 14:18 110,080 ----a-w C:\WINDOWS\system32\cabine.dll
2006-10-12 19:21 10,964,992 ----a-w C:\Program Files\MAPcadduct16-2004.arx
2006-10-12 19:09 10,969,088 ----a-w C:\Program Files\MAPcadduct16.arx
2006-10-12 18:58 8,654,848 ----a-w C:\Program Files\MAPcadduct.arx
2006-10-12 18:54 4,440,064 ----a-w C:\Program Files\UMapBack.exe
2006-10-12 18:54 4,407,296 ----a-w C:\Program Files\mapback.exe
2006-10-12 18:54 1,114,112 ----a-w C:\Program Files\ViewHasp.exe
2006-10-12 18:54 1,024,000 ----a-w C:\Program Files\hupdate.exe
2006-10-12 18:53 823,296 ----a-w C:\Program Files\editmap.exe
2006-10-12 18:53 573,440 ----a-w C:\Program Files\umapuser.exe
2006-10-12 18:53 561,152 ----a-w C:\Program Files\mapuser.exe
2006-10-12 18:28 11,247,616 ----a-w C:\Program Files\MAPcadduct17.arx
2006-10-11 20:54 822 ------w C:\Program Files\HideVP.BMP
2006-10-11 20:51 822 ------w C:\Program Files\maskVP.BMP
2006-10-11 20:48 822 ------w C:\Program Files\ShowVP.BMP
2006-10-11 20:45 822 ------w C:\Program Files\Hide.BMP
2006-09-04 20:06 622,385 ----a-w C:\Program Files\Diction.ary
2006-08-10 17:42 5,465 ------w C:\Program Files\Readme.txt
2006-07-11 12:53 28,672 ----a-w C:\Documents and Settings\Kevin\atwbxdet.dll
2006-06-13 19:43 43,008 --sh--w C:\Program Files\Thumbs.db
2006-05-31 16:19 822 ------w C:\Program Files\SecnSize.BMP
2006-05-31 16:16 822 ------w C:\Program Files\eddesobj.BMP
2006-05-31 16:13 822 ------w C:\Program Files\desobj.BMP
2006-05-31 16:06 822 ------w C:\Program Files\DuctCalc.BMP
2006-05-11 15:55 3,117,212 ------w C:\Program Files\TS-Mechanical-Metric.iez
2006-01-17 15:49 507,989 ------w C:\Program Files\TS-Public-Health-Metric.iez
2006-01-12 21:21 355,284 ------w C:\Program Files\TS-Electrical-Metric.iez
2006-01-12 21:20 592,487 ------w C:\Program Files\TS-HVAC-Metric.iez
2005-09-28 18:24 2,177,351 ----a-w C:\Program Files\haspdinst.exe
2005-08-03 19:28 1,460,490 ------w C:\Program Files\Services.iez
2004-12-23 20:02 6,144 ----a-w C:\Program Files\MapHelper16.arx
2004-12-02 22:49 3,174,400 ----a-w C:\Program Files\hinstall.exe
2004-08-16 17:43 1,853,471 ----a-w C:\Program Files\haspds_windows.dll
2004-04-19 20:06 151,552 ----a-w C:\Program Files\MapLoader16.arx
2004-01-14 21:47 184,320 ----a-w C:\Program Files\MapLoader.arx
2003-10-22 14:06 774 ------w C:\Program Files\PlanView.BMP
2003-10-22 02:48 774 ------w C:\Program Files\LastView.BMP
2003-05-14 15:12 774 ------w C:\Program Files\purge.BMP
2003-05-14 14:51 774 ------w C:\Program Files\Length.BMP
2003-05-14 14:44 774 ------w C:\Program Files\sets.BMP
2003-05-14 14:32 774 ------w C:\Program Files\Alias.BMP
2003-05-14 14:16 774 ------w C:\Program Files\Show.BMP
2003-05-14 14:16 774 ------w C:\Program Files\mask.BMP
2003-05-14 14:08 774 ------w C:\Program Files\fulldb.BMP
2003-05-14 14:00 774 ------w C:\Program Files\Inspect.bmp
2003-01-27 15:52 774 ------w C:\Program Files\matchprp.BMP
2002-12-04 22:29 774 ------w C:\Program Files\Service.bmp
2002-12-04 22:22 774 ------w C:\Program Files\RotateT.BMP
2002-12-04 22:11 774 ------w C:\Program Files\search.BMP
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\audio3d.dll
2001-11-06 15:32 774 ------w C:\Program Files\Fill2Ends.BMP
2001-08-09 13:13 65,024 ----a-w C:\Program Files\bszip.dll
2001-08-06 19:00 774 ------w C:\Program Files\Size.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Number.bmp
2001-08-06 19:00 774 ------w C:\Program Files\MoveT.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Flex.bmp
2001-08-06 19:00 774 ------w C:\Program Files\FILL.BMP
2001-08-06 19:00 774 ------w C:\Program Files\Elev.bmp
2001-08-06 19:00 774 ------w C:\Program Files\EDIT.BMP
2001-08-06 17:56 774 ------w C:\Program Files\Sectional.BMP
2001-07-20 14:31 774 ------w C:\Program Files\Takeoff.BMP
2001-07-20 14:12 774 ------w C:\Program Files\mprop.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHOFF.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHER.BMP
2001-06-15 15:16 774 ------w C:\Program Files\Dbase.BMP
1999-12-29 21:43 774 ------w C:\Program Files\Specs.BMP
1999-08-04 13:44 193,402 ------w C:\Program Files\logo.bmp
2007-08-10 19:26 56 --sh--r C:\WINDOWS\system32\163AC82584.sys
2007-08-10 19:26 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
2008-03-05 10:18 110080 --a------ C:\WINDOWS\system32\cabine.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSI Configuration"="msiconf.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-01-24 16:58 104128]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]
"SBRegRebootCleaner"="C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe" [2007-12-21 15:30 141808]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 05:35:22 10872]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-02-05 13:42:46 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk
backup=C:\WINDOWS\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2007-01-24 16:58 104128 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\PVSW\\Bin\\w3dbsmgr.exe"=

R0 bolliepy;bolliepy;C:\WINDOWS\system32\drivers\ywhpmryt.dat []
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-25 09:10]
R1 NEOFLTR_530_11613;Juniper Networks TDI Filter Driver (NEOFLTR_530_11613);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11613.SYS [2007-03-02 21:54]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 18:36]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-09-06 12:39]
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2007-04-27 01:00]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 CBUSB;MARX CryptoTech LP;C:\WINDOWS\system32\drivers\CBUSB.sys [2007-03-08 15:28]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 09:28]

*Newly Created Service* - CATCHME
*Newly Created Service* - SBAPIFS
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 10:50:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bolliepy]
"ImagePath"="system32\drivers\ywhpmryt.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-26 10:52:31
ComboFix-quarantined-files.txt 2008-04-26 14:52:25

Pre-Run: 87,188,623,360 bytes free
Post-Run: 89,470,668,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

210 --- E O F --- 2008-04-11 20:11:19


and the HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:54 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {886483EE-B131-49A1-9065-5DA757F1C32F} - C:\WINDOWS\system32\cabine.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Enterprise
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SBCSTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://egate.merck.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 6152 bytes


Thanks for the help.
greyknight17



Joined: Feb 03, 2003
Posts: 4864

Location: Brooklyn, NY

PostPosted: Sun Apr 27, 2008 12:26 pm    Post subject: Re: Need help with trojan horse

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:
Quote:
Driver::
bolliepy
File::
C:\WINDOWS\system32\cabine.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSI Configuration"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

How is the computer running so far?
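The checks the reply above applies by eye, written out as an added example (not a tool from this thread, nor part of ComboFix or HijackThis): it parses the ComboFix service and Run lines and the HijackThis O2 lines excerpted from the logs posted earlier, flags the entries a log reader would question, and lays them out in the Driver::/File::/Registry:: form of the CFScript posted in the reply. The three rules and their wording are the example's own assumptions; the key paths and file names come from the logs.

```python
import re
from dataclasses import dataclass

# ComboFix service line:  R0 name;display name;image path [date size]
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.+?)\s*\[(.*)\]$")
# ComboFix registry value (REGEDIT4 style):  "name"="command" [date size]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')
# Registry key header that precedes those values:  [HKEY_...]
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
# HijackThis O2 line:  O2 - BHO: name - {CLSID} - path
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str       # "driver", "bho" or "run"
    name: str       # service name, CLSID or Run value name
    path: str       # image path, DLL path or command line
    reason: str
    key: str = ""   # registry key the entry lives under, when known


def triage(lines):
    """Return the log entries a reviewer would question, in log order."""
    findings, current_key = [], ""
    for raw in lines:
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif m := SERVICE_RE.match(line):
            name, image, stamp = m.groups()
            image = image.strip('"')   # quoted paths with spaces
            # Drivers and services load .sys or .exe images; a .dat under
            # \drivers is the kind of entry that gets asked about.
            if not image.lower().endswith((".sys", ".exe")):
                why = "service image is not a .sys/.exe"
                if not stamp.strip():
                    why += "; ComboFix printed no date/size for it"
                findings.append(Finding("driver", name, image, why))
            # An empty [] alone is not decisive: SBAPIFS in the same log
            # has none either, and belongs to the installed CounterSpy.
        elif m := RUN_VALUE_RE.match(line):
            name, command, _stamp = m.groups()
            # A bare file name is resolved through the search path, so the
            # log cannot show which binary actually runs at logon.
            if command and "\\" not in command and "/" not in command:
                findings.append(Finding("run", name, command,
                                        "Run value has no path", current_key))
        elif m := BHO_RE.match(line):
            display, clsid, dll = m.groups()
            # A display name proves nothing, but a BHO with none at all,
            # loading a DLL straight out of system32, is reviewed first.
            if display == "(no name)":
                key = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + clsid
                findings.append(Finding("bho", clsid, dll,
                                        "BHO has no name", key))
    return findings


def render_cfscript(findings):
    """Lay the findings out as the CFScript sections used in the reply:
    Driver:: (service names), File:: (paths), Registry:: (REGEDIT4 lines,
    where [-key] deletes a key and "name"=- deletes a value)."""
    drivers = [f.name for f in findings if f.kind == "driver"]
    files = [f.path for f in findings if f.kind == "bho"]
    reg = [f"[-{f.key}]" for f in findings if f.kind == "bho"]
    for f in findings:
        if f.kind == "run" and f.key:
            reg += [f"[{f.key}]", f'"{f.name}"=-']
    out = []
    for header, body in (("Driver::", drivers), ("File::", files),
                         ("Registry::", reg)):
        if body:
            out += [header, *body]
    return "\n".join(out)


# Sample input: lines excerpted from the two logs posted in this thread.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSI Configuration"="msiconf.exe" []

R0 bolliepy;bolliepy;C:\WINDOWS\system32\drivers\ywhpmryt.dat []
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2007-04-27 01:00]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {886483EE-B131-49A1-9065-5DA757F1C32F} - C:\WINDOWS\system32\cabine.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:6} {f.name:40} {f.reason}")
    print()
    print(render_cfscript(triage(SAMPLE)))
```

Run against the sample, the rendered script is line for line the one posted in the reply; on a full log the findings are a reading list, not a verdict, which is why SBAPIFS is left for the human.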
Maggot09



Joined: Apr 25, 2008
Posts: 9



PostPosted: Mon Apr 28, 2008 8:12 am    Post subject:

It's running a little faster but the cabine.dll file has not been deleted.

ComboFix 08-04-24.1 - John Bertucci 2008-04-28 7:38:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1072 [GMT -4:00]
Running from: C:\Documents and Settings\John Bertucci\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Bertucci\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\cabine.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cabine.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOLLIEPY
-------\Service_bolliepy


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-26 10:59 . 2008-04-28 07:36 <DIR> d-------- C:\HJT
2008-04-26 02:00 . 2008-04-26 10:14 104 --a------ C:\WINDOWS\system32\SBRC.dat
2008-04-25 09:10 . 2008-04-25 09:10 <DIR> d-------- C:\Documents and Settings\John Bertucci\Application Data\Sunbelt Software
2008-04-25 09:10 . 2008-04-25 09:10 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-04-25 09:09 . 2008-04-25 09:09 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-25 09:09 . 2008-04-25 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-18 09:23 . 2008-04-18 09:23 <DIR> d-------- C:\Program Files\Citrix
2008-03-31 18:21 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-31 18:21 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-31 07:48 . 2008-03-31 07:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-31 07:48 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-03-31 07:48 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-03-31 07:48 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-03-31 07:48 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-03-31 07:48 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-03-31 07:42 . 2008-03-31 07:42 164 --a------ C:\install.dat
2008-03-28 15:15 . 2008-03-28 15:15 <DIR> d-------- C:\Program Files\Webroot
2008-03-28 15:15 . 2008-03-28 15:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-28 15:15 . 2008-03-28 15:15 <DIR> d-------- C:\Documents and Settings\John Bertucci\Application Data\Webroot
2008-03-28 15:15 . 2004-02-11 18:27 102,912 --a------ C:\WINDOWS\system32\islzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 14:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 17:36 --------- d-----w C:\Program Files\Lavasoft
2008-03-27 17:36 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Lavasoft
2008-03-25 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-14 17:29 --------- d-----w C:\Program Files\Google
2008-03-14 17:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 17:27 --------- d-----w C:\Program Files\GNU
2008-03-14 17:25 --------- d-----w C:\Program Files\WebEx
2008-03-14 17:23 --------- d-----w C:\Program Files\Common Files\Wextech Shared
2008-03-09 18:55 --------- d-----w C:\Documents and Settings\John Bertucci\Application Data\LimeWire
2008-03-06 21:02 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-06 13:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2006-10-12 19:21 10,964,992 ----a-w C:\Program Files\MAPcadduct16-2004.arx
2006-10-12 19:09 10,969,088 ----a-w C:\Program Files\MAPcadduct16.arx
2006-10-12 18:58 8,654,848 ----a-w C:\Program Files\MAPcadduct.arx
2006-10-12 18:54 4,440,064 ----a-w C:\Program Files\UMapBack.exe
2006-10-12 18:54 4,407,296 ----a-w C:\Program Files\mapback.exe
2006-10-12 18:54 1,114,112 ----a-w C:\Program Files\ViewHasp.exe
2006-10-12 18:54 1,024,000 ----a-w C:\Program Files\hupdate.exe
2006-10-12 18:53 823,296 ----a-w C:\Program Files\editmap.exe
2006-10-12 18:53 573,440 ----a-w C:\Program Files\umapuser.exe
2006-10-12 18:53 561,152 ----a-w C:\Program Files\mapuser.exe
2006-10-12 18:28 11,247,616 ----a-w C:\Program Files\MAPcadduct17.arx
2006-10-11 20:54 822 ------w C:\Program Files\HideVP.BMP
2006-10-11 20:51 822 ------w C:\Program Files\maskVP.BMP
2006-10-11 20:48 822 ------w C:\Program Files\ShowVP.BMP
2006-10-11 20:45 822 ------w C:\Program Files\Hide.BMP
2006-09-04 20:06 622,385 ----a-w C:\Program Files\Diction.ary
2006-08-10 17:42 5,465 ------w C:\Program Files\Readme.txt
2006-07-11 12:53 28,672 ----a-w C:\Documents and Settings\Kevin\atwbxdet.dll
2006-06-13 19:43 43,008 --sh--w C:\Program Files\Thumbs.db
2006-05-31 16:19 822 ------w C:\Program Files\SecnSize.BMP
2006-05-31 16:16 822 ------w C:\Program Files\eddesobj.BMP
2006-05-31 16:13 822 ------w C:\Program Files\desobj.BMP
2006-05-31 16:06 822 ------w C:\Program Files\DuctCalc.BMP
2006-05-11 15:55 3,117,212 ------w C:\Program Files\TS-Mechanical-Metric.iez
2006-01-17 15:49 507,989 ------w C:\Program Files\TS-Public-Health-Metric.iez
2006-01-12 21:21 355,284 ------w C:\Program Files\TS-Electrical-Metric.iez
2006-01-12 21:20 592,487 ------w C:\Program Files\TS-HVAC-Metric.iez
2005-09-28 18:24 2,177,351 ----a-w C:\Program Files\haspdinst.exe
2005-08-03 19:28 1,460,490 ------w C:\Program Files\Services.iez
2004-12-23 20:02 6,144 ----a-w C:\Program Files\MapHelper16.arx
2004-12-02 22:49 3,174,400 ----a-w C:\Program Files\hinstall.exe
2004-08-16 17:43 1,853,471 ----a-w C:\Program Files\haspds_windows.dll
2004-04-19 20:06 151,552 ----a-w C:\Program Files\MapLoader16.arx
2004-01-14 21:47 184,320 ----a-w C:\Program Files\MapLoader.arx
2003-10-22 14:06 774 ------w C:\Program Files\PlanView.BMP
2003-10-22 02:48 774 ------w C:\Program Files\LastView.BMP
2003-05-14 15:12 774 ------w C:\Program Files\purge.BMP
2003-05-14 14:51 774 ------w C:\Program Files\Length.BMP
2003-05-14 14:44 774 ------w C:\Program Files\sets.BMP
2003-05-14 14:32 774 ------w C:\Program Files\Alias.BMP
2003-05-14 14:16 774 ------w C:\Program Files\Show.BMP
2003-05-14 14:16 774 ------w C:\Program Files\mask.BMP
2003-05-14 14:08 774 ------w C:\Program Files\fulldb.BMP
2003-05-14 14:00 774 ------w C:\Program Files\Inspect.bmp
2003-01-27 15:52 774 ------w C:\Program Files\matchprp.BMP
2002-12-04 22:29 774 ------w C:\Program Files\Service.bmp
2002-12-04 22:22 774 ------w C:\Program Files\RotateT.BMP
2002-12-04 22:11 774 ------w C:\Program Files\search.BMP
2001-11-06 15:32 774 ------w C:\Program Files\Fill2Ends.BMP
2001-08-09 13:13 65,024 ----a-w C:\Program Files\bszip.dll
2001-08-06 19:00 774 ------w C:\Program Files\Size.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Number.bmp
2001-08-06 19:00 774 ------w C:\Program Files\MoveT.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Flex.bmp
2001-08-06 19:00 774 ------w C:\Program Files\FILL.BMP
2001-08-06 19:00 774 ------w C:\Program Files\Elev.bmp
2001-08-06 19:00 774 ------w C:\Program Files\EDIT.BMP
2001-08-06 17:56 774 ------w C:\Program Files\Sectional.BMP
2001-07-20 14:31 774 ------w C:\Program Files\Takeoff.BMP
2001-07-20 14:12 774 ------w C:\Program Files\mprop.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHOFF.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHER.BMP
2001-06-15 15:16 774 ------w C:\Program Files\Dbase.BMP
1999-12-29 21:43 774 ------w C:\Program Files\Specs.BMP
1999-08-04 13:44 193,402 ------w C:\Program Files\logo.bmp
2007-08-10 19:26 56 --sh--r C:\WINDOWS\system32\163AC82584.sys
2007-08-10 19:26 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot.TakeThisOut@2008-04-26_10.52.12.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 14:55:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-28 11:53:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
2008-03-05 10:18 110080 --a------ C:\WINDOWS\system32\cabine.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-01-24 16:58 104128]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 05:35:22 10872]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-02-05 13:42:46 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk
backup=C:\WINDOWS\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2007-01-24 16:58 104128 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\PVSW\\Bin\\w3dbsmgr.exe"=

R0 bolliepy;bolliepy;C:\WINDOWS\system32\drivers\ywhpmryt.dat []
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-25 09:10]
R1 NEOFLTR_530_11613;Juniper Networks TDI Filter Driver (NEOFLTR_530_11613);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11613.SYS [2007-03-02 21:54]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 18:36]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-09-06 12:39]
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2007-04-27 01:00]
S3 CBUSB;MARX CryptoTech LP;C:\WINDOWS\system32\drivers\CBUSB.sys [2007-03-08 15:28]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 09:28]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

*Newly Created Service* - BOLLIEPY
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 07:55:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Program Files\Common Files\Symantec Shared\IDS\DefUtDcd.dll 722136 bytes executable
C:\Program Files\Common Files\Symantec Shared\IDS\IDSaux.dll 177856 bytes executable
C:\Program Files\Common Files\Symantec Shared\IDS\IDSSettg.BAK 1212 bytes
C:\Program Files\Common Files\Symantec Shared\IDS\IDSSettg.dat 1212 bytes
C:\Program Files\Common Files\Symantec Shared\IDS\Patch25.dll 91232 bytes executable
C:\Program Files\Common Files\Symantec Shared\IDS\SymIDSLU.dll 59000 bytes executable
C:\Program Files\Common Files\Symantec Shared\SPManifests\CIDS.GRD 230 bytes
C:\Program Files\Common Files\Symantec Shared\SPManifests\CIDS.SIG 2225 bytes
C:\Program Files\Common Files\Symantec Shared\SPManifests\CIDS.SPM 1936 bytes

scan completed successfully
hidden files: 9

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="\"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bolliepy]
"ImagePath"="system32\drivers\ywhpmryt.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-04-28 8:01:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 12:01:07
ComboFix2.txt 2008-04-26 14:52:32

Pre-Run: 89,265,397,760 bytes free
Post-Run: 90,139,607,040 bytes free

226 --- E O F --- 2008-04-11 20:11:19



Thanks for all your help
greyknight17 (Joined: Feb 03, 2003; Posts: 4864; Location: Brooklyn, NY)
Posted: Tue Apr 29, 2008 7:02 pm

I see a bunch of files installed on the root of your Program Files folder. Did you install a program into this root folder in the past by mistake? Here's a small sample of what's there now:

C:\Program Files\MAPcadduct16-2004.arx
C:\Program Files\MAPcadduct16.arx
C:\Program Files\MAPcadduct.arx
C:\Program Files\UMapBack.exe
C:\Program Files\mapback.exe
C:\Program Files\ViewHasp.exe
C:\Program Files\hupdate.exe
C:\Program Files\editmap.exe
C:\Program Files\umapuser.exe
C:\Program Files\mapuser.exe
C:\Program Files\MAPcadduct17.arx
C:\Program Files\HideVP.BMP
C:\Program Files\maskVP.BMP
C:\Program Files\ShowVP.BMP
C:\Program Files\Hide.BMP
C:\Program Files\Diction.ary
C:\Program Files\Readme.txt


Download OTMoveIt2 at http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bolliepy
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}
C:\WINDOWS\system32\cabine.dll


* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Restart the computer and run a new combofix scan.

How is the computer running so far?
Maggot09 (Joined: Apr 25, 2008; Posts: 9)
Posted: Wed Apr 30, 2008 3:50 pm

It's running well, but still slows occasionally. I did not put those files in the Program Files folder, but some of them are for my AutoCAD program.
Here is what happened after I ran OTMoveIt2:

< HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bolliepy >
Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bolliepy \\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F} \\ not found.
LoadLibrary failed for C:\WINDOWS\system32\cabine.dll
C:\WINDOWS\system32\cabine.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\cabine.dll scheduled to be moved on reboot.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04302008_151833

Files moved on Reboot...
LoadLibrary failed for C:\WINDOWS\system32\cabine.dll
C:\WINDOWS\system32\cabine.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\cabine.dll scheduled to be moved on reboot.

And this is the ComboFix log:

ComboFix 08-04-24.1 - John Bertucci 2008-04-30 15:30:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1142 [GMT -4:00]
Running from: C:\Documents and Settings\John Bertucci\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 15:18 . 2008-04-30 15:18 <DIR> d-------- C:\_OTMoveIt
2008-04-26 10:59 . 2008-04-28 07:36 <DIR> d-------- C:\HJT
2008-04-25 09:10 . 2008-04-25 09:10 <DIR> d-------- C:\Documents and Settings\John Bertucci\Application Data\Sunbelt Software
2008-04-25 09:10 . 2008-04-25 09:10 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-04-25 09:09 . 2008-04-25 09:09 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-25 09:09 . 2008-04-25 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-18 09:23 . 2008-04-18 09:23 <DIR> d-------- C:\Program Files\Citrix
2008-03-31 18:21 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-31 18:21 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-31 07:48 . 2008-03-31 07:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-31 07:48 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-03-31 07:48 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-03-31 07:48 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-03-31 07:48 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-03-31 07:48 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-03-31 07:42 . 2008-03-31 07:42 164 --a------ C:\install.dat
2008-03-28 15:15 . 2008-03-28 15:15 <DIR> d-------- C:\Program Files\Webroot
2008-03-28 15:15 . 2008-03-28 15:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-28 15:15 . 2008-03-28 15:15 <DIR> d-------- C:\Documents and Settings\John Bertucci\Application Data\Webroot
2008-03-28 15:15 . 2004-02-11 18:27 102,912 --a------ C:\WINDOWS\system32\islzma.dll
2008-03-13 15:52 . 2008-04-02 14:29 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-03-06 17:03 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-06 17:02 . 2008-03-06 17:02 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-06 09:34 . 2008-03-06 09:50 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-06 08:19 . 2007-07-09 09:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 12:00 --------- d-----w C:\Program Files\Symantec
2008-04-28 12:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 17:36 --------- d-----w C:\Program Files\Lavasoft
2008-03-27 17:36 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Lavasoft
2008-03-25 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-14 17:29 --------- d-----w C:\Program Files\Google
2008-03-14 17:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 17:27 --------- d-----w C:\Program Files\GNU
2008-03-14 17:25 --------- d-----w C:\Program Files\WebEx
2008-03-14 17:23 --------- d-----w C:\Program Files\Common Files\Wextech Shared
2008-03-09 18:55 --------- d-----w C:\Documents and Settings\John Bertucci\Application Data\LimeWire
2006-10-12 19:21 10,964,992 ----a-w C:\Program Files\MAPcadduct16-2004.arx
2006-10-12 19:09 10,969,088 ----a-w C:\Program Files\MAPcadduct16.arx
2006-10-12 18:58 8,654,848 ----a-w C:\Program Files\MAPcadduct.arx
2006-10-12 18:54 4,440,064 ----a-w C:\Program Files\UMapBack.exe
2006-10-12 18:54 4,407,296 ----a-w C:\Program Files\mapback.exe
2006-10-12 18:54 1,114,112 ----a-w C:\Program Files\ViewHasp.exe
2006-10-12 18:54 1,024,000 ----a-w C:\Program Files\hupdate.exe
2006-10-12 18:53 823,296 ----a-w C:\Program Files\editmap.exe
2006-10-12 18:53 573,440 ----a-w C:\Program Files\umapuser.exe
2006-10-12 18:53 561,152 ----a-w C:\Program Files\mapuser.exe
2006-10-12 18:28 11,247,616 ----a-w C:\Program Files\MAPcadduct17.arx
2006-10-11 20:54 822 ------w C:\Program Files\HideVP.BMP
2006-10-11 20:51 822 ------w C:\Program Files\maskVP.BMP
2006-10-11 20:48 822 ------w C:\Program Files\ShowVP.BMP
2006-10-11 20:45 822 ------w C:\Program Files\Hide.BMP
2006-09-04 20:06 622,385 ----a-w C:\Program Files\Diction.ary
2006-08-10 17:42 5,465 ------w C:\Program Files\Readme.txt
2006-07-11 12:53 28,672 ----a-w C:\Documents and Settings\Kevin\atwbxdet.dll
2006-06-13 19:43 43,008 --sh--w C:\Program Files\Thumbs.db
2006-05-31 16:19 822 ------w C:\Program Files\SecnSize.BMP
2006-05-31 16:16 822 ------w C:\Program Files\eddesobj.BMP
2006-05-31 16:13 822 ------w C:\Program Files\desobj.BMP
2006-05-31 16:06 822 ------w C:\Program Files\DuctCalc.BMP
2006-05-11 15:55 3,117,212 ------w C:\Program Files\TS-Mechanical-Metric.iez
2006-01-17 15:49 507,989 ------w C:\Program Files\TS-Public-Health-Metric.iez
2006-01-12 21:21 355,284 ------w C:\Program Files\TS-Electrical-Metric.iez
2006-01-12 21:20 592,487 ------w C:\Program Files\TS-HVAC-Metric.iez
2005-09-28 18:24 2,177,351 ----a-w C:\Program Files\haspdinst.exe
2005-08-03 19:28 1,460,490 ------w C:\Program Files\Services.iez
2004-12-23 20:02 6,144 ----a-w C:\Program Files\MapHelper16.arx
2004-12-02 22:49 3,174,400 ----a-w C:\Program Files\hinstall.exe
2004-08-16 17:43 1,853,471 ----a-w C:\Program Files\haspds_windows.dll
2004-04-19 20:06 151,552 ----a-w C:\Program Files\MapLoader16.arx
2004-01-14 21:47 184,320 ----a-w C:\Program Files\MapLoader.arx
2003-10-22 14:06 774 ------w C:\Program Files\PlanView.BMP
2003-10-22 02:48 774 ------w C:\Program Files\LastView.BMP
2003-05-14 15:12 774 ------w C:\Program Files\purge.BMP
2003-05-14 14:51 774 ------w C:\Program Files\Length.BMP
2003-05-14 14:44 774 ------w C:\Program Files\sets.BMP
2003-05-14 14:32 774 ------w C:\Program Files\Alias.BMP
2003-05-14 14:16 774 ------w C:\Program Files\Show.BMP
2003-05-14 14:16 774 ------w C:\Program Files\mask.BMP
2003-05-14 14:08 774 ------w C:\Program Files\fulldb.BMP
2003-05-14 14:00 774 ------w C:\Program Files\Inspect.bmp
2003-01-27 15:52 774 ------w C:\Program Files\matchprp.BMP
2002-12-04 22:29 774 ------w C:\Program Files\Service.bmp
2002-12-04 22:22 774 ------w C:\Program Files\RotateT.BMP
2002-12-04 22:11 774 ------w C:\Program Files\search.BMP
2001-11-06 15:32 774 ------w C:\Program Files\Fill2Ends.BMP
2001-08-09 13:13 65,024 ----a-w C:\Program Files\bszip.dll
2001-08-06 19:00 774 ------w C:\Program Files\Size.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Number.bmp
2001-08-06 19:00 774 ------w C:\Program Files\MoveT.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Flex.bmp
2001-08-06 19:00 774 ------w C:\Program Files\FILL.BMP
2001-08-06 19:00 774 ------w C:\Program Files\Elev.bmp
2001-08-06 19:00 774 ------w C:\Program Files\EDIT.BMP
2001-08-06 17:56 774 ------w C:\Program Files\Sectional.BMP
2001-07-20 14:31 774 ------w C:\Program Files\Takeoff.BMP
2001-07-20 14:12 774 ------w C:\Program Files\mprop.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHOFF.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHER.BMP
2001-06-15 15:16 774 ------w C:\Program Files\Dbase.BMP
1999-12-29 21:43 774 ------w C:\Program Files\Specs.BMP
1999-08-04 13:44 193,402 ------w C:\Program Files\logo.bmp
2007-08-10 19:26 56 --sh--r C:\WINDOWS\system32\163AC82584.sys
2007-08-10 19:26 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
2008-03-05 10:18 110080 --a------ C:\WINDOWS\system32\cabine.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 05:35:22 10872]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-02-05 13:42:46 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk
backup=C:\WINDOWS\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\PVSW\\Bin\\w3dbsmgr.exe"=

R0 bolliepy;bolliepy;C:\WINDOWS\system32\drivers\ywhpmryt.dat []
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-25 09:10]
R1 NEOFLTR_530_11613;Juniper Networks TDI Filter Driver (NEOFLTR_530_11613);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11613.SYS [2007-03-02 21:54]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 18:36]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-09-06 12:39]
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2007-04-27 01:00]
S3 CBUSB;MARX CryptoTech LP;C:\WINDOWS\system32\drivers\CBUSB.sys [2007-03-08 15:28]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 09:28]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bolliepy]
"ImagePath"="system32\drivers\ywhpmryt.dat"
.
Completion time: 2008-04-30 15:35:47
ComboFix-quarantined-files.txt 2008-04-30 19:35:39
ComboFix2.txt 2008-04-28 12:01:26
ComboFix3.txt 2008-04-26 14:52:32

Pre-Run: 89,731,428,352 bytes free
Post-Run: 90,037,723,136 bytes free

186 --- E O F --- 2008-04-11 20:11:19


Again I can't thank you enough for your help
greyknight17 (Joined: Feb 03, 2003; Posts: 4864; Location: Brooklyn, NY)
Posted: Wed Apr 30, 2008 10:33 pm

OK, stubborn file I see....

Download IceSword and save it to your desktop. Extract that file to your desktop and then run IceSword.exe. On the left panel, look at the bottom for the File button. Click on it. Now navigate to C:\WINDOWS\system32\ and then look for the cabine.dll file. Click on it once. Then right click on it and choose Delete. Click Yes to confirm deletion. If it gives you problems deleting it that way, choose the force Delete option and confirm again (Yes) when prompted.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bolliepy]


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
Driver::
bolliepy

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

If your computer is still slow, run a new HijackThis scan. Then place a checkmark on each of the following:

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SBCSTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE


Decide whether you want to have CounterSpy providing the real-time spyware protection or SpySweeper. Once decided, check the one you want to remove from startup. Click Fix checked button. Restart the computer. Any better?
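The two posts above (the OTMoveIt2 list and the delete.reg / CFScript step) both act on the same persistence points that the ComboFix "Reg Loading Points" section exposes: a Browser Helper Object loading cabine.dll from system32, and a boot-start service (bolliepy) whose image is a .dat file in the drivers folder with no file date. As an added example, not code from the thread, from ComboFix or from the helper, the Python below parses log lines in that shape, attaches the signals an analyst reads off the log, and emits a REGEDIT4 deletion script of the form shown above. The sample lines are constructed from this thread; the full registry paths behind ComboFix's "~" abbreviation, the heuristic signals and the severity thresholds are my assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the ComboFix "Reg Loading Points" section
# posted in this thread: a BHO block, a Run key, service lines, new-service marker.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
2008-03-05 10:18 110080 --a------ C:\WINDOWS\system32\cabine.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

R0 bolliepy;bolliepy;C:\WINDOWS\system32\drivers\ywhpmryt.dat []
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-25 09:10]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 18:36]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

*Newly Created Service* - BOLLIEPY
"""

# ComboFix abbreviates the BHO hive path with "~"; this is the real key (assumed here).
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# The thread's log and delete.reg both name ControlSet001, so the script reuses it.
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\ControlSet001\Services"

# "<start> <name>;<display name>;<image path> [<file date>]"
SERVICE_RE = re.compile(r"^(R[0-4]|S[0-4]) ([^;]+);([^;]*);(.*?) \[(.*)\]$")
BHO_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
NEW_SERVICE_RE = re.compile(r"^\*Newly Created Service\* - (\S+)$")


@dataclass
class Finding:
    kind: str            # "service" or "bho"
    name: str            # service name or BHO CLSID
    image: str           # file the entry loads
    reg_key: str         # full registry key that creates the persistence
    signals: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Assumed thresholds: two independent signals is where an analyst would act;
        # one signal (e.g. only a missing file date) is worth a look, nothing more.
        n = len(self.signals)
        return "high" if n >= 2 else "review" if n == 1 else "clean"


def triage(log_text: str) -> list:
    """Parse ComboFix loading-point lines and attach heuristic signals."""
    lines = log_text.splitlines()
    new_services = {m.group(1).lower() for ln in lines if (m := NEW_SERVICE_RE.match(ln))}
    findings = []
    for i, line in enumerate(lines):
        if m := SERVICE_RE.match(line):
            _start, name, _display, image, stamp = m.groups()
            f = Finding("service", name, image.strip('"'), f"{SERVICES_KEY}\\{name}")
            if not stamp:
                f.signals.append("no file date: image missing or hidden at scan time")
            low = image.lower()
            if "\\drivers\\" in low and not low.endswith(".sys"):
                f.signals.append("driver image is not a .sys file")
            if name.lower() in new_services:
                f.signals.append("ComboFix marked the service as newly created")
            findings.append(f)
        elif m := BHO_RE.match(line):
            clsid = m.group(1)
            # The module path is the last field of the line that follows the key.
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            image = nxt.split(" ", 4)[-1]
            f = Finding("bho", clsid, image, f"{BHO_KEY}\\{clsid}")
            # ComboFix hides default entries, so any BHO it prints deserves review.
            f.signals.append("registered BHO: loaded by every Internet Explorer process")
            if "\\system32\\" in image.lower():
                f.signals.append("BHO module sits in system32 rather than Program Files")
            findings.append(f)
    return findings


def removal_reg(findings: list) -> str:
    """Emit a REGEDIT4 script deleting the keys of high-severity findings,
    in the same form as the delete.reg shown in the thread."""
    keys = [f"[-{f.reg_key}]" for f in findings if f.severity == "high"]
    return "REGEDIT4\n" + "\n".join(keys) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.kind:7} {f.name} -> {f.image}")
        for s in f.signals:
            print("       -", s)
    print(removal_reg(results))
```

The signals are triage hints, not verdicts: SBAPIFS, a CounterSpy driver, lands in "review" only because its file had no date at scan time, which is exactly the false positive an analyst resolves by checking the vendor before touching anything.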
Maggot09 (Joined: Apr 25, 2008; Posts: 9)
Posted: Thu May 01, 2008 8:19 am

Thanks, it's running well. Here is the ComboFix log:

ComboFix 08-04-24.1 - John Bertucci 2008-05-01 7:58:49.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1187 [GMT -4:00]
Running from: C:\Documents and Settings\John Bertucci\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Bertucci\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOLLIEPY
-------\Service_bolliepy


((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-30 15:18 . 2008-04-30 15:18 <DIR> d-------- C:\_OTMoveIt
2008-04-26 10:59 . 2008-05-01 07:46 <DIR> d-------- C:\HJT
2008-04-25 09:10 . 2008-04-25 09:10 <DIR> d-------- C:\Documents and Settings\John Bertucci\Application Data\Sunbelt Software
2008-04-25 09:10 . 2008-04-25 09:10 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-04-25 09:09 . 2008-04-25 09:09 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-25 09:09 . 2008-04-25 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-18 09:23 . 2008-04-18 09:23 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 12:00 --------- d-----w C:\Program Files\Symantec
2008-04-28 12:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-31 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-31 11:42 164 ----a-w C:\install.dat
2008-03-28 19:15 --------- d-----w C:\Program Files\Webroot
2008-03-28 19:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-28 19:15 --------- d-----w C:\Documents and Settings\John Bertucci\Application Data\Webroot
2008-03-27 17:36 --------- d-----w C:\Program Files\Lavasoft
2008-03-27 17:36 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Lavasoft
2008-03-25 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-14 17:29 --------- d-----w C:\Program Files\Google
2008-03-14 17:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 17:27 --------- d-----w C:\Program Files\GNU
2008-03-14 17:25 --------- d-----w C:\Program Files\WebEx
2008-03-14 17:23 --------- d-----w C:\Program Files\Common Files\Wextech Shared
2008-03-09 18:55 --------- d-----w C:\Documents and Settings\John Bertucci\Application Data\LimeWire
2008-03-06 21:02 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-06 13:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2006-10-12 19:21 10,964,992 ----a-w C:\Program Files\MAPcadduct16-2004.arx
2006-10-12 19:09 10,969,088 ----a-w C:\Program Files\MAPcadduct16.arx
2006-10-12 18:58 8,654,848 ----a-w C:\Program Files\MAPcadduct.arx
2006-10-12 18:54 4,440,064 ----a-w C:\Program Files\UMapBack.exe
2006-10-12 18:54 4,407,296 ----a-w C:\Program Files\mapback.exe
2006-10-12 18:54 1,114,112 ----a-w C:\Program Files\ViewHasp.exe
2006-10-12 18:54 1,024,000 ----a-w C:\Program Files\hupdate.exe
2006-10-12 18:53 823,296 ----a-w C:\Program Files\editmap.exe
2006-10-12 18:53 573,440 ----a-w C:\Program Files\umapuser.exe
2006-10-12 18:53 561,152 ----a-w C:\Program Files\mapuser.exe
2006-10-12 18:28 11,247,616 ----a-w C:\Program Files\MAPcadduct17.arx
2006-10-11 20:54 822 ------w C:\Program Files\HideVP.BMP
2006-10-11 20:51 822 ------w C:\Program Files\maskVP.BMP
2006-10-11 20:48 822 ------w C:\Program Files\ShowVP.BMP
2006-10-11 20:45 822 ------w C:\Program Files\Hide.BMP
2006-09-04 20:06 622,385 ----a-w C:\Program Files\Diction.ary
2006-08-10 17:42 5,465 ------w C:\Program Files\Readme.txt
2006-07-11 12:53 28,672 ----a-w C:\Documents and Settings\Kevin\atwbxdet.dll
2006-06-13 19:43 43,008 --sh--w C:\Program Files\Thumbs.db
2006-05-31 16:19 822 ------w C:\Program Files\SecnSize.BMP
2006-05-31 16:16 822 ------w C:\Program Files\eddesobj.BMP
2006-05-31 16:13 822 ------w C:\Program Files\desobj.BMP
2006-05-31 16:06 822 ------w C:\Program Files\DuctCalc.BMP
2006-05-11 15:55 3,117,212 ------w C:\Program Files\TS-Mechanical-Metric.iez
2006-01-17 15:49 507,989 ------w C:\Program Files\TS-Public-Health-Metric.iez
2006-01-12 21:21 355,284 ------w C:\Program Files\TS-Electrical-Metric.iez
2006-01-12 21:20 592,487 ------w C:\Program Files\TS-HVAC-Metric.iez
2005-09-28 18:24 2,177,351 ----a-w C:\Program Files\haspdinst.exe
2005-08-03 19:28 1,460,490 ------w C:\Program Files\Services.iez
2004-12-23 20:02 6,144 ----a-w C:\Program Files\MapHelper16.arx
2004-12-02 22:49 3,174,400 ----a-w C:\Program Files\hinstall.exe
2004-08-16 17:43 1,853,471 ----a-w C:\Program Files\haspds_windows.dll
2004-04-19 20:06 151,552 ----a-w C:\Program Files\MapLoader16.arx
2004-01-14 21:47 184,320 ----a-w C:\Program Files\MapLoader.arx
2003-10-22 14:06 774 ------w C:\Program Files\PlanView.BMP
2003-10-22 02:48 774 ------w C:\Program Files\LastView.BMP
2003-05-14 15:12 774 ------w C:\Program Files\purge.BMP
2003-05-14 14:51 774 ------w C:\Program Files\Length.BMP
2003-05-14 14:44 774 ------w C:\Program Files\sets.BMP
2003-05-14 14:32 774 ------w C:\Program Files\Alias.BMP
2003-05-14 14:16 774 ------w C:\Program Files\Show.BMP
2003-05-14 14:16 774 ------w C:\Program Files\mask.BMP
2003-05-14 14:08 774 ------w C:\Program Files\fulldb.BMP
2003-05-14 14:00 774 ------w C:\Program Files\Inspect.bmp
2003-01-27 15:52 774 ------w C:\Program Files\matchprp.BMP
2002-12-04 22:29 774 ------w C:\Program Files\Service.bmp
2002-12-04 22:22 774 ------w C:\Program Files\RotateT.BMP
2002-12-04 22:11 774 ------w C:\Program Files\search.BMP
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\audio3d.dll
2001-11-06 15:32 774 ------w C:\Program Files\Fill2Ends.BMP
2001-08-09 13:13 65,024 ----a-w C:\Program Files\bszip.dll
2001-08-06 19:00 774 ------w C:\Program Files\Size.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Number.bmp
2001-08-06 19:00 774 ------w C:\Program Files\MoveT.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Flex.bmp
2001-08-06 19:00 774 ------w C:\Program Files\FILL.BMP
2001-08-06 19:00 774 ------w C:\Program Files\Elev.bmp
2001-08-06 19:00 774 ------w C:\Program Files\EDIT.BMP
2001-08-06 17:56 774 ------w C:\Program Files\Sectional.BMP
2001-07-20 14:31 774 ------w C:\Program Files\Takeoff.BMP
2001-07-20 14:12 774 ------w C:\Program Files\mprop.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHOFF.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHER.BMP
2001-06-15 15:16 774 ------w C:\Program Files\Dbase.BMP
1999-12-29 21:43 774 ------w C:\Program Files\Specs.BMP
1999-08-04 13:44 193,402 ------w C:\Program Files\logo.bmp
2007-08-10 19:26 56 --sh--r C:\WINDOWS\system32\163AC82584.sys
2007-08-10 19:26 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot.TakeThisOut@2008-04-26_10.52.12.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 14:55:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 12:02:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
C:\WINDOWS\system32\cabine.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk
backup=C:\WINDOWS\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\PVSW\\Bin\\w3dbsmgr.exe"=

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-25 09:10]
R1 NEOFLTR_530_11613;Juniper Networks TDI Filter Driver (NEOFLTR_530_11613);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11613.SYS [2007-03-02 21:54]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 18:36]
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2007-04-27 01:00]
S2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-09-06 12:39]
S3 CBUSB;MARX CryptoTech LP;C:\WINDOWS\system32\drivers\CBUSB.sys [2007-03-08 15:28]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 09:28]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 08:03:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-01 8:09:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 12:09:18
ComboFix2.txt 2008-04-30 19:35:48
ComboFix3.txt 2008-04-28 12:01:26
ComboFix4.txt 2008-04-26 14:52:32

Pre-Run: 90,018,025,472 bytes free
Post-Run: 90,030,780,416 bytes free

194 --- E O F --- 2008-04-11 20:11:19
greyknight17

Joined: Feb 03, 2003
Posts: 4864

Location: Brooklyn, NY

PostPosted: Thu May 08, 2008 9:21 pm    Post subject:

We're almost there. Let's see if it will go away peacefully now.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
File::
C:\WINDOWS\system32\cabine.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
Maggot09

Joined: Apr 25, 2008
Posts: 9

PostPosted: Fri May 09, 2008 11:12 am    Post subject:

Thanks again for your help. Here is the log:


ComboFix 08-05-08.1 - John Bertucci 2008-05-09 11:13:49.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1105 [GMT -4:00]
Running from: C:\Documents and Settings\John Bertucci\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Bertucci\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\cabine.dll
.

((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-04-30 15:18 . 2008-04-30 15:18 <DIR> d-------- C:\_OTMoveIt
2008-04-26 10:59 . 2008-05-01 07:46 <DIR> d-------- C:\HJT
2008-04-25 09:10 . 2008-04-25 09:10 <DIR> d-------- C:\Documents and Settings\John Bertucci\Application Data\Sunbelt Software
2008-04-25 09:10 . 2008-04-25 09:10 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-04-18 09:23 . 2008-04-18 09:23 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 12:00 --------- d-----w C:\Program Files\Symantec
2008-04-28 12:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-31 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-31 11:42 164 ----a-w C:\install.dat
2008-03-28 19:15 --------- d-----w C:\Program Files\Webroot
2008-03-28 19:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-28 19:15 --------- d-----w C:\Documents and Settings\John Bertucci\Application Data\Webroot
2008-03-27 17:36 --------- d-----w C:\Program Files\Lavasoft
2008-03-27 17:36 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Lavasoft
2008-03-25 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-14 17:29 --------- d-----w C:\Program Files\Google
2008-03-14 17:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 17:27 --------- d-----w C:\Program Files\GNU
2008-03-14 17:25 --------- d-----w C:\Program Files\WebEx
2008-03-14 17:23 --------- d-----w C:\Program Files\Common Files\Wextech Shared
2008-03-09 18:55 --------- d-----w C:\Documents and Settings\John Bertucci\Application Data\LimeWire
2006-10-12 19:21 10,964,992 ----a-w C:\Program Files\MAPcadduct16-2004.arx
2006-10-12 19:09 10,969,088 ----a-w C:\Program Files\MAPcadduct16.arx
2006-10-12 18:58 8,654,848 ----a-w C:\Program Files\MAPcadduct.arx
2006-10-12 18:54 4,440,064 ----a-w C:\Program Files\UMapBack.exe
2006-10-12 18:54 4,407,296 ----a-w C:\Program Files\mapback.exe
2006-10-12 18:54 1,114,112 ----a-w C:\Program Files\ViewHasp.exe
2006-10-12 18:54 1,024,000 ----a-w C:\Program Files\hupdate.exe
2006-10-12 18:53 823,296 ----a-w C:\Program Files\editmap.exe
2006-10-12 18:53 573,440 ----a-w C:\Program Files\umapuser.exe
2006-10-12 18:53 561,152 ----a-w C:\Program Files\mapuser.exe
2006-10-12 18:28 11,247,616 ----a-w C:\Program Files\MAPcadduct17.arx
2006-10-11 20:54 822 ------w C:\Program Files\HideVP.BMP
2006-10-11 20:51 822 ------w C:\Program Files\maskVP.BMP
2006-10-11 20:48 822 ------w C:\Program Files\ShowVP.BMP
2006-10-11 20:45 822 ------w C:\Program Files\Hide.BMP
2006-09-04 20:06 622,385 ----a-w C:\Program Files\Diction.ary
2006-08-10 17:42 5,465 ------w C:\Program Files\Readme.txt
2006-07-11 12:53 28,672 ----a-w C:\Documents and Settings\Kevin\atwbxdet.dll
2006-06-13 19:43 43,008 --sh--w C:\Program Files\Thumbs.db
2006-05-31 16:19 822 ------w C:\Program Files\SecnSize.BMP
2006-05-31 16:16 822 ------w C:\Program Files\eddesobj.BMP
2006-05-31 16:13 822 ------w C:\Program Files\desobj.BMP
2006-05-31 16:06 822 ------w C:\Program Files\DuctCalc.BMP
2006-05-11 15:55 3,117,212 ------w C:\Program Files\TS-Mechanical-Metric.iez
2006-01-17 15:49 507,989 ------w C:\Program Files\TS-Public-Health-Metric.iez
2006-01-12 21:21 355,284 ------w C:\Program Files\TS-Electrical-Metric.iez
2006-01-12 21:20 592,487 ------w C:\Program Files\TS-HVAC-Metric.iez
2005-09-28 18:24 2,177,351 ----a-w C:\Program Files\haspdinst.exe
2005-08-03 19:28 1,460,490 ------w C:\Program Files\Services.iez
2004-12-23 20:02 6,144 ----a-w C:\Program Files\MapHelper16.arx
2004-12-02 22:49 3,174,400 ----a-w C:\Program Files\hinstall.exe
2004-08-16 17:43 1,853,471 ----a-w C:\Program Files\haspds_windows.dll
2004-04-19 20:06 151,552 ----a-w C:\Program Files\MapLoader16.arx
2004-01-14 21:47 184,320 ----a-w C:\Program Files\MapLoader.arx
2003-10-22 14:06 774 ------w C:\Program Files\PlanView.BMP
2003-10-22 02:48 774 ------w C:\Program Files\LastView.BMP
2003-05-14 15:12 774 ------w C:\Program Files\purge.BMP
2003-05-14 14:51 774 ------w C:\Program Files\Length.BMP
2003-05-14 14:44 774 ------w C:\Program Files\sets.BMP
2003-05-14 14:32 774 ------w C:\Program Files\Alias.BMP
2003-05-14 14:16 774 ------w C:\Program Files\Show.BMP
2003-05-14 14:16 774 ------w C:\Program Files\mask.BMP
2003-05-14 14:08 774 ------w C:\Program Files\fulldb.BMP
2003-05-14 14:00 774 ------w C:\Program Files\Inspect.bmp
2003-01-27 15:52 774 ------w C:\Program Files\matchprp.BMP
2002-12-04 22:29 774 ------w C:\Program Files\Service.bmp
2002-12-04 22:22 774 ------w C:\Program Files\RotateT.BMP
2002-12-04 22:11 774 ------w C:\Program Files\search.BMP
2001-11-06 15:32 774 ------w C:\Program Files\Fill2Ends.BMP
2001-08-09 13:13 65,024 ----a-w C:\Program Files\bszip.dll
2001-08-06 19:00 774 ------w C:\Program Files\Size.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Number.bmp
2001-08-06 19:00 774 ------w C:\Program Files\MoveT.bmp
2001-08-06 19:00 774 ------w C:\Program Files\Flex.bmp
2001-08-06 19:00 774 ------w C:\Program Files\FILL.BMP
2001-08-06 19:00 774 ------w C:\Program Files\Elev.bmp
2001-08-06 19:00 774 ------w C:\Program Files\EDIT.BMP
2001-08-06 17:56 774 ------w C:\Program Files\Sectional.BMP
2001-07-20 14:31 774 ------w C:\Program Files\Takeoff.BMP
2001-07-20 14:12 774 ------w C:\Program Files\mprop.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHOFF.BMP
2001-06-15 16:12 774 ------w C:\Program Files\ATTACHER.BMP
2001-06-15 15:16 774 ------w C:\Program Files\Dbase.BMP
1999-12-29 21:43 774 ------w C:\Program Files\Specs.BMP
1999-08-04 13:44 193,402 ------w C:\Program Files\logo.bmp
2007-08-10 19:26 56 --sh--r C:\WINDOWS\system32\163AC82584.sys
2007-08-10 19:26 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
C:\WINDOWS\system32\cabine.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk
backup=C:\WINDOWS\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\PVSW\\Bin\\w3dbsmgr.exe"=

R1 NEOFLTR_530_11613;Juniper Networks TDI Filter Driver (NEOFLTR_530_11613);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11613.SYS [2007-03-02 21:54]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 18:36]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-09-06 12:39]
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2007-04-27 01:00]
S3 CBUSB;MARX CryptoTech LP;C:\WINDOWS\system32\drivers\CBUSB.sys [2007-03-08 15:28]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 09:28]

*Newly Created Service* - CATCHME
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-05-09 11:18:21
ComboFix-quarantined-files.txt 2008-05-09 15:18:17
ComboFix2.txt 2008-05-01 12:09:25
ComboFix3.txt 2008-04-30 19:35:48
ComboFix4.txt 2008-04-28 12:01:26
ComboFix5.txt 2008-04-26 14:52:32

Pre-Run: 89,493,057,536 bytes free
Post-Run: 89,860,702,208 bytes free

167 --- E O F --- 2008-04-11 20:11:19
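The CFScript in greyknight17's post names one file and one registry key, and the only way to know whether the run took is to compare the "Reg Loading Points" section of the log posted before it with the one posted after. The Python below is an added example, not code from this thread, from ComboFix or from greyknight17: it parses that section out of two ComboFix logs, diffs the autostart keys, and reports every CFScript target the post-run log still lists. The CFScript and the two log excerpts are constructed from lines quoted in this thread, and the function names are the example's own. One detail worth having in such a check: a post-run log echoes the script it was given ("FILE ::" followed by the path), so a naive substring search would report the file as present even after a successful deletion; the example therefore only trusts paths that appear in directory-listing lines or in loading-point values. Run on the two excerpts it reports both the BHO key and cabine.dll as still present, which is what the follow-up log in this thread shows.

```python
"""Diff the "Reg Loading Points" section of two ComboFix logs and check whether
the targets of a CFScript still show up in the post-run log (added example)."""
import re

HEADER_RE = re.compile(r"^\(+ Reg Loading Points \)+$")
KEY_RE = re.compile(r"^\[([^\]]+)\]$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]+')
# listing lines look like "2008-04-25 09:10 . 2008-04-25 09:10 15,544 --a------ C:\..."
LISTING_RE = re.compile(r"^[-+ ]?\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?\s")

def parse_loading_points(log_text):
    """Map each registry key listed in the section to its value lines."""
    entries, current, in_section = {}, None, False
    for line in (l.rstrip() for l in log_text.splitlines()):
        if not in_section:
            in_section = bool(HEADER_RE.match(line))
        elif line.startswith("****"):      # separator that closes the section
            break
        elif not line or line == ".":
            current = None
        elif KEY_RE.match(line):
            current = KEY_RE.match(line).group(1)
            entries.setdefault(current, [])
        elif current is not None:          # value line belonging to the open key
            entries[current].append(line)
    return entries

def diff_loading_points(before_log, after_log):
    """Autostart keys removed, added or changed between two logs of one machine."""
    b, a = parse_loading_points(before_log), parse_loading_points(after_log)
    return {"removed": sorted(set(b) - set(a)),
            "added": sorted(set(a) - set(b)),
            "changed": sorted(k for k in set(a) & set(b) if a[k] != b[k])}

def parse_cfscript(script_text):
    """Files and '[-key]' deletions named in a CFScript.txt body."""
    files, delete_keys, section = [], [], None
    for line in (l.strip() for l in script_text.splitlines() if l.strip()):
        if line.endswith("::"):
            section = line[:-2].lower()
        elif section == "file":
            files.append(line)
        elif section == "registry" and line.startswith("[-") and line.endswith("]"):
            delete_keys.append(line[2:-1])
    return {"files": files, "delete_keys": delete_keys}

def listed_paths(log_text):
    """Paths ComboFix itself reported (directory listings and loading-point values).
    The 'FILE ::' echo of the script at the top of a post-run log is neither, so a
    deleted file cannot look present just because the script named it."""
    paths = set()
    for line in log_text.splitlines():
        if LISTING_RE.match(line) and PATH_RE.search(line):
            paths.add(PATH_RE.search(line).group(0).strip().lower())
    for values in parse_loading_points(log_text).values():
        for v in values:
            paths.update(p.strip().lower() for p in PATH_RE.findall(v))
    return paths

def unresolved_targets(script_text, after_log):
    """CFScript targets the post-run log still lists, i.e. the fix did not take."""
    t = parse_cfscript(script_text)
    entries, paths = parse_loading_points(after_log), listed_paths(after_log)
    return ([("key", k) for k in t["delete_keys"] if k in entries]
            + [("file", f) for f in t["files"] if f.lower() in paths])

# Constructed excerpts of the CFScript and the two logs quoted in this thread.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\cabine.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
"""
BEFORE_LOG = r"""(((((((( Reg Loading Points ))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
C:\WINDOWS\system32\cabine.dll
.
****************
"""
AFTER_LOG = r"""FILE ::
C:\WINDOWS\system32\cabine.dll
(((((((( Files Created from 2008-04-09 to 2008-05-09 ))))))))
2008-04-25 09:10 . 2008-04-25 09:10 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
(((((((( Reg Loading Points ))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{886483EE-B131-49A1-9065-5DA757F1C32F}]
C:\WINDOWS\system32\cabine.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
.
****************
"""

if __name__ == "__main__":
    print("changed autostarts:", diff_loading_points(BEFORE_LOG, AFTER_LOG))
    print("still present after CFScript:", unresolved_targets(CFSCRIPT, AFTER_LOG))
```

On a real case, read the two posted logs from disk and pass their text in place of the constructed excerpts; an empty result from `unresolved_targets` is the signal that the targets are gone from both the autostart section and the file listings, while a non-empty one means the helper's next step is needed rather than a declaration of "clean".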
greyknight17



Joined: Feb 03, 2003
Posts: 4864

Location: Brooklyn, NY

PostPosted: Sun May 11, 2008 6:55 pm