can I delete System Security from XP system

Page 2 of 3 Previous  1, 2, 3  Next

View previous topic View next topic Go down

Re: can I delete System Security from XP system

Post by Belahzur on 16th June 2009, 1:50 pm

Please turn caps lock off, it's very hard to read and considered shouting.
I didn't know you were running it on 2000, and I didn't ask you to run it on 2000.

a) Combofix isn't made for 2000
b) Combofix IS dangerous if your going to use it without telling me.

We have other tools besides Combofix, like MBAM.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 16th June 2009, 2:38 pm

you know, I already installed MBAM in my working pc. But it can't be started. what can I do now? thanks

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 16th June 2009, 2:51 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

The log will be quite big, so please upload it to rapidshare.com for me to see.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 16th June 2009, 3:23 pm

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-16 11:23:04
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 84AB67FE ZwEnumerateKey
Code 8495416E ZwFlushInstructionCache
Code 845D11ED IofCallDriver
Code 847C552D IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EEF9C 5 Bytes JMP 845D11F2
.text ntkrnlpa.exe!IofCompleteRequest 804EF02C 5 Bytes JMP 847C5532
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B51D2 5 Bytes JMP 84954172
PAGE ntkrnlpa.exe!ZwEnumerateKey 806228DE 5 Bytes JMP 84AB6802

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[188] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08B2000A
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[188] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08C4000A
.text C:\WINDOWS\RTHDCPL.EXE[236] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 09BC000A
.text C:\WINDOWS\RTHDCPL.EXE[236] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 09BD000A
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[252] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08B1000A
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[252] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08B2000A
.text C:\Program Files\CA\eTrustITM\realmon.exe[264] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08CC000A
.text C:\WINDOWS\system32\ctfmon.exe[292] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 089D000A
.text C:\WINDOWS\system32\ctfmon.exe[292] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08AF000A
.text C:\Acer\LANScope Agent\awServ.exe[300] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0195000A
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[312] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08B3000A
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[312] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08C5000A
.text C:\WINDOWS\system32\sistray.exe[320] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08BA000A
.text C:\WINDOWS\system32\sistray.exe[320] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08BB000A
.text C:\Program Files\Outlook Express\msimn.exe[328] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A6000A
.text C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe[544] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B3000A
.text C:\Program Files\CA\eTrustITM\InoRpc.exe[556] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A3000A
.text C:\Program Files\CA\eTrustITM\InoRT.exe[604] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B3000A
.text ...
.text C:\WINDOWS\system32\winlogon.exe[772] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0072000A
.text C:\WINDOWS\system32\winlogon.exe[772] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0074000A
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0086000A
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0097000A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1096] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009F000A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1096] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A0000A
.text C:\Acer\LANScope Agent\LockKM.exe[1500] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0117000A
.text C:\Acer\LANScope Agent\LockKM.exe[1500] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0118000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1596] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0084000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1596] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B6000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WININET.dll!HttpAddRequestHeadersA 771C411E 5 Bytes JMP 00C2000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WININET.dll!HttpAddRequestHeadersW 771CEF65 5 Bytes JMP 00CD000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00CEF9F0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00CF08A0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!send 71AB428A 5 Bytes JMP 00CF0780 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 16th June 2009, 3:24 pm

.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00CEFDA0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1868] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00CF0A60 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\WINDOWS\System32\alg.exe[2772] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0084000A
.text C:\WINDOWS\System32\alg.exe[2772] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0085000A
.text C:\Program Files\Messenger\msmsgs.exe[3188] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A8000A
.text C:\Program Files\Messenger\msmsgs.exe[3188] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08B6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WININET.dll!HttpAddRequestHeadersA 771C411E 5 Bytes JMP 08C1000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WININET.dll!HttpAddRequestHeadersW 771CEF65 5 Bytes JMP 08CC000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 08CDF9F0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!connect 71AB406A 5 Bytes JMP 08CE08A0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!send 71AB428A 5 Bytes JMP 08CE0780 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 08CDFDA0 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3424] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 08CE0A60 \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll
.text C:\ud4ombv0.exe[3852] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 08AC000A
.text C:\ud4ombv0.exe[3852] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 08BE000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Ntfs \Ntfs ino_flpy.sys (CA eTrust Antivirus/InoculateIT File System Mounting Filter Driver for Windows 2000/XP/2003/Vista/Computer Associates)
AttachedDevice \Driver\Tcpip \Device\Ip netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Ip netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
AttachedDevice \Driver\Tcpip \Device\Tcp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Tcp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACagxmmepxxuskbpr.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [992] 0x01420000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1136] 0x00A10000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1252] 0x00A10000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1372] 0x00A10000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1868] 0x00CE0000
Library \\?\globalroot\systemroot\system32\UACfkeafpcclvbnabb.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3424] 0x08CD0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETpwmdtgbw.sys (*** hidden *** ) [SYSTEM] SKYNETjbgsilxt <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 16th June 2009, 3:27 pm

Sorry, I don't know how to use rapidshare.com. so I copy & past here for you. Thanks

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 16th June 2009, 4:08 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to disable:
SKYNETjbgsilxt
UACd.sys

Drivers to delete:
SKYNETjbgsilxt
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\SKYNETpwmdtgbw.sys
C:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys
C:\WINDOWS\system32\UACagxmmepxxuskbpr.dll
C:\WINDOWS\system32\UACfkeafpcclvbnabb.dll
C:\ud4ombv0.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 16th June 2009, 4:35 pm

once again, the download is stopped by my server. I have to go back to home & download it to my USB. I will come back tomorrow if this is only tools I can download now. thanks

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 12:33 am

I just start a new topic for my personal laptop. please check technicla & support forums. the subject is add/remove program in win2000. could you help me to fix it. thanks

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 12:22 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Disablement of driver "SKYNETjbgsilxt" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Disablement of driver "UACd.sys" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "SKYNETjbgsilxt" deleted successfully.
Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\SKYNETpwmdtgbw.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys" deleted successfully.
File "C:\WINDOWS\system32\UACagxmmepxxuskbpr.dll" deleted successfully.
File "C:\WINDOWS\system32\UACfkeafpcclvbnabb.dll" deleted successfully.
File "C:\ud4ombv0.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 17th June 2009, 12:43 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 12:45 pm

It seems my machine is fixed. I can print now & no error appear when I start. I can run Malwarebytes' Anti-Malware. Please check the following report from Malwarebytes' Anti-Malware. Thanks

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 12:45 pm

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 2

6/17/2009 8:37:11 AM
mbam-log-2009-06-17 (08-37-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 137602
Time elapsed: 9 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\USER1\local settings\Temp\nsxremacwo.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\USER1\local settings\Temp\prun.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\USER1\local settings\Temp\UAC62d7.tmp (Trojan.FakeAV) -> No action taken.
c:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
c:\WINDOWS\system32\UACbnevdlmrmbfoewm.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\system32\UACfkeafpcclvbnabb.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\system32\UACtsqwefftvpfhtie.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACagxmmepxxuskbpr.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACfnoearmycrrxdkp.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACwygrsbfjecxnrgl.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys (Trojan.Agent) -> No action taken.

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 17th June 2009, 12:59 pm

Hello.
Please update the MBAM database (go into the update tab, and check for updates), re-scan, and remove everything found.
Post the newest log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 1:23 pm

Malwarebytes' Anti-Malware 1.37
Database version: 2295
Windows 5.1.2600 Service Pack 2

6/17/2009 9:19:12 AM
mbam-log-2009-06-17 (09-19-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 143211
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\10501094\10501094.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\Desktop\avenger.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\axwrcnoems.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\dailybucks_install.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\nsxremacwo.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\USER1\local settings\Temp\UAC62d7.tmp (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACagxmmepxxuskbpr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACbnevdlmrmbfoewm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACfkeafpcclvbnabb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACfnoearmycrrxdkp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtsqwefftvpfhtie.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACwygrsbfjecxnrgl.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACrqpxufxhpmpuyyd.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 1:41 pm

I run it again. I got a clean report as follows.

alwarebytes' Anti-Malware 1.37
Database version: 2295
Windows 5.1.2600 Service Pack 2

6/17/2009 9:34:14 AM
mbam-log-2009-06-17 (09-34-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 143049
Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 1:43 pm

Is my system clean now? What's next I have to do? By the way, I have to uninstall Malwarebytes' Anti-Malware from my working pc after it is complete clean. Do I need do anything before uninstallation? Thanks.

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Origin on 17th June 2009, 2:00 pm

Lets make sure there are no any left overs:
[You must be registered and logged in to see this link.]

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..


Last edited by Origin on 17th June 2009, 2:11 pm; edited 1 time in total


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31533
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 2:05 pm

can not connect to server. shows me Page cannot be displayed. Any other address I can download?

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 17th June 2009, 2:07 pm

Hello.
I want a DDS log to make sure the rootkit files are gone.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.a
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 2:16 pm

thanks. my server stopped me to download it. Anyont I can download instead or I have to download from my personal laptop at home tonight? Thanks

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 17th June 2009, 2:21 pm

Okay. No rush though, this should be fine, all looks good as of right now. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 2:27 pm

Ok. I will download tonight & come back to you tomorrow morning. Thank you very much for your great help.

Have a wonderful day!

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 17th June 2009, 2:55 pm

need urgent help. I use google at IE6.0 brower. google listed what I checked. But the shows me as follows when I click some links. (some links are ok)

ERROR
INVALID SYNTAX
INVALID SYNTAX

I didn't have the similar problem before. Could you help me for this? Thanks

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 17th June 2009, 5:03 pm

Hmm, could be malware related still. I'll wait to see the DDS log before doing anything else.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by mizzou13 on 17th June 2009, 8:00 pm

I started reading this thread and I was able to follow your steps and use the icesword to delete the 2 numbers you spoke of. It seems to have solved my problem, no more pop ups or black screen. Is there anything else I need to do to make sure its gone and wont be returning. Thanks

mizzou13
Novice
Novice

Posts Posts : 9
Joined Joined : 2009-06-17
OS OS : windows
Points Points : 27349
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by mizzou13 on 17th June 2009, 8:14 pm

-

mizzou13
Novice
Novice

Posts Posts : 9
Joined Joined : 2009-06-17
OS OS : windows
Points Points : 27349
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 18th June 2009, 12:16 pm

DDS (Ver_09-05-14.01) - NTFSx86
Run by USER1 at 8:12:43.92 on Thu 06/18/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.454 [GMT -4:00]

AV: eTrust ITM *On-access scanning enabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\LANScope Agent\awtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\USER1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [EPSON Stylus CX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticaa.exe /fu "c:\docume~1\user1\locals~1\temp\E_SC.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [installnet.exe] "c:\acer\lanscope agent\installnet.exe" "c:\acer\lanscope agent\
mRun: [AdminWorks Tray] "c:\acer\lanscope agent\awtray.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
StartupFolder: c:\docume~1\user1\startm~1\programs\startup\outloo~1.lnk - c:\program files\outlook express\msimn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
TCP: {BCED07BB-62BB-4239-B92A-9380A4066C90} = 204.50.251.17,201.107.254.9
TCP: {CFA6B775-0E90-4FFF-BC04-A6B99288DB53} = 204.50.251.17,201.107.254.9

============= SERVICES / DRIVERS ===============

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-8-27 26768]
R2 AWService;AdminWorks Agent X6;c:\acer\lanscope agent\awServ.exe [2007-4-26 75032]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-3 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-5-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-6-12 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-9 10944]

=============== Created Last 30 ================

2009-06-17 08:26 --d----- c:\docume~1\user1\applic~1\Malwarebytes
2009-06-15 15:11 2,850 a------- c:\windows\system32\tmp.reg
2009-06-15 15:09 --d----- C:\SmitfraudFix
2009-06-15 12:24 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 12:24 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 12:24 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 12:24 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-12 13:23 3,976,714 a------- c:\windows\system32\uactmp.db
2009-06-12 13:09 --d----- c:\docume~1\alluse~1\applic~1\10501094
2009-06-12 12:55 1,110,399 a------- c:\windows\system32\UACxewkmnnmyxjkwwq.db
2009-06-12 12:55 224 a------- c:\windows\system32\UACksvjelemovbsswu.dat
2009-06-11 12:41 676,224 a------- c:\windows\system32\ogacheckcontrol.dll
2009-06-11 12:35 --d----- c:\windows\system32\PreInstall
2009-06-11 10:43 --d----- c:\windows\system32\wbem\Repository
2009-05-29 13:59 --d----- c:\docume~1\user1\applic~1\MSNInstaller

==================== Find3M ====================


============= FINISH: 8:13:50.46 ===============

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 18th June 2009, 1:27 pm

Well, there is still some malware there. We'll delete them soon, they are not thread now the main rootkit is gone.
Re-Run GMER again and post the new log, I want to see if anything else is found now.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 18th June 2009, 4:35 pm

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-18 12:34:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 845C88D8 ZwEnumerateKey
Code 84791150 ZwFlushInstructionCache
Code 8479A2A6 IofCallDriver
Code 847BAC0E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EEF9C 5 Bytes JMP 8479A2AB
.text ntkrnlpa.exe!IofCompleteRequest 804EF02C 5 Bytes JMP 847BAC13
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B51D2 5 Bytes JMP 84791154
PAGE ntkrnlpa.exe!ZwEnumerateKey 806228DE 5 Bytes JMP 845C88DC

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[772] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0065000A
.text C:\Acer\LANScope Agent\LockKM.exe[1256] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00F8000A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 007E000A
.text C:\WINDOWS\Explorer.EXE[2568] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A1000A
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Ntfs \Ntfs ino_flpy.sys (CA eTrust Antivirus/InoculateIT File System Mounting Filter Driver for Windows 2000/XP/2003/Vista/Computer Associates)
AttachedDevice \Driver\Tcpip \Device\Ip netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Ip netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
AttachedDevice \Driver\Tcpip \Device\Tcp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Tcp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)

Device \Driver\NetBT \Device\NetBT_Tcpip_{CFA6B775-0E90-4FFF-BC04-A6B99288DB53} netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
Device \Driver\NetBT \Device\NetBt_Wins_Export netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
Device \Driver\NetBT \Device\NetbiosSmb

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 18th June 2009, 4:35 pm

AttachedDevice \Driver\Tcpip \Device\Udp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Udp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
AttachedDevice \Driver\Tcpip \Device\RawIp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\RawIp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
AttachedDevice \FileSystem\Fastfat \Fat ino_fltr.sys (CA eTrust Antivirus/InoculateIT File System Filter Driver for Windows 2000/XP/2003/Vista/Computer Associates)
AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETpwmdtgbw.sys (*** hidden *** ) [SYSTEM] SKYNETjbgsilxt <-- ROOTKIT !!!
Service system32\drivers\UACcmcrjipmbmoobvc.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt@imagepath \systemroot\system32\drivers\SKYNETpwmdtgbw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpwmdtgbw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\modules@SKYNETcmd.dll \systemroot\system32\SKYNETaieabbpf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\modules@SKYNETlog.dat \systemroot\system32\SKYNETpofyabdw.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\modules@SKYNETwsp.dll \systemroot\system32\SKYNETorenemui.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjbgsilxt\modules@SKYNET.dat \systemroot\system32\SKYNETrqfaabed.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcmcrjipmbmoobvc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACcmcrjipmbmoobvc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UAClfamdturatnsesx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt@imagepath \systemroot\system32\drivers\SKYNETpwmdtgbw.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\main
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\modules
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpwmdtgbw.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\modules@SKYNETcmd.dll \systemroot\system32\SKYNETaieabbpf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\modules@SKYNETlog.dat \systemroot\system32\SKYNETpofyabdw.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\modules@SKYNETwsp.dll \systemroot\system32\SKYNETorenemui.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjbgsilxt\modules@SKYNET.dat \systemroot\system32\SKYNETrqfaabed.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 18th June 2009, 4:35 pm

Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcmcrjipmbmoobvc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACcmcrjipmbmoobvc.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UAClfamdturatnsesx.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\SKYNETpwmdtgbw.sys 67072 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\SKYNETaieabbpf.dll 43008 bytes executable
File C:\WINDOWS\system32\SKYNETjupaordb.dll 43008 bytes executable
File C:\WINDOWS\system32\SKYNETnjgrneos.dll 19968 bytes executable
File C:\WINDOWS\system32\SKYNETorenemui.dll 19968 bytes executable
File C:\WINDOWS\system32\SKYNETpofyabdw.dat 9375 bytes
File C:\WINDOWS\system32\SKYNETtyubmhil.dat 32635 bytes
File C:\WINDOWS\temp\SKYNETvrnnkbduwe.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETvrximinpqj.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETwivttrrpqu.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETwpcycicrju.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETwtixvpqxdg.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETwwkijwtsib.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETxcfultrqqy.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETxdsmwtrpib.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETxevnprpulb.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETxnsenvnfvn.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETxtpeqwmitn.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETxvnmspyriu.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETylopqefple.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETymdxweexmx.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETdeouvsbfpy.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETeecrnsidwf.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETfjwidrbvxb.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNEThysiwuymst.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETicxvporrfp.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETidwfpcbqhx.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETiqooufdtpe.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETmioimmqpik.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNEToevvfaapft.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETosnxrnmbfn.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETpheerxndvt.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETqenxrxvosm.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETsqqfpymepu.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETtimuicinpv.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETtsenmbotui.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETufemfdmxnk.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETuwmipmpecb.tmp 20992 bytes executable
File C:\WINDOWS\temp\SKYNETvftrpofypf.tmp 20992 bytes executable

---- EOF - GMER 1.0.15 ----

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 18th June 2009, 7:53 pm

Looks like we'll need Combofix for this, two rootkits is too difficult to take out going the long way round.

Do you have attach.txt from DDS? please post that log too.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

from attach.txt

Post by headache for System Secur on 18th June 2009, 8:05 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/22/2008 11:13:16 AM
System Uptime: 6/18/2009 8:07:43 AM (0 hours ago)

Motherboard: Acer | | F672CR
Processor: Intel Pentium II processor | Socket 775 | 1800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 26.895 GiB free.
D: is FIXED (FAT32) - 35 GiB total, 34.57 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP199: 6/17/2009 9:54:09 AM - Software Distribution Service 3.0

==== Installed Programs ======================

2007 Microsoft Office system
Acer eDataSecurity Management
Acer eDataSecurity Management 2.0.3084
Acer Empowering Technology
Acer ePerformance Management
Acer eSettings Management
Acer LANScope Agent
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Business Contact Manager for Outlook 2007
CA eTrustITM Agent
CA iTechnology iGateway
commercial
EPSON Printer Software
eSobi v2
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 2.0 (KB922981)
Hotfix for Microsoft .NET Framework 2.0 (KB923319)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB906569)
J2SE Runtime Environment 5.0 Update 6
LightScribe 1.4.136.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
MSN
MSXML 6.0 Parser
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
OCA Client history tool install
PowerDVD
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SiS VGA Utilities
SiSAGP driver
Spelling Dictionaries For Adobe Reader Package
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

6/17/2009 8:26:15 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
6/12/2009 1:45:02 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
6/12/2009 1:45:02 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/12/2009 1:37:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
6/12/2009 1:37:12 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 1:37:12 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 1:37:12 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 1:37:12 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/12/2009 1:36:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/12/2009 1:36:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/12/2009 1:36:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/12/2009 1:36:06 PM, error: redbook [2] - Redbook could not open the MIXER device. It may not exist, be in use, or there may be other audio problems. Redbook requires both a WDM audio driver and kernel streaming to be enabled. The audio device may have changed in an unsafe manner, been removed, or have other problems.
6/12/2009 1:29:31 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.
6/12/2009 1:28:47 PM, error: Service Control Manager [7034] - The SQL Server (MSSMLBIZ) service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 1:28:47 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 1:28:47 PM, error: Service Control Manager [7034] - The iTechnology iGateway 4.2 service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 1:28:47 PM, error: Service Control Manager [7034] - The eTrust ITM RPC Service service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 1:28:47 PM, error: Service Control Manager [7034] - The eTrust ITM Job Service service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 1:28:47 PM, error: Service Control Manager [7034] - The eTrust Antivirus Realtime Service service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 1:28:47 PM, error: Service Control Manager [7034] - The AdminWorks Agent X6 service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 1:28:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Memory Check Service service to connect.
6/12/2009 1:25:35 PM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
6/12/2009 1:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server (MSSMLBIZ) service to connect.
6/12/2009 1:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LightScribeService Direct Disc Labeling Service service to connect.
6/12/2009 1:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iTechnology iGateway 4.2 service to connect.
6/12/2009 1:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the eTrust ITM RPC Service service to connect.
6/12/2009 1:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the eTrust ITM Job Service service to connect.
6/12/2009 1:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the eTrust Antivirus Realtime Service service to connect.
6/12/2009 1:25:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AdminWorks Agent X6 service to connect.
6/12/2009 1:25:35 PM, error: Service Control Manager [7000] - The SQL Server (MSSMLBIZ) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/12/2009 1:25:35 PM, error: Service Control Manager [7000] - The iTechnology iGateway 4.2 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/12/2009 1:25:35 PM, error: Service Control Manager [7000] - The Fax service failed to start due to the following error: The pipe has been ended.
6/12/2009 1:25:35 PM, error: Service Control Manager [7000] - The eTrust Antivirus Realtime Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 18th June 2009, 8:08 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 7.0
    CA eTrustITM Agent
    CA iTechnology iGateway
    J2SE Runtime Environment 5.0 Update 6

Next,

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 18th June 2009, 8:17 pm

I can't delete those programs. They're regular program we must use.

Adobe Reader 7.0
CA eTrustITM Agent
CA iTechnology iGateway
J2SE Runtime Environment 5.0 Update 6

can we do other way?

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 18th June 2009, 8:23 pm

I know, but Adobe Reader/Java are old versions, we'll update them later.
CA isn't that good at detection, and only gets in our way, I would prefer you to use something else that's better, for example, Avira.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 18th June 2009, 8:37 pm

you know, it's working computer. I can not make changes. I knew they aren't good. But just leave them there if our fixing job is not affected

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 18th June 2009, 8:45 pm

I'm trying to make this easier for the machine and us, CA will only interfere with Combofix because Combofix has a lot of parts to it that are sometimes flagged as a "RiskTool", because some antivirus programs cannot tell the difference between good and malicious intent of the file.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 19th June 2009, 2:20 am

I see. CA was installed by company & our working PC can not use other antivirus software. I can't install CA back if I delete it. Could I try to COmbofix in safe mode? Or administrator account? I'm not sure if CA would be started in Administrator account as well. If it is, I only can try in safe mode if combofix is work in safe mode. By the way, I only have problem with IE browser when I visit some websites (not all, part of them). It's not a big problem to me. If comobofix could not run in safe mode, is it safe if we do not do any clean? Thanks for comments

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 19th June 2009, 2:24 am

By the way, I tried to run combofix after I exit CA. But combofix still warn me CA is interfere. I take risk if I still run combofix. So I stopped it. Does it casue a problem if I keep running combofix at that situation?

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 19th June 2009, 2:27 am

If combofix could run in safe mode & my XP is not installed with Recovery Console, does combofix install it in safe mode as well?

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 19th June 2009, 8:25 am

No, it can't download it in safe mode. Go to safe mode with networking, then it will be able to download it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

clean by combofix

Post by headache for System Secur on 19th June 2009, 11:32 am

I already downloaded it in my USB. I mean if I can use combofix in SAfe mode & clean the system? Thanks.

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 19th June 2009, 11:39 am

If combofix could use in safe mode & my XP is not installed with Recovery Console, does combofix install it in safe mode as well? By the way, I tried to use combofix after I exit CA in my account (admin previlige). But combofix still warn me CA is interfere. I take risk if I still run combofix. So I stopped it. Does it casue a problem if I keep running combofix at that situation?

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 19th June 2009, 12:55 pm

CA will still be found to be active, but in safe mode, it's less intrusive, so it's fine to run it in safe mode.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 19th June 2009, 4:48 pm

ComboFix 09-06-15.04 - USER1 06/19/2009 12:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.476 [GMT -4:00]
Running from: C:\Combo-Fix.exe
AV: eTrust ITM *On-access scanning enabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\SKYNETpwmdtgbw.sys
c:\windows\system32\drivers\UACcmcrjipmbmoobvc.sys
c:\windows\system32\UACksvjelemovbsswu.dat
c:\windows\system32\UAClfamdturatnsesx.dll
c:\windows\system32\drivers\SKYNETpwmdtgbw.sys
c:\windows\system32\drivers\UACcmcrjipmbmoobvc.sys
c:\windows\system32\SKYNETaieabbpf.dll
c:\windows\system32\SKYNETjupaordb.dll
c:\windows\system32\SKYNETnjgrneos.dll
c:\windows\system32\SKYNETorenemui.dll
c:\windows\system32\SKYNETpofyabdw.dat
c:\windows\system32\SKYNETtyubmhil.dat
c:\windows\system32\tmp.reg
c:\windows\system32\UAClfamdturatnsesx.dll
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_SKYNETjbgsilxt


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-18 20:34 . 2009-06-15 22:49 3027283 ----a-r- C:\Combo-Fix.exe
2009-06-17 12:26 . 2009-06-17 12:26 -------- d-----w- c:\documents and settings\USER1\Application Data\Malwarebytes
2009-06-15 19:09 . 2009-06-15 19:17 -------- d-----w- C:\SmitfraudFix
2009-06-15 19:09 . 2009-06-15 19:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 20:11 . 2009-06-12 20:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-06-12 17:09 . 2009-06-12 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\10501094
2009-06-11 16:41 . 2009-06-11 16:41 676224 ----a-w- c:\windows\system32\ogacheckcontrol.dll
2009-06-11 14:43 . 2009-06-11 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-29 17:59 . 2009-05-29 17:59 845800 ----a-w- c:\documents and settings\USER1\Application Data\MSNInstaller\msnauins.exe
2009-05-29 17:59 . 2009-05-29 17:59 -------- d-----w- c:\documents and settings\USER1\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 14:18 . 2007-09-29 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2008-02-08 407368]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2007-08-03 53248]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\USER1\Start Menu\Programs\Startup\
Outlook Express.lnk - c:\program files\Outlook Express\msimn.exe [2004-8-4 60416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-5-22 262144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk
backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\OLRSubmission\\OLRSubmission.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [4/14/2006 1:07 PM 28933976]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [5/30/2007 6:30 PM 14616]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-installnet.exe - c:\acer\LANScope Agent\Installnet.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {BCED07BB-62BB-4239-B92A-9380A4066C90} = 204.50.251.17,201.107.254.9
TCP: {CFA6B775-0E90-4FFF-BC04-A6B99288DB53} = 204.50.251.17,201.107.254.9
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-19 12:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3364)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\CA\SharedComponents\iTechnology\igateway.exe
c:\program files\CA\eTrustITM\InoRPC.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\eTrustITM\InoTask.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\LANScope Agent\lockkm.exe
c:\windows\system32\wscntfy.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-06-19 12:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 16:45

Pre-Run: 28,853,694,464 bytes free
Post-Run: 29,002,002,432 bytes free

150

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 19th June 2009, 4:56 pm

Hello.
This looks so much better now.

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\documents and settings\All Users\Application Data\10501094

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by headache for System Secur on 19th June 2009, 5:26 pm

ComboFix 09-06-15.04 - USER1 06/19/2009 13:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.486 [GMT -4:00]
Running from: c:\documents and settings\USER1\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\USER1\Desktop\CFScript.txt
AV: eTrust ITM *On-access scanning enabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\10501094
c:\documents and settings\All Users\Application Data\10501094\10501094.glu
c:\documents and settings\All Users\Application Data\10501094\pc10501094cnf
c:\documents and settings\All Users\Application Data\10501094\pc10501094ins
c:\documents and settings\All Users\Application Data\10501094\pc10501094reg

.
((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-18 20:34 . 2009-06-15 22:49 3027283 ----a-r- C:\Combo-Fix.exe
2009-06-17 12:26 . 2009-06-17 12:26 -------- d-----w- c:\documents and settings\USER1\Application Data\Malwarebytes
2009-06-15 19:09 . 2009-06-15 19:17 -------- d-----w- C:\SmitfraudFix
2009-06-15 19:09 . 2009-06-15 19:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 20:11 . 2009-06-12 20:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-06-11 16:41 . 2009-06-11 16:41 676224 ----a-w- c:\windows\system32\ogacheckcontrol.dll
2009-06-11 14:43 . 2009-06-11 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-29 17:59 . 2009-05-29 17:59 845800 ----a-w- c:\documents and settings\USER1\Application Data\MSNInstaller\msnauins.exe
2009-05-29 17:59 . 2009-05-29 17:59 -------- d-----w- c:\documents and settings\USER1\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 14:18 . 2007-09-29 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2008-02-08 407368]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2007-08-03 53248]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\USER1\Start Menu\Programs\Startup\
Outlook Express.lnk - c:\program files\Outlook Express\msimn.exe [2004-8-4 60416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-5-22 262144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk
backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\OLRSubmission\\OLRSubmission.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [4/14/2006 1:07 PM 28933976]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [5/30/2007 6:30 PM 14616]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {BCED07BB-62BB-4239-B92A-9380A4066C90} = 204.50.251.17,201.107.254.9
TCP: {CFA6B775-0E90-4FFF-BC04-A6B99288DB53} = 204.50.251.17,201.107.254.9
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-19 13:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-19 13:20
ComboFix-quarantined-files.txt 2009-06-19 17:20
ComboFix2.txt 2009-06-19 16:45

Pre-Run: 29,011,312,640 bytes free
Post-Run: 28,963,586,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

122

headache for System Secur
Intermediate
Intermediate

Posts Posts : 101
Joined Joined : 2009-06-13
OS OS : xp
Points Points : 27685
# Likes # Likes : 0

View user profile

Back to top Go down

Re: can I delete System Security from XP system

Post by Belahzur on 19th June 2009, 5:28 pm

Okay, this should be fine now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Page 2 of 3 Previous  1, 2, 3  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum