GeekPolice
System Security 2009

Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 6:42 pm

ComboFix 09-06-13.01 - Owner 06/13/2009 14:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.504.166 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall 9.1.0.38 *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-13 17:32 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 17:32 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 00:59 . 2003-04-10 10:53 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\interMute
2009-06-12 00:59 . 2003-04-10 10:49 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\Sonic
2009-06-12 00:58 . 2009-06-13 14:45 -------- d-----w- c:\documents and settings\Administrator.SHAMMY
2009-06-11 23:54 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-11 23:54 . 2009-06-13 14:45 -------- d-----w- c:\program files\Spyware Doctor
2009-06-10 22:54 . 2009-06-10 22:54 -------- d-----w- C:\qrnt
2009-06-10 22:54 . 2009-06-10 22:54 -------- d-----w- C:\CA
2009-06-08 20:18 . 2009-06-08 20:18 -------- d-----w- c:\windows\Windows Update Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 18:26 . 2008-03-21 00:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-13 18:22 . 2007-11-24 22:51 70380 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-06-13 14:46 . 2009-06-13 14:46 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\Symantec
2009-06-13 14:46 . 2009-06-13 14:46 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\SampleView
2009-06-13 14:46 . 2009-06-13 14:46 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\InterTrust
2009-06-13 14:45 . 2009-06-13 14:45 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-13 14:45 . 2009-06-13 14:45 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-06-13 14:45 . 2009-06-13 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-09 19:27 . 2005-12-25 14:04 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2009-05-07 15:44 . 2008-11-15 15:09 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-06-18 03:49 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2008-11-15 15:09 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-10-16 21:18 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-19 22:58 . 2009-03-14 22:57 225 ----a-w- c:\windows\PowerReg.dat
2009-03-15 22:07 . 2009-03-15 22:07 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2007-10-29 23:26 . 2007-10-29 23:27 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 22:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
"Simple Star PhotoShow Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2006-01-13 233472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"mSpotAlltelRemix"="c:\program files\Alltel Jump Music\Remix\msptcmd.exe" [2008-06-05 1531904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-02 77887]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-05 180269]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-11 136600]
"CAVRID"="c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-08-20 230664]
"SSP Notifier"="c:\program files\Fisher-Price\FP3 Player\sspnotifier.exe" [2006-07-12 20480]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-3-14 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2004-11-28 172032]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-9-20 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 19:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:websrvx
"8085:TCP"= 8085:TCP:podmena

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [7/24/2007 6:00 PM 92176]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [5/18/2007 3:30 PM 61960]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [5/18/2007 3:30 PM 45064]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [7/24/2007 6:00 PM 114704]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [7/24/2007 6:00 PM 134160]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [5/18/2007 3:30 PM 63496]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [7/24/2007 6:00 PM 1034768]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [7/24/2007 6:37 PM 813840]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [5/18/2007 3:30 PM 275976]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [5/18/2007 3:30 PM 89096]
S2 mrtRate;mrtRate; [x]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-_Windows - c:\windows\WinSecurity\services.exe
HKLM-Run-Reminder - c:\windows\Creator\Remind_XP.exe
HKLM-Run-eTrustPPAP - c:\program files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
HKLM-Run-cctray - c:\documents and settings\all users\_qbothome\_qbotinj.exe
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: plexonline.com\www
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-13 14:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(408)
c:\program files\Softex\OmniPass\opxpgina.dll
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(464)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(1924)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Softex\OmniPass\omniServ.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\windows\system32\CF11272.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-06-13 14:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 18:37

Pre-Run: 88,169,947,136 bytes free
Post-Run: 88,692,457,472 bytes free

221 --- E O F --- 2009-06-12 01:48


Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 6:43 pm

Is there anything else I need to do?


Re: System Security 2009

Post by Belahzur on Sat Jun 13, 2009 7:00 pm

Hello.
Please try to uninstall the Java/Ask Toolbar I listed earlier and see if they will go now.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe

Folder::
c:\program files\AskBarDis

Driver::
PCDRDRV

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"=-
"8085:TCP"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

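The Registry:: block in the script above was derived from the firewall entries in the first ComboFix log in this thread (the 53:TCP:websrvx and 8085:TCP:podmena values). As an added Python example that is not from the forum thread or from ComboFix itself, the following parses those "Reg Loading Points" sections, reports the disabled firewall and the Security Center overrides, and drafts the same removal block; SAMPLE_LOG is a constructed excerpt and EXPECTED_PORTS is an assumed allowlist.

```python
"""Triage the firewall and Security Center entries ComboFix prints under
"Reg Loading Points" and draft the CFScript Registry:: block that removes
unexpected GloballyOpenPorts values (the '"name"=-' form used in the thread)."""
import re

# Constructed excerpt modelled on the first ComboFix log in this thread; the
# 3389/TCP line is an added benign entry (not from the log) so the filter has
# something to keep.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:websrvx
"8085:TCP"= 8085:TCP:podmena
"3389:TCP"= 3389:TCP:Remote Desktop
"""

PROFILE_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
OPEN_PORTS_KEY = PROFILE_KEY + r"\GloballyOpenPorts\List"
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"

# Ports the analyst has confirmed the owner actually uses (assumption for this
# example); every other globally open port is reported for review.
EXPECTED_PORTS = {("3389", "TCP")}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_sections(text):
    """Parse REGEDIT4-style blocks into {section: {value_name: raw_value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            sections[current][val.group(1)] = val.group(2).strip()
    return sections


def dword_is_set(raw):
    """True for 'dword:0000000N' style values that are non-zero."""
    return raw.lower().startswith("dword:") and int(raw.split(":", 1)[1], 16) != 0


def unexpected_open_ports(sections):
    """[(value_name, port, proto, label)] for globally open ports not in EXPECTED_PORTS.
    ComboFix renders each value as port:proto:label, so split at most twice."""
    found = []
    for name, raw in sections.get(OPEN_PORTS_KEY, {}).items():
        parts = raw.split(":", 2)
        if len(parts) != 3:
            continue
        port, proto, label = parts
        if (port, proto.upper()) not in EXPECTED_PORTS:
            found.append((name, port, proto, label))
    return found


def security_findings(sections):
    """Human-readable findings: firewall off, Security Center override / monitoring disabled."""
    findings = []
    if sections.get(PROFILE_KEY, {}).get("EnableFirewall", "").startswith("0"):
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    for sec, values in sections.items():
        if not sec.lower().startswith(SECURITY_CENTER):
            continue
        for name, raw in values.items():
            if name in ("AntiVirusOverride", "DisableMonitoring") and dword_is_set(raw):
                findings.append(f"Security Center {name}=1 under [{sec}]")
    return findings


def cfscript_registry_block(sections):
    """Draft a Registry:: section deleting each unexpected port value ('"name"=-')."""
    ports = unexpected_open_ports(sections)
    if not ports:
        return ""
    lines = ["Registry::", f"[{OPEN_PORTS_KEY}]"]
    lines += [f'"{name}"=-' for name, _port, _proto, _label in ports]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_LOG)
    for finding in security_findings(parsed):
        print("FINDING:", finding)
    for name, port, proto, label in unexpected_open_ports(parsed):
        print(f"REVIEW: {port}/{proto} open globally, labelled '{label}'")
    print(cfscript_registry_block(parsed), end="")
```

Run against the sample, the drafted block matches the two `"53:TCP"=-` / `"8085:TCP"=-` lines in the script above; the ports themselves still need a human decision before anything is removed.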

Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 8:22 pm

Ask Toolbar is gone and I am going to run ComboFix again.


Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 8:57 pm

ComboFix 09-06-13.01 - Owner 06/13/2009 16:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.504.132 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall 9.1.0.38 *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

FILE ::
"c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PCDRDRV


((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-13 17:32 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 17:32 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 00:59 . 2003-04-10 10:53 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\interMute
2009-06-12 00:59 . 2003-04-10 10:49 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\Sonic
2009-06-12 00:58 . 2009-06-13 14:45 -------- d-----w- c:\documents and settings\Administrator.SHAMMY
2009-06-11 23:54 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-11 23:54 . 2009-06-13 14:45 -------- d-----w- c:\program files\Spyware Doctor
2009-06-10 22:54 . 2009-06-10 22:54 -------- d-----w- C:\qrnt
2009-06-10 22:54 . 2009-06-10 22:54 -------- d-----w- C:\CA
2009-06-08 20:18 . 2009-06-08 20:18 -------- d-----w- c:\windows\Windows Update Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 20:42 . 2008-03-21 00:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-13 20:38 . 2007-11-24 22:51 70380 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-06-13 20:38 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-06-13 20:38 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-06-13 20:38 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-06-13 20:38 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-06-13 20:38 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-06-13 20:38 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-06-13 20:38 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-06-13 14:46 . 2009-06-13 14:46 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\Symantec
2009-06-13 14:46 . 2009-06-13 14:46 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\SampleView
2009-06-13 14:46 . 2009-06-13 14:46 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\InterTrust
2009-06-13 14:45 . 2009-06-13 14:45 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-13 14:45 . 2009-06-13 14:45 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-06-13 14:45 . 2009-06-13 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-09 19:27 . 2005-12-25 14:04 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2009-05-07 15:44 . 2008-11-15 15:09 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-06-18 03:49 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2008-11-15 15:09 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-10-16 21:18 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-19 22:58 . 2009-03-14 22:57 225 ----a-w- c:\windows\PowerReg.dat
2009-03-15 22:07 . 2009-03-15 22:07 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2007-10-29 23:26 . 2007-10-29 23:27 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-13 20:39 . 2009-06-13 20:39 16384 c:\windows\Temp\Perflib_Perfdata_51c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
"Simple Star PhotoShow Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2006-01-13 233472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"mSpotAlltelRemix"="c:\program files\Alltel Jump Music\Remix\msptcmd.exe" [2008-06-05 1531904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-02 77887]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-05 180269]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-11 136600]
"CAVRID"="c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-08-20 230664]
"SSP Notifier"="c:\program files\Fisher-Price\FP3 Player\sspnotifier.exe" [2006-07-12 20480]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2004-11-28 172032]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-9-20 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 19:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [7/24/2007 6:00 PM 92176]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [5/18/2007 3:30 PM 61960]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [5/18/2007 3:30 PM 45064]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [7/24/2007 6:00 PM 114704]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [7/24/2007 6:00 PM 134160]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [5/18/2007 3:30 PM 63496]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [7/24/2007 6:00 PM 1034768]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [7/24/2007 6:37 PM 813840]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [5/18/2007 3:30 PM 275976]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [5/18/2007 3:30 PM 89096]
S2 mrtRate;mrtRate; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: plexonline.com\www
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-13 16:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(404)
c:\program files\Softex\OmniPass\opxpgina.dll
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(460)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3708)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Softex\OmniPass\omniServ.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-06-13 16:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 20:54
ComboFix2.txt 2009-06-13 18:38

Pre-Run: 88,930,869,248 bytes free
Post-Run: 88,910,385,152 bytes free

213 --- E O F --- 2009-06-12 01:48


Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 8:58 pm

Here is the last ComboFix; is there anything else I need to do?


Re: System Security 2009

Post by Origin on Sat Jun 13, 2009 9:24 pm

Can you run Malwarebytes and post all contents of the log, please?


Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 9:31 pm

Will do.


Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 10:20 pm

Malwarebytes' Anti-Malware 1.37
Database version: 2271
Windows 5.1.2600 Service Pack 2

6/13/2009 6:18:41 PM
mbam-log-2009-06-13 (18-18-41).txt

Scan type: Quick Scan
Objects scanned: 97753
Time elapsed: 13 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 10:21 pm

Looks like nothing showed up as infected this time.


Re: System Security 2009

Post by Belahzur on Sat Jun 13, 2009 10:25 pm

Yep.
I'd say we're done here.

How's the machine running?


Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 10:28 pm

It appears to be running fine, but have not really used many programs yet. Should I leave MBAM and IceSword installed?


Re: System Security 2009

Post by Belahzur on Sat Jun 13, 2009 10:33 pm

Leave MBAM, that's a good scanner.
Delete IceSword, too powerful if used incorrectly.


Re: System Security 2009

Post by djanddanny on Sat Jun 13, 2009 10:37 pm

I can't thank you enough for all of the help. SafeMode with MBAM was the ticket for this darn thing...


Re: System Security 2009

Post by RipleyNL on Sat Jun 13, 2009 10:39 pm

Maybe there should be a sticky for how to remove System Security, it looks like there are lots of people who got this thing recently.


Re: System Security 2009

Post by Belahzur on Sat Jun 13, 2009 10:40 pm

Maybe, maybe not.
MBAM can deal with it, but it's getting MBAM to run properly that's the problem.

IceSword is effective, but too powerful.
