system security.


Post by andrewvanderhevel on Sat Jun 13, 2009 10:10 pm

Hello, my computer is not allowing me to open most programs, such as HijackThis and Spybot. I can't even open Task Manager, as it gives me errors every time. An antivirus program called System Security opens whenever I turn on my PC; it scans and tells me I have viruses and have to buy their software. It won't let me use System Restore or anything. Internet Explorer works but Firefox will not.
Thanks for your time.

andrewvanderhevel
Intermediate
Posts: 129
Joined: 2008-12-29
Gender: Male
OS: windows 7
Points: 29810
Likes: 0

Re: system security.

Post by Belahzur on Sat Jun 13, 2009 10:25 pm

Hello.

Please download Ice Sword from [You must be registered and logged in to see this link.]

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. IceSword will rename itself when opened, so let me know if it stays open when run.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1

Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 10:25 pm

Also, I have tried going into Safe Mode, but it doesn't allow me to use my arrow keys to select Safe Mode, so I just sit there.


Re: system security.

Post by Belahzur on Sat Jun 13, 2009 10:26 pm

I think we posted at the same time.
See my above post.



Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 10:26 pm

I downloaded it and it says it's infected, so I can't open it.


Re: system security.

Post by Belahzur on Sat Jun 13, 2009 10:28 pm

Can't extract it?

Let me know and I'll upload the exe file by itself.



Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 10:30 pm

Yeah, it won't let me extract anything. I can't run most things; it says they are infected. I can't even open Task Manager.


Re: system security.

Post by Belahzur on Sat Jun 13, 2009 10:32 pm

Okay, uploaded a copy for you.

[You must be registered and logged in to see this link.]



Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 10:35 pm

It told me it was infected. I'm a sad boy.


Re: system security.

Post by Belahzur on Sat Jun 13, 2009 10:38 pm

Can you do the following in Safe Mode with Networking? (As the computer is booting, press and hold your "F8" key, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck-key message. If this occurs, instead of pressing and holding the "F8" key, tap the "F8" key continuously until you get the startup menu.) Once in the startup menu, select "Safe Mode with Networking", then try IceSword again.



Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 10:41 pm

I did that, but when I get to the menu I am unable to select anything; the arrow keys don't work. I'll try again, but it's happened twice.


Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 10:52 pm

I got IceSword working somehow. What do I do with it?


Re: system security.

Post by Belahzur on Sat Jun 13, 2009 11:00 pm

Knew it would work in Safe Mode.

Okay, instructions below.


  • Look in the left hand bottom of the program and press the "Registry" button
  • When the registry list opens, drag the line between the two windows so you can see which registry hive you need.
  • Next, open the HKEY_LOCAL_MACHINE, and navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • Now look in the right side pane for one or two run values that are just random numbers.
  • Once you have found the value(s), right click it and press "Delete"
  • Okay the prompt and close IceSword.



Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 11:01 pm

I terminated the process that was running, the antivirus one. What should I do from here?


Re: system security.

Post by Belahzur on Sat Jun 13, 2009 11:02 pm

I doubt this will work, but worth a shot.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 11:05 pm

OK, I did it. Should I restart the computer?


Re: system security.

Post by Belahzur on Sat Jun 13, 2009 11:11 pm

Ran MBAM? And it worked?

If so, reboot and post the log.



Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 11:38 pm

I was able to run ComboFix. Here's the log:
ComboFix 09-06-13.03 - Cesar Ramos 06/13/2009 19:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.177 [GMT -7:00]
Running from: c:\documents and settings\Cesar Ramos\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\15676774
c:\documents and settings\All Users\Application Data\95686766
c:\progra~1\COMMON~1\{B871C~1
c:\progra~1\COMMON~1\{B871C~2
c:\program files\podmena
c:\windows\mcroso~1.net
c:\windows\sks~1
c:\windows\smbols~1
c:\windows\system32\drivers\SKYNETmnmoxjxb.sys
c:\windows\system32\drivers\UACqlryurqlsrcroem.sys
c:\windows\system32\ssembl~1
c:\windows\system32\sstem3~1
c:\windows\system32\UACayehlwjspkexxlm.dll
c:\windows\system32\UACbpmxhdkjwffvxbd.dll
c:\windows\system32\UACcyxxqcupircvpyi.dll
c:\windows\system32\UACekxqepnnoevtind.dat
c:\windows\system32\UACjkjrobjyycawvvv.dll
c:\windows\system32\UACjqxaphaeslkartk.dll
c:\windows\system32\UACmloanemmhnarepi.db
c:\windows\TEMP\UACbeee.tmp
c:\documents and settings\All Users\Application Data\15676774\15676774.exe
c:\documents and settings\All Users\Application Data\15676774\15676774.glu
c:\documents and settings\All Users\Application Data\15676774\pc15676774cnf
c:\documents and settings\All Users\Application Data\15676774\pc15676774ins
c:\documents and settings\All Users\Application Data\95686766\95686766.exe
c:\documents and settings\Cesar Ramos\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\progra~1\COMMON~1\{B871C~1\system.dll
c:\progra~1\COMMON~1\{B871C~2\system.dll
c:\program files\Manson\liser.dll
c:\program files\Manson\liser.exe
c:\program files\podmena\podmena.dll
c:\program files\podmena\podmena.sys
C:\tj.vbs
c:\windows\pp10.exe
c:\windows\system32\drivers\SKYNETmnmoxjxb.sys
c:\windows\system32\SKYNETbtulxexw.dll
c:\windows\system32\SKYNETqaoylyab.dll
c:\windows\system32\SKYNETsyvdylkt.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\wintsvtr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_CORE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_PODMENA
-------\Legacy_PODMENADRV
-------\Service_podmena
-------\Service_podmenadrv
-------\Service_SKYNETkawqjntt
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-14 02:13 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-14 02:13 . 2009-06-14 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-14 02:13 . 2009-06-14 02:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 02:13 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 01:31 . 2009-06-14 01:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 21:26 . 2009-06-12 21:26 2 ---h--w- c:\windows\zaponce53290.dat
2009-06-12 21:26 . 2009-06-12 21:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-06-12 21:26 . 2009-06-12 21:26 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2009-06-12 21:25 . 2009-06-14 02:20 -------- d-sh--r- c:\program files\Manson
2009-06-10 14:01 . 2009-06-10 14:01 -------- d-sh--w- c:\documents and settings\Cesar Ramos\IECompatCache
2009-06-10 14:00 . 2009-06-10 14:00 -------- d-sh--w- c:\documents and settings\Cesar Ramos\PrivacIE
2009-06-10 13:58 . 2009-06-10 13:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-10 13:57 . 2009-06-10 13:57 -------- d-sh--w- c:\documents and settings\Cesar Ramos\IETldCache
2009-06-10 10:55 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 10:55 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 10:55 . 2009-06-10 10:56 -------- d-----w- c:\windows\ie8updates
2009-06-10 10:55 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-10 10:51 . 2009-06-10 10:54 -------- dc-h--w- c:\windows\ie8
2009-06-10 08:13 . 2009-06-10 08:13 -------- d-----w- C:\.jagex_cache_32
2009-06-01 20:34 . 2009-06-14 01:52 66560 ----a-w- c:\windows\system32\UACliopvydpuconcyd.dll
2009-06-01 12:50 . 2009-06-11 01:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 12:50 . 2009-06-11 01:00 -------- d-----w- c:\program files\Norton Security Scan
2009-06-01 09:21 . 2009-06-01 09:21 -------- d-----w- c:\windows\system32\Adobe
2009-05-30 02:05 . 2009-06-10 11:13 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Xfire
2009-05-30 02:05 . 2009-06-10 11:13 -------- d-s---w- c:\program files\Xfire
2009-05-29 22:51 . 2009-05-29 22:52 -------- d-----w- c:\program files\QuickTime
2009-05-29 18:39 . 2009-05-29 18:39 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\Yahoo
2009-05-29 18:33 . 2009-05-27 02:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-28 16:16 . 2009-05-28 16:16 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-05-28 14:37 . 2009-05-28 14:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-28 06:45 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-28 06:45 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 06:45 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 06:45 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-28 06:45 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 06:45 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 06:45 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 06:45 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 06:45 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 06:40 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-28 06:40 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-28 05:43 . 2009-06-12 10:32 34 ----a-w- c:\documents and settings\Cesar Ramos\jagex_runescape_preferences.dat
2009-05-28 02:44 . 2009-06-11 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-05-28 02:19 . 2009-05-28 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-28 02:16 . 2009-05-28 02:16 -------- d-----w- c:\program files\Messenger Plus! Live
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\acccore
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\AOL OCP
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\AOL
2009-05-28 01:56 . 2009-05-28 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-28 01:56 . 2009-06-01 23:58 -------- d-----w- c:\program files\Common Files\AOL
2009-05-28 01:50 . 2009-06-12 22:05 -------- d-----w- c:\documents and settings\Cesar Ramos\Tracing
2009-05-28 01:49 . 2009-05-28 01:49 -------- d-----w- c:\program files\Microsoft
2009-05-28 01:48 . 2009-05-28 01:48 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-28 01:48 . 2009-05-28 01:48 -------- d-----w- c:\program files\Windows Live
2009-05-28 01:45 . 2009-05-28 01:45 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-25 19:51 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-05-25 19:51 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 06:02 . 2006-03-25 02:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-02 18:48 . 2007-01-01 19:36 -------- d-----w- c:\program files\Viewpoint
2009-06-01 23:57 . 2007-02-28 20:40 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Viewpoint
2009-06-01 23:57 . 2007-01-01 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-29 22:51 . 2006-03-25 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-29 18:35 . 2006-12-19 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-29 18:35 . 2006-03-21 02:57 -------- d-----w- c:\program files\Yahoo!
2009-05-29 18:35 . 2007-06-25 02:27 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Yahoo!
2009-05-28 16:14 . 2007-07-15 12:06 -------- d--h--w- c:\docume~1\CESARR~1\APPLIC~1\ijjigame
2009-05-28 14:41 . 2006-03-21 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 01:49 . 2006-04-24 00:23 41576 ----a-w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 05:15 . 2006-06-23 19:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2002-08-29 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2002-08-29 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2005-08-03 00:46 . 2006-12-02 23:39 187904 -csha-r- c:\windows\Q2VzYXI\asappsrv.dll
2005-08-03 00:58 . 2006-12-02 23:39 293888 -csha-r- c:\windows\Q2VzYXI\command.exe
2005-07-30 00:24 . 2006-12-02 23:39 472 -csha-r- c:\windows\Q2VzYXI\kZpWsrK.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.


Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 11:38 pm

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qfrw"="c:\progra~1\COMMON~1\qfrw\qfrwm.exe" [2006-07-19 9216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2007-07-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cesar Ramos^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Cesar Ramos\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:podmena

R3 vgadrv;vgadrv;c:\windows\system32\drivers\vgadrv.sys [3/17/2006 10:04 AM 8078]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
podmena REG_MULTI_SZ podmena

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\Norton Security Scan for Cesar Ramos.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 02:04]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PaSystem - c:\program files\pasystem\pasystem.exe
HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKU-Default-Run-kell - c:\program files\Manson\liser.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Cesar Ramos\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-13 19:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETkawqjntt]
"imagepath"="\systemroot\system32\drivers\SKYNETmnmoxjxb.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACgjjgyqkjurislly.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-688789844-1060284298-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETkawqjntt]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETmnmoxjxb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\UACgjjgyqkjurislly.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2848)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\CF8045.exe
c:\progra~1\COMMON~1\qfrw\qfrwa.exe
.
**************************************************************************
.
Completion time: 2009-06-14 19:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 02:36

Pre-Run: 21,630,681,088 bytes free
Post-Run: 22,976,507,904 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

273 --- E O F --- 2009-06-10 10:56

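The IceSword instructions earlier in the thread ask the user to look in the HKLM Run key for "run values that are just random numbers", and the ComboFix log above prints the same keys in REGEDIT4 layout under "Reg Loading Points". The following is an added example, not code from the thread, IceSword or ComboFix: it parses that REGEDIT4 fragment, keeps only the two Run keys, and applies the digits-only rule to each value name and, as a generalisation, to the executable's base name. The sample input is constructed: the ctfmon, TeaTimer and QuickTime lines mirror the log, while the "15676774" value, its timestamp and size are made up for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# The two autostart keys the thread has the user inspect in IceSword.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
}

# Constructed sample in the REGEDIT4 layout ComboFix prints under "Reg Loading
# Points". The ctfmon/TeaTimer/QuickTime lines mirror the thread's log; the
# all-digit "15676774" value and its timestamp/size are constructed for the demo.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"15676774"="c:\documents and settings\All Users\Application Data\15676774\15676774.exe" [2009-06-12 77824]
'''

# One REGEDIT4 value line: "name"="data" followed by ComboFix's [date size] tag.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"')
DIGITS_ONLY = re.compile(r"^\d+$")


def parse_run_values(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {key_path: [(value_name, image_path), ...]} for the Run keys only."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Values under any other key are ignored until the next Run key header.
            current = key if key.lower() in RUN_KEYS else None
            if current is not None:
                result.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            result[current].append((m.group("name"), m.group("data")))
    return result


def flag_suspicious(run_values: Dict[str, List[Tuple[str, str]]]):
    """Apply the thread's rule (a value name that is nothing but digits) and, as a
    generalisation, the same test on the executable's base name."""
    flagged = []
    for key, values in run_values.items():
        for name, path in values:
            reasons = []
            if DIGITS_ONLY.match(name):
                reasons.append("value name is only digits")
            # Base name of the image: strip the directory, then the extension.
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if DIGITS_ONLY.match(stem):
                reasons.append("executable name is only digits")
            if reasons:
                flagged.append((key, name, path, reasons))
    return flagged


if __name__ == "__main__":
    for key, name, path, reasons in flag_suspicious(parse_run_values(SAMPLE_REG)):
        print(f"{key}\n  {name} -> {path}\n  {'; '.join(reasons)}")
```

The rule is deliberately narrow: it reproduces the single heuristic the thread gives and nothing else, so a hit is a prompt to inspect the value, not a verdict on its own.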

Re: system security.

Post by andrewvanderhevel on Sat Jun 13, 2009 11:48 pm

When I try to install MBAM and HijackThis it tells me the app failed to start: msvbvm60.dll was not found.


Re: system security.

Post by Belahzur on Sun Jun 14, 2009 12:09 am

Hello.
The error is just because you don't have the VB runtime package installed. We'll do that later, more malware to kill first.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
Viewpoint Manager Service
npggsvc
XDva011
podmena

File::
c:\windows\zaponce53290.dat
c:\windows\system32\UACliopvydpuconcyd.dll

Folder::
c:\program files\Manson
c:\program files\Viewpoint
c:\docume~1\CESARR~1\APPLIC~1\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint
c:\windows\Q2VzYXI

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETkawqjntt]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys]

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETkawqjntt]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


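The CFScript above is a list of sections (KILLALL::, Driver::, File::, Folder::, Registry::, RegLockDel::) each followed by the items to act on, and every item in it was taken from the first ComboFix log. The following is an added example, not code from the thread or from ComboFix: it parses a CFScript into its sections and cross-checks each Driver, File and Folder entry against a ComboFix log, classifying it as named in a service line, merely mentioned somewhere in the log, or absent. The sample script is the thread's own with one constructed File:: entry (example_not_in_log.dll) added to show how an unreferenced path is reported; the sample log is a constructed excerpt of the first log keeping only the lines the check needs.

```python
import re
from typing import Dict, List, Tuple

# A CFScript section header is a bare word followed by "::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# Service lines in the ComboFix log look like "S3 XDva011;XDva011;<path>".
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);")

# The thread's script, plus one constructed File:: entry that the log never
# mentions, to show how an unreferenced path is reported.
SAMPLE_SCRIPT = r'''KILLALL::

Driver::
Viewpoint Manager Service
npggsvc
XDva011
podmena

File::
c:\windows\zaponce53290.dat
c:\windows\system32\UACliopvydpuconcyd.dll
c:\windows\system32\example_not_in_log.dll

Folder::
c:\program files\Manson
c:\program files\Viewpoint
c:\docume~1\CESARR~1\APPLIC~1\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint
c:\windows\Q2VzYXI

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
'''

# Constructed excerpt of the first ComboFix log: files created, Find3M entries,
# service lines and the svchost group line, nothing else.
SAMPLE_LOG = r'''2009-06-12 21:26 . 2009-06-12 21:26 2 ---h--w- c:\windows\zaponce53290.dat
2009-06-12 21:25 . 2009-06-14 02:20 -------- d-sh--r- c:\program files\Manson
2009-06-01 20:34 . 2009-06-14 01:52 66560 ----a-w- c:\windows\system32\UACliopvydpuconcyd.dll
2009-06-02 18:48 . 2007-01-01 19:36 -------- d-----w- c:\program files\Viewpoint
2009-06-01 23:57 . 2007-02-28 20:40 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Viewpoint
2009-06-01 23:57 . 2007-01-01 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2005-08-03 00:46 . 2006-12-02 23:39 187904 -csha-r- c:\windows\Q2VzYXI\asappsrv.dll
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]
podmena REG_MULTI_SZ podmena
'''


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [entries]}; KILLALL:: simply has no entries."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def cross_check(script: Dict[str, List[str]], log_text: str) -> Dict[Tuple[str, str], str]:
    """Classify each Driver/File/Folder entry: 'service' (named in a service
    line), 'mentioned' (appears anywhere in the log) or 'absent'."""
    log_lower = log_text.lower()
    services = set()
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            services.add(m.group(1).strip().lower())
    report: Dict[Tuple[str, str], str] = {}
    for entry in script.get("Driver", []):
        e = entry.lower()
        if e in services:
            status = "service"
        elif e in log_lower:
            status = "mentioned"
        else:
            status = "absent"
        report[("Driver", entry)] = status
    for section in ("File", "Folder"):
        for entry in script.get(section, []):
            # Case-insensitive substring match: a folder counts as mentioned if
            # any file under it appears in the log.
            report[(section, entry)] = "mentioned" if entry.lower() in log_lower else "absent"
    return report


def unreferenced(report: Dict[Tuple[str, str], str]) -> List[Tuple[str, str]]:
    """Entries the log never names; these deserve a second look before the script is run."""
    return [k for k, status in report.items() if status == "absent"]


if __name__ == "__main__":
    for (section, entry), status in cross_check(parse_cfscript(SAMPLE_SCRIPT), SAMPLE_LOG).items():
        print(f"{status:9} {section}:: {entry}")
```

The check is a pre-flight on the script, not on the machine: it only confirms that every item the script will delete was actually observed in the log, which is how the helper built the script in the first place.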

Re: system security.

Post by andrewvanderhevel on Sun Jun 14, 2009 12:35 am

ComboFix 09-06-13.03 - Cesar Ramos 06/13/2009 20:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.308 [GMT -7:00]
Running from: c:\documents and settings\Cesar Ramos\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Cesar Ramos\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\UACliopvydpuconcyd.dll"
"c:\windows\zaponce53290.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\CESARR~1\APPLIC~1\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Manson
c:\program files\Viewpoint
c:\windows\Q2VzYXI
c:\docume~1\CESARR~1\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
c:\docume~1\CESARR~1\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
c:\docume~1\CESARR~1\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
c:\docume~1\CESARR~1\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
c:\docume~1\CESARR~1\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\AolInstantInstallMMX_Win.mtj
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll
c:\program files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
c:\program files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\windows\Q2VzYXI\asappsrv.dll
c:\windows\Q2VzYXI\command.exe
c:\windows\Q2VzYXI\kZpWsrK.vbs
c:\windows\system32\UACliopvydpuconcyd.dll
c:\windows\zaponce53290.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Legacy_XDVA011
-------\Service_Viewpoint Manager Service
-------\Service_XDva011


((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-14 03:00 . 2009-06-14 03:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-14 02:54 . 2009-06-14 02:54 -------- d-----w- c:\program files\Trend Micro
2009-06-14 01:31 . 2009-06-14 01:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 21:26 . 2009-06-12 21:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-06-12 21:26 . 2009-06-12 21:26 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2009-06-10 14:01 . 2009-06-10 14:01 -------- d-sh--w- c:\documents and settings\Cesar Ramos\IECompatCache
2009-06-10 14:00 . 2009-06-10 14:00 -------- d-sh--w- c:\documents and settings\Cesar Ramos\PrivacIE
2009-06-10 13:58 . 2009-06-10 13:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-10 13:57 . 2009-06-10 13:57 -------- d-sh--w- c:\documents and settings\Cesar Ramos\IETldCache
2009-06-10 10:55 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 10:55 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 10:55 . 2009-06-10 10:56 -------- d-----w- c:\windows\ie8updates
2009-06-10 10:55 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-10 10:51 . 2009-06-10 10:54 -------- dc-h--w- c:\windows\ie8
2009-06-10 08:13 . 2009-06-10 08:13 -------- d-----w- C:\.jagex_cache_32
2009-06-01 12:50 . 2009-06-11 01:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 12:50 . 2009-06-11 01:00 -------- d-----w- c:\program files\Norton Security Scan
2009-06-01 09:21 . 2009-06-01 09:21 -------- d-----w- c:\windows\system32\Adobe
2009-05-30 02:05 . 2009-06-10 11:13 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Xfire
2009-05-30 02:05 . 2009-06-10 11:13 -------- d-s---w- c:\program files\Xfire
2009-05-29 22:51 . 2009-05-29 22:52 -------- d-----w- c:\program files\QuickTime
2009-05-29 18:39 . 2009-05-29 18:39 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\Yahoo
2009-05-29 18:33 . 2009-05-27 02:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-28 16:16 . 2009-05-28 16:16 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-05-28 06:45 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-28 06:45 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 06:45 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 06:45 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-28 06:45 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 06:45 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 06:45 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 06:45 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 06:45 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 06:40 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-28 06:40 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-28 05:43 . 2009-06-12 10:32 34 ----a-w- c:\documents and settings\Cesar Ramos\jagex_runescape_preferences.dat
2009-05-28 02:44 . 2009-06-11 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-05-28 02:19 . 2009-05-28 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-28 02:16 . 2009-05-28 02:16 -------- d-----w- c:\program files\Messenger Plus! Live
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\acccore
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\AOL OCP
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\AOL
2009-05-28 01:56 . 2009-05-28 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-28 01:56 . 2009-06-01 23:58 -------- d-----w- c:\program files\Common Files\AOL
2009-05-28 01:50 . 2009-06-14 03:31 -------- d-----w- c:\documents and settings\Cesar Ramos\Tracing
2009-05-28 01:49 . 2009-05-28 01:49 -------- d-----w- c:\program files\Microsoft
2009-05-28 01:48 . 2009-05-28 01:48 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-28 01:48 . 2009-05-28 01:48 -------- d-----w- c:\program files\Windows Live
2009-05-28 01:45 . 2009-05-28 01:45 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-25 19:51 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-05-25 19:51 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 03:05 . 2006-03-21 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-11 06:02 . 2006-03-25 02:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-29 22:51 . 2006-03-25 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-29 18:35 . 2006-12-19 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-29 18:35 . 2006-03-21 02:57 -------- d-----w- c:\program files\Yahoo!
2009-05-29 18:35 . 2007-06-25 02:27 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Yahoo!
2009-05-28 16:14 . 2007-07-15 12:06 -------- d--h--w- c:\docume~1\CESARR~1\APPLIC~1\ijjigame
2009-05-28 01:49 . 2006-04-24 00:23 41576 ----a-w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 05:15 . 2006-06-23 19:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2002-08-29 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2002-08-29 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.


Re: system security.

Post by andrewvanderhevel on Sun Jun 14, 2009 12:35 am

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qfrw"="c:\progra~1\COMMON~1\qfrw\qfrwm.exe" [2006-07-19 9216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2007-07-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cesar Ramos^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Cesar Ramos\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:podmena

R3 vgadrv;vgadrv;c:\windows\system32\drivers\vgadrv.sys [3/17/2006 10:04 AM 8078]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
podmena REG_MULTI_SZ podmena

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\Norton Security Scan for Cesar Ramos.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 02:04]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Cesar Ramos\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-13 20:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-688789844-1060284298-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-14 20:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 03:35
ComboFix2.txt 2009-06-14 02:36

Pre-Run: 22,836,629,504 bytes free
Post-Run: 22,830,104,576 bytes free

214 --- E O F --- 2009-06-10 10:56


Re: system security.

Post by Belahzur on Sun Jun 14, 2009 12:38 am

Hello.
Something brought part of the infection back. I suspect it may be a driver that is running; I can't find much on it, so I want to submit it for analysis.

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file:
    C:\WINDOWS\system32\drivers\vgadrv.sys
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned; it could take a few minutes depending on server load.
  5. Copy and paste the result back here.



Re: system security.

Post by andrewvanderhevel on Sun Jun 14, 2009 12:41 am

No malware was found.


Re: system security.

Post by Belahzur on Sun Jun 14, 2009 12:45 am

Hello.
Do the same again for this file.

c:\Program Files\Common Files\qfrw\qfrwm.exe



Re: system security.

Post by andrewvanderhevel on Sun Jun 14, 2009 12:47 am

Scan finished. 18 out of 20 scanners reported malware.

[ArcaVir]
2009-06-13 Downloader.Tsupdate.N
[F-Secure Anti-Virus]
2009-06-13 Adware:W32/TargetSaver.B
[Emsisoft A-squared]
2009-06-14 Trojan-Downloader.Win32.TSUpdate!IK
[Ikarus]
2009-06-13 Trojan-Downloader.Win32.TSUpdate
[Avast! antivirus]
2009-06-13 Win32:Tsupdate-C
[Kaspersky Anti-Virus]
2009-06-14 Trojan-Downloader.Win32.TSUpdate.n
[Grisoft AVG Anti-Virus]
2009-06-13 Downloader.Generic.JAD
[ESET NOD32]
2009-06-13 Win32/TrojanDownloader.TSUpdate.N
[Avira AntiVir]
2009-06-12 TR/Drop.TSUpdat.A.3
[Norman Virus Control]
2009-06-12 W32/DLoader.QKD
[Softwin BitDefender]
2009-06-13 Trojan.Downloader.Tsupdate.N
[Panda Antivirus]
2009-06-12 Adware/Sqwire
[ClamAV]
2009-06-13 Trojan.Downloader.TSUp-11
[Quick Heal]
2009-06-12 TrojanDownloader.TSUpdate.n
[CPsecure]
2009-06-14 Troj.Downloader.W32.TSUpdate.N
[Sophos]
2009-06-13 Found nothing
[Dr.Web]
2009-06-14 Adware.TargetServer
[VirusBlokAda VBA32]
2009-06-12 Found nothing
[Frisk F-Prot Antivirus]
2009-06-13 W32/Downloader.JWS
[VirusBuster]
2009-06-13 Trojan.DL.TSUpdate.J


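The result above is the raw output of a multi-engine scan. The headline "18 out of 20 scanners reported malware" is easy to read off, but the family name is spread across each vendor's own naming scheme, and two engines report "Found nothing" in the same layout as a detection. As an added example that is not part of this thread, the Python below parses that vendor/verdict layout, separates detections from "Found nothing" entries, and tallies the family tokens that recur across vendors once generic class words (trojan, downloader, adware, and so on) are dropped. The sample is the thread's own result block; the list of generic words is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the multi-scanner result pasted in this thread,
# vendor on one line and the dated verdict on the next.
SCAN_RESULT = """\
[ArcaVir]
2009-06-13 Downloader.Tsupdate.N
[F-Secure Anti-Virus]
2009-06-13 Adware:W32/TargetSaver.B
[Emsisoft A-squared]
2009-06-14 Trojan-Downloader.Win32.TSUpdate!IK
[Ikarus]
2009-06-13 Trojan-Downloader.Win32.TSUpdate
[Avast! antivirus]
2009-06-13 Win32:Tsupdate-C
[Kaspersky Anti-Virus]
2009-06-14 Trojan-Downloader.Win32.TSUpdate.n
[Grisoft AVG Anti-Virus]
2009-06-13 Downloader.Generic.JAD
[ESET NOD32]
2009-06-13 Win32/TrojanDownloader.TSUpdate.N
[Avira AntiVir]
2009-06-12 TR/Drop.TSUpdat.A.3
[Norman Virus Control]
2009-06-12 W32/DLoader.QKD
[Softwin BitDefender]
2009-06-13 Trojan.Downloader.Tsupdate.N
[Panda Antivirus]
2009-06-12 Adware/Sqwire
[ClamAV]
2009-06-13 Trojan.Downloader.TSUp-11
[Quick Heal]
2009-06-12 TrojanDownloader.TSUpdate.n
[CPsecure]
2009-06-14 Troj.Downloader.W32.TSUpdate.N
[Sophos]
2009-06-13 Found nothing
[Dr.Web]
2009-06-14 Adware.TargetServer
[VirusBlokAda VBA32]
2009-06-12 Found nothing
[Frisk F-Prot Antivirus]
2009-06-13 W32/Downloader.JWS
[VirusBuster]
2009-06-13 Trojan.DL.TSUpdate.J
"""

VENDOR_RE = re.compile(r'^\[(?P<vendor>[^\]]+)\]$')
VERDICT_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(?P<verdict>.+)$')
# Assumed list of class words that say what kind of thing was found, not which family.
GENERIC = {"trojan", "troj", "downloader", "trojandownloader", "dloader",
           "adware", "generic", "win32", "w32", "drop"}


def parse_scan(text):
    """Return {vendor: verdict}, with None where the vendor found nothing."""
    results, vendor = {}, None
    for line in text.splitlines():
        m = VENDOR_RE.match(line.strip())
        if m:
            vendor = m.group("vendor")
            continue
        m = VERDICT_RE.match(line.strip())
        if m and vendor:
            verdict = m.group("verdict").strip()
            results[vendor] = None if verdict.lower() == "found nothing" else verdict
            vendor = None
    return results


def consensus(results):
    """Return (detections, scanners, Counter of family tokens across detecting vendors)."""
    families, detections = Counter(), 0
    for verdict in results.values():
        if verdict is None:
            continue
        detections += 1
        # One vote per vendor per token, so a verdict repeating a word counts once.
        families.update({t for t in re.split(r"[^a-z0-9]+", verdict.lower())
                         if len(t) >= 4 and t not in GENERIC})
    return detections, len(results), families


if __name__ == "__main__":
    hits, total, fam = consensus(parse_scan(SCAN_RESULT))
    print("%d of %d scanners reported malware" % (hits, total))
    print("family consensus:", fam.most_common(3))
```

On the thread's list this reports 18 of 20 detections, and "tsupdate" is the token shared by the most vendors (ten of the eighteen); vendors that spell the family differently (TSUpdat, TSUp) or name a different adware family do not join that count, which is the point of counting tokens rather than trusting any single engine's label.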
Re: system security.

Post by Belahzur on Sun Jun 14, 2009 1:02 am

Haha, that's what brought it back.

Now open a new notepad file.
Input this into the notepad file:

Driver::
podmena

Folder::
c:\progra~1\COMMON~1\qfrw

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qfrw"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"podmena"=-

Save this as CFScript.txt, and save it to your desktop as well.
Then drag and drop CFScript.txt into ComboFix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done (it will warn you if it wants to).
Post the resulting log back here.



Re: system security.

Post by andrewvanderhevel on Sun Jun 14, 2009 1:12 am

ComboFix 09-06-13.03 - Cesar Ramos 06/13/2009 21:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.283 [GMT -7:00]
Running from: c:\documents and settings\Cesar Ramos\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Cesar Ramos\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\COMMON~1\qfrw
c:\progra~1\COMMON~1\qfrw\qfrwa.exe
c:\progra~1\COMMON~1\qfrw\qfrwa.lck
c:\progra~1\COMMON~1\qfrw\qfrwd\class-barrel
c:\progra~1\COMMON~1\qfrw\qfrwd\qfrwc.dll
c:\progra~1\COMMON~1\qfrw\qfrwd\vocabulary
c:\progra~1\COMMON~1\qfrw\qfrwh
c:\progra~1\COMMON~1\qfrw\qfrwl.exe
c:\progra~1\COMMON~1\qfrw\qfrwl.lck
c:\progra~1\COMMON~1\qfrw\qfrwm.exe
c:\progra~1\COMMON~1\qfrw\qfrwm.lck
c:\progra~1\COMMON~1\qfrw\qfrwp.exe
c:\progra~1\COMMON~1\qfrw\qfrwp.lck

.
((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-14 03:00 . 2009-06-14 03:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-14 02:54 . 2009-06-14 02:54 -------- d-----w- c:\program files\Trend Micro
2009-06-14 01:31 . 2009-06-14 01:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-12 21:26 . 2009-06-12 21:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-06-12 21:26 . 2009-06-12 21:26 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2009-06-10 14:01 . 2009-06-10 14:01 -------- d-sh--w- c:\documents and settings\Cesar Ramos\IECompatCache
2009-06-10 14:00 . 2009-06-10 14:00 -------- d-sh--w- c:\documents and settings\Cesar Ramos\PrivacIE
2009-06-10 13:58 . 2009-06-10 13:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-10 13:57 . 2009-06-10 13:57 -------- d-sh--w- c:\documents and settings\Cesar Ramos\IETldCache
2009-06-10 10:55 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 10:55 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 10:55 . 2009-06-10 10:56 -------- d-----w- c:\windows\ie8updates
2009-06-10 10:55 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-10 10:51 . 2009-06-10 10:54 -------- dc-h--w- c:\windows\ie8
2009-06-10 08:13 . 2009-06-10 08:13 -------- d-----w- C:\.jagex_cache_32
2009-06-01 12:50 . 2009-06-11 01:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 12:50 . 2009-06-11 01:00 -------- d-----w- c:\program files\Norton Security Scan
2009-06-01 09:21 . 2009-06-01 09:21 -------- d-----w- c:\windows\system32\Adobe
2009-05-30 02:05 . 2009-06-10 11:13 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Xfire
2009-05-30 02:05 . 2009-06-10 11:13 -------- d-s---w- c:\program files\Xfire
2009-05-29 22:51 . 2009-05-29 22:52 -------- d-----w- c:\program files\QuickTime
2009-05-29 18:39 . 2009-05-29 18:39 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\Yahoo
2009-05-29 18:33 . 2009-05-27 02:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-28 16:16 . 2009-05-28 16:16 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-05-28 06:45 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-28 06:45 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 06:45 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 06:45 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-28 06:45 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 06:45 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 06:45 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 06:45 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 06:45 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 06:40 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-28 06:40 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-28 05:43 . 2009-06-12 10:32 34 ----a-w- c:\documents and settings\Cesar Ramos\jagex_runescape_preferences.dat
2009-05-28 02:44 . 2009-06-11 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-05-28 02:19 . 2009-05-28 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-28 02:16 . 2009-05-28 02:16 -------- d-----w- c:\program files\Messenger Plus! Live
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\acccore
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\AOL OCP
2009-05-28 01:57 . 2009-05-28 01:57 -------- d-----w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\AOL
2009-05-28 01:56 . 2009-05-28 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-28 01:56 . 2009-06-01 23:58 -------- d-----w- c:\program files\Common Files\AOL
2009-05-28 01:50 . 2009-06-14 03:31 -------- d-----w- c:\documents and settings\Cesar Ramos\Tracing
2009-05-28 01:49 . 2009-05-28 01:49 -------- d-----w- c:\program files\Microsoft
2009-05-28 01:48 . 2009-05-28 01:48 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-28 01:48 . 2009-05-28 01:48 -------- d-----w- c:\program files\Windows Live
2009-05-28 01:45 . 2009-05-28 01:45 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-25 19:51 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-05-25 19:51 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 03:05 . 2006-03-21 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-11 06:02 . 2006-03-25 02:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-29 22:51 . 2006-03-25 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-29 18:35 . 2006-12-19 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-29 18:35 . 2006-03-21 02:57 -------- d-----w- c:\program files\Yahoo!
2009-05-29 18:35 . 2007-06-25 02:27 -------- d-----w- c:\docume~1\CESARR~1\APPLIC~1\Yahoo!
2009-05-28 16:14 . 2007-07-15 12:06 -------- d--h--w- c:\docume~1\CESARR~1\APPLIC~1\ijjigame
2009-05-28 01:49 . 2006-04-24 00:23 41576 ----a-w- c:\documents and settings\Cesar Ramos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 05:15 . 2006-06-23 19:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2002-08-29 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2002-08-29 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2007-07-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cesar Ramos^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Cesar Ramos\Start Menu\Programs\Startup\IMVU.lnk


Re: system security.

Post by andrewvanderhevel on Sun Jun 14, 2009 1:12 am

backup=c:\windows\pss\IMVU.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 vgadrv;vgadrv;c:\windows\system32\drivers\vgadrv.sys [3/17/2006 10:04 AM 8078]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\Norton Security Scan for Cesar Ramos.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 02:04]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Cesar Ramos\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-13 21:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-688789844-1060284298-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-14 21:12
ComboFix-quarantined-files.txt 2009-06-14 04:12
ComboFix2.txt 2009-06-14 03:35
ComboFix3.txt 2009-06-14 02:36

Pre-Run: 22,852,427,776 bytes free
Post-Run: 22,839,398,400 bytes free

167 --- E O F --- 2009-06-10 10:56


Re: system security.

Post by Belahzur on Sun Jun 14, 2009 1:18 am

Hello.
That got it. It hasn't come back this time.

Please install Avira antivirus, otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: system security.

Post by andrewvanderhevel on Sun Jun 14, 2009 2:06 am

Sorry about the delayed response. My computer is now running quite well: little to no lag, no pop-ups out of nowhere, and of course no silly System Security telling me that, of all things, MS Paint is infected (seriously... what?). Thank you for the anti-virus software, and of course thank you for all your assistance.


Thank You!
