System Security 2009

View previous topic View next topic Go down

System Security 2009

Post by DamonJones on 5th September 2009, 3:34 pm

I'm new to the site but i was hoping someone could help me. I was recently infected with the System Security 2009 malware. When I try to boot normally I get to my desktop, then my startmenu/task bar appears for a second and instantly vanishes, leaving me looking at a my desktop image with no icons. At this point the only thing I can do is shut down my computer. I've dealt with this issue before, but I was able to get rid of it by booting in safe mode and running my various spyware/virus removal programs. The ones that did the most work were Xoftspy, SuperAntiSpyware, and Malware Bytes respectively. Surprisingly I ran AVG first and it couldn't detect the threats at all and only found cookies. Running these programs one after another got rid of the problem for me or so I thought, but now it's back. Now I have the same boot problem as before, but when I run safe mode, the System Security Malware is there too! I thought safe mode was supposed to be...safe. Anyway I can't open any of my removal programs because of it. When I double click, nothing happens. It even blocks the installers for certain programs to run. I found a handy trick online to go into the program files and rename the executable since the SP2009 recognizes processes by name. It works to a degree but only for certain programs. Xoftspy opened and fully ran when I did this trick. It detected some threats and removed them but the problem still remains. When I rename and try to run AVG or SuperAntiSpyware they start to scan my computer, then abruptly close. I've tried everything in my knowledge and I'm at the end of my rope now so I was hoping someone could help me here. I hope I was descriptive enough for someone to recognize what the problem is and how to fix it. Thanks!

Edit: I've even tried to run Hijack This. It installs but nothing happens when I try to open it.

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 5th September 2009, 8:57 pm

Hello.
Did you get Hijack This from this link?
[You must be registered and logged in to see this link.]

If not, please download it from that link.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 6th September 2009, 2:49 am

The version of HJT from that link opened fine, but closed shortly after it started running. And now I guess System Security recognizes it as HJT so I can't open that one again either. It's like the malware is learning what i'm doing and preventing me from opening anything that can potentially remove it. Is there anything I can do to prevent it from blocking my programs functionality?

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 6th September 2009, 6:37 pm

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu.) Once in the start up menu, select "Safe Mode with Networking", then try Hijack This from there.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 6th September 2009, 7:14 pm

That's actually the version of safe mode i've been running the whole time. It's the only way I can access the internet now since I can't boot normally. Still no luck though. Would you suggest reformatting?

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Origin on 6th September 2009, 10:13 pm

Try this in safe mode with networking:

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 7th September 2009, 12:40 pm

Ok. I followed your instructions. When I run combo fix it opens and closes abruptly as well. For some reason, when it closes, I get a message saying combo fix is uninstalled and the icon disappears so I have to reinstall it to try it again.

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 7th September 2009, 9:04 pm

Please download Ice Sword from [You must be registered and logged in to see this link.][LIST=1]

Are you able to extract it?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 7th September 2009, 11:35 pm

It extracts fine. When I try to run the program I get this error message:

Open device failed, error code: 1073741762

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 8th September 2009, 1:17 am

Oops, forgot to ask.
Are you running XP or Vista?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 8th September 2009, 2:37 am

xp

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 8th September 2009, 3:49 pm

Please download SilentRunners from here:
[You must be registered and logged in to see this link.]
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 9th September 2009, 12:25 am

Thanks for all the help btw. Here are the contents of the log file:

"Silent Runners.vbs", revision 59, [You must be registered and logged in to see this link.]
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"fmzf" = "C:\PROGRA~1\COMMON~1\fmzf\fmzfm.exe" [file not found]
"ArtChk" = "C:\WINDOWS\system32\artchker.exe" [file not found]
"Messenger (Yahoo!)" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [file not found]
"Google Update" = ""C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c" ["Google Inc."]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"Windows System Recover!" = "C:\DOCUME~1\Travis\LOCALS~1\Temp\winamp.exe" [null data]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Protection System" = ""C:\Program Files\Protection System\psystem.exe" -noscan" ["Protection System Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Norton Ghost 10.0" = ""C:\Program Files\Norton Ghost\Agent\GhostTray.exe"" [file not found]
"ISUSPM Startup" = ""c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"DLA" = "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" ["Sonic Solutions"]
"Windows Media Connect 2" = ""C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"MSKDetectorExe" = "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall" ["McAfee, Inc."]
"Zune Launcher" = ""C:\Program Files\Zune\ZuneLauncher.exe"" [MS]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"AdobeCS4ServiceManager" = ""C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin" ["Adobe Systems Incorporated"]
"Adobe Acrobat Speed Launcher" = ""C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"" ["Adobe Systems Incorporated"]
"(Default)" = "(empty string)" [file not found]
"Acrobat Assistant 8.0" = ""C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"" ["Adobe Systems Inc."]
"Adobe_ID0ENQBO" = "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" ["Adobe Systems Incorporated"]
"braviax" = "braviax.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 9th September 2009, 6:59 pm

Hello.
Please post the full log, I think it got cut off.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 9th September 2009, 10:37 pm

Whoops!! Sorry I think I copied information from the file prematurely before the scan was complete. Here is the whole thing:

"Silent Runners.vbs", revision 59, [You must be registered and logged in to see this link.]
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"fmzf" = "C:\PROGRA~1\COMMON~1\fmzf\fmzfm.exe" [file not found]
"ArtChk" = "C:\WINDOWS\system32\artchker.exe" [file not found]
"Messenger (Yahoo!)" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [file not found]
"Google Update" = ""C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c" ["Google Inc."]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"Windows System Recover!" = "C:\DOCUME~1\Travis\LOCALS~1\Temp\winamp.exe" [null data]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Protection System" = ""C:\Program Files\Protection System\psystem.exe" -noscan" ["Protection System Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Norton Ghost 10.0" = ""C:\Program Files\Norton Ghost\Agent\GhostTray.exe"" [file not found]
"ISUSPM Startup" = ""c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"DLA" = "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" ["Sonic Solutions"]
"Windows Media Connect 2" = ""C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"MSKDetectorExe" = "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall" ["McAfee, Inc."]
"Zune Launcher" = ""C:\Program Files\Zune\ZuneLauncher.exe"" [MS]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"AdobeCS4ServiceManager" = ""C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin" ["Adobe Systems Incorporated"]
"Adobe Acrobat Speed Launcher" = ""C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"" ["Adobe Systems Incorporated"]
"(Default)" = "(empty string)" [file not found]
"Acrobat Assistant 8.0" = ""C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"" ["Adobe Systems Inc."]
"Adobe_ID0ENQBO" = "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" ["Adobe Systems Incorporated"]
"braviax" = "braviax.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
"{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
"{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
"{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
"{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
"{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
"{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
"{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
"{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Protection System extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Protection System\CoreExt.dll" [empty string]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<> "{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}" = "ghya673gidh87we9inkff"
-> {HKLM...CLSID} = "C:\WINDOWS\system32\tajf83ikdmf.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\tajf83ikdmf.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<> "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe" [MS], ["PROMO Software"]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\opnOghec"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<> "Notification Packages" = "scecli"|"C:\WINDOWS\system32\hedohudi.dll"

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<> ("digeste.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL" ["SUPERAntiSpyware.com"]
<> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]
<> ddcyx\DLLName = "C:\WINDOWS\system32\ddcyx.dll" [file not found]
<> gebya\DLLName = "C:\WINDOWS\system32\gebya.dll" [file not found]
<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<> vturp\DLLName = "C:\WINDOWS\system32\vturp.dll" [file not found]
<> vtuustt\DLLName = "vtuustt.dll" [file not found]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{30351349-7B7D-4FCC-81B4-1E394CA267EB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
SimpleShlExt\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Protection System\CoreExt.dll" [empty string]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
SimpleShlExt\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Protection System\CoreExt.dll" [empty string]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["[You must be registered and logged in to see this link.]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
{C95FFEAE-A32E-4122-A5C4-49B5BFB69795}\(Default) = "{C95FFEAE-A32E-4122-A5C4-49B5BFB69795}"
-> {HKLM...CLSID} = "Adobe Drive CS4"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Adobe Drive CS4\ADFSMenu.dll" ["Adobe Systems Incorporated"]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "C:\WINDOWS\system32\desote.exe "%1" %*" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoFolderOptions" = (REG_DWORD) dword:0x00000001
{Removes the Folder Options menu item from the Tools menu}

"NoSetActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{Prohibit changes}

"NoViewContextMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000001
{Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"disablecmd" = (REG_DWORD) dword:0x00000000
{Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\

"DisableSR" = (REG_DWORD) dword:0x00000001
{Turn off System Restore}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\critical_warning.html"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Travis\Application Data\Mozilla\Firefox\Desktop Background.bmp"

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "C:\Program Files\MSN\bazyrag.html"
"SubscribedURL" = ""


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AdobeOnLocationCS4CameraArrival\
"Provider" = "Adobe OnLocation"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Adobe\Adobe OnLocation CS4\Adobe OnLocation.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

AdobePremiereProCS4CameraArrival\
"Provider" = "Adobe Premiere Pro"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Adobe\Adobe Premiere Pro CS4\Adobe Premiere Pro.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

BridgeCS4ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS4"
"InvokeProgID" = "Adobe.adobebridgeCS4"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridgeCS4\shell\launch\command\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS4\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

BridgeCS4NonVolumeHandler\
"Provider" = "Adobe Bridge CS4"
"ProgID" = "Adobe.adobebridgeMTP_1"
HKLM\SOFTWARE\Classes\Adobe.adobebridgeMTP_1\CLSID\(Default) = "{1E6C711B-6D70-4a65-8AB6-745DC19BE2A6}"
-> {HKLM...CLSID} = "Adobe Bridge CS4"
\LocalServer32\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS4\bridgeproxy.exe -m" ["Adobe Systems, Inc."]

Corel Photo Album 6HandleCDBurningOnArrival\
"Provider" = "Corel Photo Album 6"
"InvokeProgID" = "CorelPhotoAlbumFolder"
"InvokeVerb" = "BurnCD"
HKLM\SOFTWARE\Classes\CorelPhotoAlbumFolder\shell\BurnCD\command\(Default) = "C:\PROGRA~1\Corel\CORELP~1\PHOTOA~1.EXE -burncdlaunch" [file not found]

Corel Photo Album 6ShowPicturesOnArrivalHandler\
"Provider" = "Corel Photo Album 6"
"InvokeProgID" = "CorelPhotoAlbumFolder"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CorelPhotoAlbumFolder\shell\open\command\(Default) = "C:\PROGRA~1\Corel\CORELP~1\PHOTOA~1.EXE "%1"" [file not found]

DMXPlayDVD\
"Provider" = "Dell CinePlayer"
"InvokeProgID" = "DMX.PLAYDVD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\DMX.PLAYDVD\shell\Play\Command\(Default) = "C:\Program Files\Dell\Media Experience\DMX.exe DVD "Play %1"" [null data]

MMJBAutoplayBURNERPLUS\
"Provider" = "MUSICMATCH Burner Plus"
"InvokeProgID" = "MMJB.BURN"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" ["Musicmatch, Inc."]

MMJBPlayCDAudioOnArrival\
"Provider" = "Musicmatch Jukebox"
"InvokeProgID" = "MMJB.AUDIOCD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\MMJB.AUDIOCD\shell\Play\command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjblaunch.exe" /AudioCD "%1"" ["Musicmatch, Inc."]

MMJBPlayMediaOnArrival\
"Provider" = "Musicmatch Jukebox"
"InvokeProgID" = "MMJB.MMJB"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\MMJB.MMJB\shell\Play\command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjblaunch.exe" "%1"" ["Musicmatch, Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

SonicMyCreateProject\
"Provider" = "Sonic MyDVD"
"InvokeProgID" = "Sonic.MyDVD"
"InvokeVerb" = "CreateProject"
HKLM\SOFTWARE\Classes\Sonic.MyDVD\shell\CreateProject\Command\(Default) = "C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\MyDVD.EXE /AutoPlayCreateProject %L" ["Sonic Solutions"]

SonicSCAudioCDTask\
"Provider" = "Sonic Audio Module"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {EBD22732-1CC3-4CD7-9A45-B8D98DA0E784}" [null data]

SonicSCCopyCD\
"Provider" = "Sonic Copy Module"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCCopyDisc\
"Provider" = "Sonic Copy Module"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCDataProject\
"Provider" = "Sonic Data Module"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch Data" [null data]

SonicSCDataTask\
"Provider" = "Sonic Data Module"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {0BAC5C34-DF45-4C0F-8D64-8E92DCCF007D}" [null data]

SonicVideoCameraArrival\
"Provider" = "Sonic Solutions"
"ProgID" = "MyDVD.MyDVDAPHandler"
"InitCmdLine" = "new"
HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
-> {HKLM...CLSID} = "MyDVDAPHandler Class"
\LocalServer32\(Default) = "C:\PROGRA~1\Sonic\DIGITA~1\MYDVDP~1\MyDVD.EXE -autoplay" ["Sonic Solutions"]

SonicVideoCameraArrivalDirect\
"Provider" = "Sonic Solutions"
"ProgID" = "MyDVD.MyDVDAPHandler"
"InitCmdLine" = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {3563B7B4-E6D4-4360-8E38-64E008F52C5C}"
HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
-> {HKLM...CLSID} = "MyDVDAPHandler Class"
\LocalServer32\(Default) = "C:\PROGRA~1\Sonic\DIGITA~1\MYDVDP~1\MyDVD.EXE -autoplay" ["Sonic Solutions"]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

ZunePlayCDAudioOnArrival\
"Provider" = "@C:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
"InvokeProgID" = "Microsoft.Zune.2.AudioCD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Microsoft.Zune.2.AudioCD\shell\Play\Command\(Default) = ""C:\Program Files\Zune\Zune.exe" /PlayCD:"%L"" [MS]

ZunePlayMediaOnArrival\
"Provider" = "@C:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
"InvokeProgID" = "Microsoft.Zune.2.PlayMedia"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Microsoft.Zune.2.PlayMedia\shell\Play\Command\(Default) = ""C:\Program Files\Zune\Zune.exe" /PlayMedia:"%L"" [MS]

ZuneRipCDAudioOnArrival\
"Provider" = "@C:\Program Files\Zune\en-US\ZuneResources.dll.mui,-603"
"InvokeProgID" = "Microsoft.Zune.2.RipCD"
"InvokeVerb" = "Rip"
HKLM\SOFTWARE\Classes\Microsoft.Zune.2.RipCD\shell\Rip\Command\(Default) = ""C:\Program Files\Zune\Zune.exe" /RipCD:"%L"" [MS]


Startup items in "Travis" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]


Enabled Scheduled Tasks:
------------------------

"GoogleUpdateTaskUserS-1-5-21-3069825194-2149376031-1139591230-1006Core" -> launches: "C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskUserS-1-5-21-3069825194-2149376031-1139591230-1006UA" -> launches: "C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]
"mjsdaxid" -> launches: "C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\ssqOIXQH.dll",ShellPath" [MS]
"nzuuxoyp" -> launches: "C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\qoMgeeFX.dll",AddRefActCtx" [MS]
"XoftSpySE 2" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe ShowReminders" [file not found]
"XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" [file not found]
"{7B02EF0B-A410-4938-8480-9BA26420A627}" -> launches: "C:\WINDOWS\TEMP\cpv.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 09
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [null data]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"
-> {HKLM...CLSID} = "Ask Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AskBarDis\bar\bin\askBar.dll" ["Ask.com"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}" = (no title provided)
-> {HKLM...CLSID} = "Ask Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AskBarDis\bar\bin\askBar.dll" ["Ask.com"]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" = "AVG Security Toolbar"
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [null data]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}" = (no title provided)
-> {HKLM...CLSID} = "Contribute Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll" ["Adobe Systems Incorporated."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{B0DE3308-5D5A-470D-81B9-634FC078393B}\(Default) = "Ask Toolbar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search && Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> "{A3BC75A2-1F87-4686-AA43-5347D756017C}" = (no title provided)
-> {HKLM...CLSID} = "AVG Security Toolbar BHO"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [null data]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 9 domain names to IP addresses,
8 of the IP addresses are *not* localhost!


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}Crying
---------------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Adobe LM Service, Adobe LM Service, ""C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"" ["Adobe Systems"]
Adobe Version Cue CS4, Adobe Version Cue CS4, ""C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service" ["Adobe Systems Incorporated"]
Application Management, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]}
ASKService, ASKService, "C:\Program Files\AskBarDis\bar\bin\AskService.exe" [null data]
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]
Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"" ["Autodesk"]
AVG Free8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Extensible Authentication Protocol Service, EapHost, "C:\WINDOWS\System32\svchost.exe -k eapsvcs" {"C:\WINDOWS\System32\eapsvc.dll" [MS]}
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
FLEXnet Licensing Service, FLEXnet Licensing Service, ""C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"" ["Acresso Software Inc."]
GEARSecurity, GEARSecurity, "C:\WINDOWS\System32\GEARSec.exe" ["GEAR Software"]
Health Key and Certificate Management Service, hkmsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\kmsvc.dll" [MS]}
Intel NCS NetService, NetSvc, "C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe" ["Intel(R) Corporation"]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Macromedia Licensing Service, Macromedia Licensing Service, ""C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"" ["Macromedia"]
mental ray 3.5 Satellite (32-bit), mi-raysat_3dsmax9_32, ""C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe"" [null data]
Network Access Protection Agent, napagent, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\qagentrt.dll" [MS]}
Norton Ghost, Norton Ghost, "C:\Program Files\Norton Ghost\Agent\VProSvc.exe" [file not found]
Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
RaySat_3dsmax8 Server, mi-raysat_3dsmax8, ""C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe"" [null data]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Password Validation, ccPwdSvc, ""C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}
Windows Media Connect Service, WMConnectCDS, "C:\Program Files\Windows Media Connect 2\wmccds.exe" [MS]
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]
Wired AutoConfig, Dot3svc, "C:\WINDOWS\System32\svchost.exe -k dot3svc" {"C:\WINDOWS\System32\dot3svc.dll" [MS]}
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
Zune Bus Enumerator, ZuneBusEnum, "c:\WINDOWS\system32\ZuneBusEnum.exe" [MS]
Zune Network Sharing Service, ZuneNetworkSvc, ""c:\Program Files\Zune\ZuneNss.exe"" [MS]
Zune Wireless Configuration Service, ZuneWlanCfgSvc, "c:\WINDOWS\system32\ZuneWlanCfgSvc.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port Monitor\Driver = "AdobePDF.dll" ["Adobe Systems Inc"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2009-09-09 17:19:53)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 700 seconds.
---------- (total run time: 802 seconds)

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 10th September 2009, 7:10 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :files
    C:\Windows\Tasks\mjsdaxid.job
    C:\Windows\Tasks\nzuuxoyp
    C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "braviax"=-
    "KernelFaultCheck"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Protection System"=-
    "fmzf"=-
    "ArtChk"=-
    "Windows System Recover!"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe,"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcyx]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebya]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vturp]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtuustt]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
    @="\"%1\" %*"
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 11th September 2009, 3:03 am

Ok i'll give it a go and let you know how it turns out.

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 11th September 2009, 3:37 am

Ok here are the results.

========== FILES ==========
C:\Windows\Tasks\mjsdaxid.job moved successfully.
File/Folder C:\Windows\Tasks\nzuuxoyp not found.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\braviax deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Protection System deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\fmzf deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ArtChk deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows System Recover! deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{BF56A325-23F2-42AD-F4E4-00AAC39CAA53} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\"Userinit"|"C:\WINDOWS\system32\userinit.exe," /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\\"SecurityProviders"|"msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcyx\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebya\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vturp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtuustt\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\@|"\"%1\" %*" /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ deleted successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09102009_223558

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 11th September 2009, 8:09 pm

Hello.
Can you run Hijack This now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 11th September 2009, 10:47 pm

No I can't. It still closes abruptly after the scan begins.

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Origin on 12th September 2009, 5:13 am

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 12th September 2009, 6:49 am

Here is the GMER scan. I'll have to split it into two posts to fit it all.

GMER 1.0.15.15077 [82vy98zx.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-12 01:47:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) ECAA816D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) ECAA7FC2

Code 8676AD36 ZwEnumerateKey
Code 865A31E6 ZwFlushInstructionCache
Code 865BE1B5 IofCallDriver
Code 867745DD IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 865BE1BA
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 867745E2
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 8676AD3A
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 865A31EA
? C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys The system cannot find the file specified. !
? C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS The system cannot find the file specified. !
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[312] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[312] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[312] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[564] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[564] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[564] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe[656] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe[656] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe[656] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe[892] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe[892] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe[892] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[956] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[956] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[956] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1072] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1072] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1160] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1160] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1160] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
UPX1 C:\WINDOWS\system32\drivers\smss.exe[1436] C:\WINDOWS\system32\drivers\smss.exe entry point in "UPX1" section [0x004186B0]
.text C:\WINDOWS\system32\svchost.exe[1496] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1496] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1496] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\Explorer.EXE[1540] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\Explorer.EXE[1540] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\Explorer.EXE[1540] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1592] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1592] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1796] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1796] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1796] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[1932] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[1932] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[1932] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2300] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2300] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text c:\WINDOWS\system32\ZuneBusEnum.exe[2300] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3800] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3800] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3800] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 00, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 00, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 01, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90EAFC
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 02, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 01, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 02, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90EB6D
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 00, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90EC9B
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 01, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 02, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4328] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4892] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4892] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4892] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 08DE000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] WININET.dll!HttpAddRequestHeadersW 780CCF65 5 Bytes JMP 08ED000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 08B729A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 08B727E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] WS2_32.dll!send 71AB4C27 5 Bytes JMP 104B584C
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 104B5BA8
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] WS2_32.dll!recv 71AB676F 5 Bytes JMP 104B5D88
.text C:\Program Files\Internet Explorer\Iexplore.exe[5004] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 104B5CF8
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 00, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 00, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 01, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90EAFC
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 02, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 01, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 02, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90EB6D
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 00, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90EC9B
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 01, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 02, 15, 00]
.text C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5824] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\AVG\AVG8\avgnsx.exe[312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\PROGRA~1\AVG\AVG8\avgnsx.exe[312] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Java\jre6\bin\jqs.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Java\jre6\bin\jqs.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe[656] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe[656] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe[892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe[892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1160] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1160] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1496] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1496] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\Explorer.EXE[1540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\Explorer.EXE[1540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1592] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1592] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1796] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1796] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\AskBarDis\bar\bin\AskService.exe[1932] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\AskBarDis\bar\bin\AskService.exe[1932] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT c:\WINDOWS\system32\ZuneBusEnum.exe[2300] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT c:\WINDOWS\system32\ZuneBusEnum.exe[2300] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3800] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[3800] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[5004] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll
IAT C:\Program Files\Internet Explorer\Iexplore.exe[5004] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\1E0F6094.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----


Last edited by DamonJones on 12th September 2009, 6:51 am; edited 1 time in total

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 12th September 2009, 6:49 am

Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgnsx.exe [312] 0x35670000
Library \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [436] 0x10000000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [564] 0x35670000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe [656] 0x35670000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [716] 0x10000000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe [892] 0x35670000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [956] 0x35670000
Library \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [956] 0x02F30000
Library \\?\globalroot\systemroot\system32\UACvesuiqptnb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [956] 0x03070000
Library \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1072] 0x10000000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1072] 0x35670000
Library \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1160] 0x10000000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1160] 0x35670000
Library \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1204] 0x10000000
Library \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1296] 0x10000000
Library \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1496] 0x10000000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1496] 0x35670000
Library \\?\globalroot\systemroot\system32\SKYNETivnnbmue.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1540] 0x10000000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1540] 0x35670000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1540] 0x011D0000
Library \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1592] 0x10000000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1592] 0x35670000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1796] 0x35670000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\Program Files\AskBarDis\bar\bin\AskService.exe [1932] 0x35670000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ c:\WINDOWS\system32\ZuneBusEnum.exe [2300] 0x35670000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [2952] 0x10000000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [3800] 0x35670000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [4892] 0x35670000
Library \\?\globalroot\systemroot\system32\SKYNETivnnbmue.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [5004] 0x10000000
Library \\?\globalroot\systemroot\system32\UACutfqppxnsp.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [5004] 0x08D40000
Library \\?\globalroot\Device\__max++>\1E0F6094.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [5004] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETroywumpp.sys (*** hidden *** ) [SYSTEM] SKYNETmydjehbl <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACwpnkvwqodj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl@imagepath \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\main@aid 10096
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\modules@SKYNETcmd.dll \systemroot\system32\SKYNETjexlqlnw.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\modules@SKYNETlog.dat \systemroot\system32\SKYNETrsvpitup.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdqkolbmo.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl\modules@SKYNET.dat \systemroot\system32\SKYNETarkxqpiq.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwpnkvwqodj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwpnkvwqodj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACkdasbivkbi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACipmktxlmpr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACvesuiqptnb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACutfqppxnsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl@imagepath \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\main\injector@* SKYNETwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules@SKYNETcmd.dll \systemroot\system32\SKYNETjexlqlnw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules@SKYNETlog.dat \systemroot\system32\SKYNETrsvpitup.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdqkolbmo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules@SKYNET.dat \systemroot\system32\SKYNETarkxqpiq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules@SKYNETwsp8.dll \systemroot\system32\SKYNETivnnbmue.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwpnkvwqodj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwpnkvwqodj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACkdasbivkbi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACipmktxlmpr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACvesuiqptnb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACutfqppxnsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl@imagepath \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\main\injector@* SKYNETwsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules@SKYNETcmd.dll \systemroot\system32\SKYNETjexlqlnw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules@SKYNETlog.dat \systemroot\system32\SKYNETrsvpitup.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdqkolbmo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules@SKYNET.dat \systemroot\system32\SKYNETarkxqpiq.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules@SKYNETwsp8.dll \systemroot\system32\SKYNETivnnbmue.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwpnkvwqodj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwpnkvwqodj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACkdasbivkbi.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACdorfqpoowk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACipmktxlmpr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACvesuiqptnb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACutfqppxnsp.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs cru629.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\UACTLS.UAAddressBookButtonCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAAddressBookButtonCtrl.5@ UAAddressBookBttn Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAAddressBookButtonCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAAddressBookButtonCtrl.5\CLSID@ {C0E10003-001C-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAButtonCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAButtonCtrl.5@ UAButton Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAButtonCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAButtonCtrl.5\CLSID@ {C0E10003-0007-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UACheckBoxCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UACheckBoxCtrl.5@ UACheckBox Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UACheckBoxCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UACheckBoxCtrl.5\CLSID@ {C0E10003-0013-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UADropDwnCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UADropDwnCtrl.5@ UADropDown Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UADropDwnCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UADropDwnCtrl.5\CLSID@ {C0E10003-000A-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAEditCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAEditCtrl.5@ UAEdit Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAEditCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAEditCtrl.5\CLSID@ {C0E10003-0023-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryButtonCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryButtonCtrl.5@ UAGalleryBttn Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryButtonCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryButtonCtrl.5\CLSID@ {C0E10003-0010-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryCtrl.5@ UAGallery Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGalleryCtrl.5\CLSID@ {C0E10003-0019-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGraphicDropDown.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGraphicDropDown.5@ UAGraphicDropDown Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGraphicDropDown.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAGraphicDropDown.5\CLSID@ {C0E10003-0026-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAHelpCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAHelpCtrl.5@ UAHelp Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAHelpCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAHelpCtrl.5\CLSID@ {C0E10003-002F-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAPartsListCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAPartsListCtrl.5@ UAPartsList Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAPartsListCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAPartsListCtrl.5\CLSID@ {C0E10003-000D-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UARadioBttnCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UARadioBttnCtrl.5@ UARadioButton Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UARadioBttnCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UARadioBttnCtrl.5\CLSID@ {C0E10003-0016-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UAScrapBookButtonCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UAScrapBookButtonCtrl.5@ UAScrapBookBttn Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UAScrapBookButtonCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UAScrapBookButtonCtrl.5\CLSID@ {C0E10003-001F-0005-C0E1-C0E1C0E1C0E1}
Reg HKLM\SOFTWARE\Classes\UACTLS.UATextCtrl.5
Reg HKLM\SOFTWARE\Classes\UACTLS.UATextCtrl.5@ UAText Control
Reg HKLM\SOFTWARE\Classes\UACTLS.UATextCtrl.5\CLSID
Reg HKLM\SOFTWARE\Classes\UACTLS.UATextCtrl.5\CLSID@ {C0E10003-002C-0005-C0E1-C0E1C0E1C0E1}

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Travis\Local Settings\Temp\uac9F1.tmp 0 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\Application Data 0 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\Cookies 0 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\Desktop 0 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\Favorites 0 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\Local Settings 0 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\My Documents 0 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\NTUSER.DAT 262144 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\ntuser.dat.LOG 16384 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\ntuser.ini 20 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\Recent 0 bytes
File C:\Documents and Settings\Travis\My Documents\Stock photos\3D Total Textures Vol 4\thumbs\th_m_100\creature_fur\Start Menu 0 bytes

---- EOF - GMER 1.0.15 ----

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Origin on 12th September 2009, 5:25 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\SKYNETroywumpp.sys
C:\WINDOWS\system32\drivers\UACwpnkvwqodj.sys

Registry keys to delete:
HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl
HKLM\SYSTEM\ControlSet001\Services\UACd.sys
HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl
HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl
HKLM\SYSTEM\ControlSet003\Services\UACd.sys



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 13th September 2009, 5:08 pm

Here is the avenger log. One thing i would like to mention is that I'll be out of town and away from this computer tomorrow through saturday, so my next reply won't be until then. Thanks.


Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\SKYNETroywumpp.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACwpnkvwqodj.sys" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet001\Services\SKYNETmydjehbl" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet001\Services\UACd.sys" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet003\Services\UACd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 14th September 2009, 12:09 am

Hello.
Can you run Hijack This now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 14th September 2009, 12:38 am

I still can't run it. It keeps doing the same thing where it begins to scan then closes.

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Origin on 14th September 2009, 1:56 am

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 14th September 2009, 3:17 am

Combo fix still closes then automatically uninstalls when I run it. This problem doesn't seem to be going away no matter what I do. Would you recommend reformatting?

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 20th September 2009, 12:48 am

???

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 20th September 2009, 2:13 am

No, please run GMER one more time.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 20th September 2009, 4:30 pm

Here is another GMER scan.

GMER 1.0.15.15087 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-20 11:28:38
Windows 5.1.2600 Service Pack 3
Running: netkhh0v.exe; Driver: C:\DOCUME~1\Travis\LOCALS~1\Temp\fwryrpow.sys


---- System - GMER 1.0.15 ----

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EE63B16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EE63AFC2

Code 867AF010 ZwEnumerateKey
Code 86AA8BB8 ZwFlushInstructionCache
Code 86A9125E IofCallDriver
Code 86B8F0AE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 86A91263
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 86B8F0B3
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 867AF014
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 86AA8BBC
? system32\drivers\bibyfcas.sys The system cannot find the path specified. !
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
? C:\DOCUME~1\Travis\LOCALS~1\Temp\aujasnkj.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\services.exe[756] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003B000A
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[1072] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\Program Files\AskBarDis\bar\bin\AskService.exe[1072] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1124] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1124] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
UPX1 C:\WINDOWS\system32\drivers\smss.exe[1464] C:\WINDOWS\system32\drivers\smss.exe entry point in "UPX1" section [0x004186B0]
.text C:\WINDOWS\system32\svchost.exe[1512] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\WINDOWS\Explorer.exe[3320] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\WINDOWS\Explorer.exe[3320] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
.text C:\WINDOWS\Explorer.exe[3320] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AskBarDis\bar\bin\AskService.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
IAT C:\Program Files\AskBarDis\bar\bin\AskService.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1124] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1124] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
IAT C:\WINDOWS\Explorer.exe[3320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll
IAT C:\WINDOWS\Explorer.exe[3320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe [136] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1032] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\Program Files\AskBarDis\bar\bin\AskService.exe [1072] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1124] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1368] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1512] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgnsx.exe [1520] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1756] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1904] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe [2032] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ c:\WINDOWS\system32\ZuneBusEnum.exe [2104] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [2320] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2676] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\Program Files\TortoiseSVN\bin\TSVNCache.exe [3284] 0x35670000
Library \\?\globalroot\Device\__max++>\C3A77CFE.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [3320] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETroywumpp.sys (*** hidden *** ) [SYSTEM] SKYNETmydjehbl <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl@imagepath \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl\modules@SKYNETcmd.dll \systemroot\system32\SKYNETbetspyfu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl@imagepath \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETroywumpp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl\modules@SKYNETcmd.dll \systemroot\system32\SKYNETbetspyfu.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs cru629.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\blocklist.xml 2644 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\bookmarkbackups 0 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\bookmarks.bak 136634 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\bookmarks.html 136634 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cert8.db 196608 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\chrome 0 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\compatibility.ini 180 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\compreg.dat 187923 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\content-prefs.sqlite 7168 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cookies.sqlite 414720 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cvhelper.log 17937 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\dh-conv-rules.rdf 686 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\dh-media-lists.rdf 517 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\dh-smart-names.rdf 198 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\downloads.sqlite 21504 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\extensions 0 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\extensions.cache 1258 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\extensions.ini 916 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\extensions.log 13504 bytes
File C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\extensions.rdf 11632 bytes

---- EOF - GMER 1.0.15 ----

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 20th September 2009, 9:13 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to delete:
SKYNETmydjehbl

Files to delete:
C:\WINDOWS\system32\drivers\SKYNETroywumpp.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl
HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 20th September 2009, 11:07 pm

Here you go. BTW I tried to run Hijack this after the scan and it still wasn't successful. It's doing the same thing.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "SKYNETmydjehbl" deleted successfully.
File "C:\WINDOWS\system32\drivers\SKYNETroywumpp.sys" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\SKYNETmydjehbl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\SKYNETmydjehbl" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 20th September 2009, 11:50 pm

Hello.
Try running Combofix now, the rootkit is dead.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 21st September 2009, 12:43 pm

I ran it and it showed a blue command prompt window for a second, then it uninstalled again.

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 21st September 2009, 12:51 pm

Hello.
Did you rename it?

Delete your copy of Combofix now, and re-download it.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 22nd September 2009, 3:50 pm

Yes I renamed it and it still does nothing.

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 22nd September 2009, 7:20 pm

Hello.

1. Download Win32kDiag from any of the following locations and save it to your Desktop.
[You must be registered and logged in to see this link.]
2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the [b]Win32kDiag.txt[b] file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 22nd September 2009, 10:11 pm

Here you go.

Running from: C:\Documents and Settings\Travis\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Travis\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP186B.tmp\ZAP186B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E8.tmp\ZAP2E8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\cfig\cfig

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3361704fe1a0367fcfe17758efab6972\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfbc39150cce12d1357ba324d4d0c40c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\94ZEJHTN\94ZEJHTN

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\KXHKAUG8\KXHKAUG8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-3069825194-2149376031-1139591230-1003\S-1-5-21-3069825194-2149376031-1139591230-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Symantec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!\Companion\Buttons\Buttons

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-3069825194-2149376031-1139591230-1003\S-1-5-21-3069825194-2149376031-1139591230-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\DRVSTORE\DRVSTORE

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-08-28 14:38:22 24689600 C:\WINDOWS\system32\MRT.exe ()



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\o02PrEz\o02PrEz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\os2\os2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\pad2\pad2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\uie1\uie1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\vMW02a\vMW02a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\win\win

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ZoneLabs\avsys\avsys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\AskBarDis\AskBarDis

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\2\2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\VHJhdmlz\VHJhdmlz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 23rd September 2009, 12:53 am

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: System Security 2009

Post by DamonJones on 23rd September 2009, 7:28 am

Here is the latest avenger log. And good news! Hijack this was finally able to complete a scan so I'll post both logs starting with the Avenger. Thanks again for all the help I really appreciate it.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:43 AM, on 9/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Travis\Desktop\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O1 - Hosts: 82.98.235.133 url.adtrgt.com
O1 - Hosts: 82.98.235.133 best-click-scanner.info
O1 - Hosts: 82.98.235.133 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.235.133 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.235.133 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.235.133 onlinenotifyq.net
O1 - Hosts: 82.98.235.133 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.235.133 microsoft.browser-security-center.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Travis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [mebitazibe] Rundll32.exe "C:\WINDOWS\system32\sisaziki.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [mebitazibe] Rundll32.exe "C:\WINDOWS\system32\sisaziki.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Unknown owner - C:\Program Files\Norton Ghost\Agent\VProSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\bazyrag.html

--
End of file - 12030 bytes

DamonJones
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-09-05
OS OS : XP
Points Points : 26573
# Likes # Likes : 0

View user profile

Back to top Go down

Re: System Security 2009

Post by Belahzur on 23rd September 2009, 6:40 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
    O1 - Hosts: 82.98.235.133 url.adtrgt.com
    O1 - Hosts: 82.98.235.133 best-click-scanner.info
    O1 - Hosts: 82.98.235.133 antivirus-xp-pro-2009.com
    O1 - Hosts: 82.98.235.133 microsoft.infosecuritycenter.com
    O1 - Hosts: 82.98.235.133 microsoft.softwaresecurityhelp.com
    O1 - Hosts: 82.98.235.133 onlinenotifyq.net
    O1 - Hosts: 82.98.235.133 antivirusxp-pro-2009.com
    O1 - Hosts: 82.98.235.133 microsoft.browser-security-center.com
    O4 - HKUS\S-1-5-19\..\Run: [mebitazibe] Rundll32.exe "C:\WINDOWS\system32\sisaziki.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [mebitazibe] Rundll32.exe "C:\WINDOWS\system32\sisaziki.dll",s (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
    O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum