Windows Police Pro :D

Windows Police Pro :D

Post by gasket300 on 21st September 2009, 12:14 am

I've read through at least 10 different "tutorials" on removing this badboy, but the problems I keep running into are:

1) Cannot find the malware files in the registry
2) Malwarebytes won't open, Superantispyware won't open

GMER will run and Combofix will run, however that is the extent of my ability...
Where do I start?

gasket300
Novice

Posts : 31
Joined : 2009-09-21
OS : xp pro
Points : 26597
# Likes : 0

Re: Windows Police Pro :D

Post by Dr Jay on 21st September 2009, 1:29 am

ComboFix should not be run without the guidance of a helper. It is a powerful tool and is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private or regular use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please post the log located at C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14309
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302960
# Likes : 10

Re: Windows Police Pro :D

Post by gasket300 on 21st September 2009, 5:39 pm

ComboFix 09-09-20.04 - corey 09/21/2009 12:24.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.809 [GMT -5:00]
Running from: c:\documents and settings\corey\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows Police Pro
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\svchast.exe
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\bszip.dll
c:\windows\system32\desot.exe
c:\windows\system32\drivers\gasfkylnktcsvm.sys
c:\windows\system32\gasfkycrxwmxoo.dll
c:\windows\system32\gasfkydilyejgy.dll
c:\windows\system32\gasfkyhlwowjof.dat
c:\windows\system32\gasfkyhonhsdkb.dat
c:\windows\system32\gasfkyxcpswkkb.dll
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\UA000035.DLL
c:\windows\wpd99.drv

c:\windows\system32\mstsc.exe . . . is infected!!

c:\windows\system32\wiaacmgr.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkytpldqukf
-------\Service_gasfkytpldqukf
-------\Legacy_AntipPolice_
-------\Service_AntipPolice_


((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-21 00:15 . 2009-09-21 00:15 -------- d-----w- c:\program files\Trend Micro
2009-09-20 22:45 . 2009-09-20 22:52 -------- d-----w- C:\ComboFix
2009-09-20 19:39 . 2009-09-21 04:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 18:56 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-20 18:56 . 2009-08-24 19:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-20 18:56 . 2009-08-19 16:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-20 18:56 . 2009-09-20 18:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-20 18:56 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-20 18:56 . 2009-09-20 19:01 -------- d-----w- c:\program files\Spyware Doctor
2009-09-20 18:56 . 2009-09-20 18:56 -------- d-----w- c:\documents and settings\corey\Application Data\PC Tools
2009-09-20 18:56 . 2009-09-20 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-20 18:46 . 2009-09-20 18:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-20 18:36 . 2009-09-20 18:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-20 18:30 . 2009-09-20 18:30 -------- d-----w- c:\documents and settings\corey\Application Data\Malwarebytes
2009-09-20 18:29 . 2009-09-20 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 18:20 . 2009-09-20 18:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\GiPo@Utilities
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-09-20 17:37 . 2009-09-20 17:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-14 22:30 . 2009-09-14 22:30 -------- d-----w- c:\program files\Native Instruments
2009-09-14 22:06 . 2009-09-14 22:06 -------- d-----w- c:\program files\Steinberg
2009-09-14 22:06 . 2009-09-14 22:06 -------- d-----w- c:\program files\Kjaerhus Audio
2009-09-14 01:04 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2009-09-10 00:26 . 2009-09-20 23:03 -------- d-sh--w- c:\documents and settings\corey\PrivacIE
2009-09-10 00:25 . 2009-09-10 00:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-10 00:25 . 2009-09-20 23:03 -------- d-sh--w- c:\documents and settings\corey\IETldCache
2009-09-10 00:18 . 2009-09-10 00:18 -------- d-----w- c:\windows\ie8updates
2009-09-10 00:16 . 2009-09-10 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-10 00:16 . 2009-09-10 00:16 -------- d-----w- c:\documents and settings\corey\Application Data\Yahoo!
2009-09-10 00:14 . 2009-09-10 00:16 -------- dc-h--w- c:\windows\ie8
2009-09-10 00:13 . 2009-09-10 00:18 -------- d--h--w- c:\windows\msdownld.tmp
2009-09-09 23:20 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-09 23:20 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-09 23:20 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-09 23:20 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-09 23:20 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-09 23:20 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-07 17:01 . 2009-09-07 17:01 -------- d-----w- c:\program files\BitTorrent
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\documents and settings\corey\Local Settings\Application Data\AOL OCP
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\AIM6
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\Netflix
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\Music Mixer 4
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\Veoh Networks
2009-09-05 14:44 . 2009-09-09 23:12 -------- d-----w- c:\program files\LimeWire
2009-09-03 22:12 . 2009-09-14 01:05 -------- d-----w- c:\program files\ASIO4ALL v2
2009-09-03 22:08 . 2009-09-03 22:32 -------- d-----w- c:\program files\Image-Line
2009-09-02 20:06 . 2009-09-05 14:44 -------- d-----w- c:\program files\Mozilla Firefox(2)
2009-08-26 04:05 . 2009-08-26 04:05 -------- d-----w- c:\documents and settings\corey\Application Data\AVS4YOU
2009-08-26 04:04 . 2009-08-26 04:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-26 04:03 . 2009-09-05 14:44 -------- d-----w- c:\program files\AVS4YOU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 23:03 . 2006-12-11 20:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-20 21:52 . 2006-06-11 03:21 60064 ----a-w- c:\documents and settings\corey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 18:23 . 2007-10-02 02:51 -------- d-----w- c:\program files\Vstplugins
2009-09-14 01:01 . 2006-08-24 17:56 -------- d-----w- c:\documents and settings\corey\Application Data\BitTorrent
2009-09-09 23:11 . 2006-07-03 00:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 02:59 . 2008-11-08 22:24 -------- d-----w- c:\program files\Common Files\AOL
2009-08-14 11:58 . 2009-09-20 18:56 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-07-03 17:09 . 2002-12-31 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2006-07-03 15:33 . 2006-07-03 15:33 5632 --sha-w- c:\program files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoWinKeys"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"BthServ"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"CryptSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/20/2009 1:56 PM 206256]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/8/2008 5:25 PM 24652]
S3 kbeepm;kbeepm;\??\c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys [?]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/20/2009 1:56 PM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-21 12:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1580436667-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
@DACL=(02 0000)
@="bootstrap.xaml.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
@DACL=(02 0000)
@="bootstrap.xbap.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xps\bootstrap]
@DACL=(02 0000)
@="bootstrap.xps.1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(724)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-09-21 12:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-21 17:36

Pre-Run: 36,498,518,016 bytes free
Post-Run: 37,255,786,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

197 --- E O F --- 2007-07-14 09:07

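A small triage helper for logs like the one posted above, added here as an example (it is not part of this thread and not a ComboFix feature). It splits a ComboFix log into its banner-delimited sections and flags the entries a helper acts on: files ComboFix reported as infected, a disabled Windows Firewall, suppressed Security Center notifications, Explorer policy restrictions, a driver loading from a Temp folder, and locked registry keys. The `SAMPLE_LOG` text is a constructed excerpt modelled on the log above, and the section titles and line formats it relies on are those visible in that log.

```python
"""Triage helper for ComboFix logs (added example, not part of this thread or of
ComboFix). Splits a log into its banner-delimited sections and flags the entries
a helper acts on. SAMPLE_LOG is a constructed excerpt modelled on the posted log."""
import re

# Banner lines such as "(((( Other Deletions ))))" or "---- LOCKED REGISTRY KEYS ----"
HEADER_RE = re.compile(r"^[(\-]{3,}\s*(.+?)\s*[)\-]{3,}$")
# Driver/service lines: "S3 name;display;path [date size]" or "... --> path [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+-->.*)?(?:\s+\[.*\])?$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Constructed sample, modelled on the log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Windows Police Pro
c:\windows\svchast.exe
c:\windows\system32\drivers\gasfkylnktcsvm.sys
c:\windows\system32\mstsc.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoWinKeys"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/20/2009 1:56 PM 206256]
S3 kbeepm;kbeepm;\??\c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys [?]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
@DACL=(02 0000)
@="bootstrap.xbap.1"
"""


def parse_sections(text):
    """Map each banner title to the non-empty lines beneath it ('.' filler dropped)."""
    sections = {}
    current = "Header"  # lines before the first banner, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        banner = HEADER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return (category, detail) findings in log order."""
    findings = []
    sections = parse_sections(text)

    # Files ComboFix removed, and system files it could only report as infected.
    for line in sections.get("Other Deletions", []):
        if line.endswith("is infected!!"):
            findings.append(("infected system file", line.split(" . . . ")[0]))
        else:
            findings.append(("removed", line))

    # Registry load points: weakened security settings and odd driver paths.
    key = ""
    for line in sections.get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1).lower()
            continue
        vm = VALUE_RE.match(line)
        if vm:
            name, value = vm.group(1), vm.group(2)
            if "firewallpolicy" in key and name == "EnableFirewall" and value.split()[:1] == ["0"]:
                findings.append(("firewall disabled", f"{name} = {value}"))
            elif key.endswith("security center") and name == "UpdatesDisableNotify" \
                    and re.search(r"dword:0*1$", value):
                findings.append(("security center notifications suppressed", name))
            elif key.endswith("policies\\explorer") and name.startswith("No"):
                findings.append(("explorer policy restriction", name))
            continue
        sm = SERVICE_RE.match(line)
        if sm and re.search(r"\\temp\\", sm.group(4), re.IGNORECASE):
            findings.append(("driver loaded from temp directory", f"{sm.group(2)} -> {sm.group(4)}"))

    # Keys whose DACL blocks normal access; ComboFix's Reglock:: directive targets these.
    for line in sections.get("LOCKED REGISTRY KEYS", []):
        km = KEY_RE.match(line)
        if km:
            findings.append(("locked registry key", km.group(1)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:40} {detail}")
```

Run it against a saved C:\ComboFix.txt by replacing `SAMPLE_LOG` with the file's contents; the regular expressions only follow the line shapes shown in the posted log, so a section ComboFix formats differently in another version will simply be ignored rather than misreported.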

Re: Windows Police Pro :D

Post by gasket300 on 21st September 2009, 5:40 pm

My computer won't start up normally, so I had to do this in safe mode. I've always had problems starting it up normally, and usually after a few tries, it will. This time it would not.

I brought it to a computer place a few years ago, and they said I'd have to replace the motherboard, so I just live with the hard starting problem.


Re: Windows Police Pro :D

Post by Dr Jay on 21st September 2009, 6:36 pm

Hi

I see you are running a P2P application. I suggest you read the following, and then decide whether you want to keep it or not: [You must be registered and logged in to see this link.]

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decide to uninstall it.

==
It will be easier to boot in to Safe Mode with Networking, so you can access the Internet.
Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=-

    File::
    c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
!! SAVE the file to your Desktop, but first rename it during the download to dontkillme.exe, then click the Save button.

Double Click dontkillme.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

==

In your next reply, please include the ComboFix and Malwarebytes logs, and tell me if you uninstalled Viewpoint and the P2P applications. Also, please tell me how your computer is running. Can you boot to Normal Mode?


Dr. Jay (DJ)




Re: Windows Police Pro :D

Post by gasket300 on 21st September 2009, 7:19 pm

ComboFix 09-09-20.04 - corey 09/21/2009 14:03.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.811 [GMT -5:00]
Running from: c:\documents and settings\corey\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\corey\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mstsc.exe . . . is infected!!

c:\windows\system32\wiaacmgr.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-21 00:15 . 2009-09-21 00:15 -------- d-----w- c:\program files\Trend Micro
2009-09-20 22:45 . 2009-09-20 22:52 -------- d-----w- C:\ComboFix
2009-09-20 19:39 . 2009-09-21 04:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 18:56 . 2009-09-21 19:01 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-20 18:56 . 2009-09-21 19:01 -------- d-----w- c:\program files\Spyware Doctor
2009-09-20 18:46 . 2009-09-20 18:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-20 18:36 . 2009-09-20 18:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-20 18:30 . 2009-09-20 18:30 -------- d-----w- c:\documents and settings\corey\Application Data\Malwarebytes
2009-09-20 18:29 . 2009-09-20 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 18:20 . 2009-09-20 18:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\GiPo@Utilities
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-09-20 17:37 . 2009-09-20 17:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-14 22:30 . 2009-09-14 22:30 -------- d-----w- c:\program files\Native Instruments
2009-09-14 22:06 . 2009-09-14 22:06 -------- d-----w- c:\program files\Steinberg
2009-09-14 22:06 . 2009-09-14 22:06 -------- d-----w- c:\program files\Kjaerhus Audio
2009-09-14 01:04 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2009-09-10 00:26 . 2009-09-20 23:03 -------- d-sh--w- c:\documents and settings\corey\PrivacIE
2009-09-10 00:25 . 2009-09-10 00:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-10 00:25 . 2009-09-20 23:03 -------- d-sh--w- c:\documents and settings\corey\IETldCache
2009-09-10 00:18 . 2009-09-10 00:18 -------- d-----w- c:\windows\ie8updates
2009-09-10 00:16 . 2009-09-10 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-10 00:16 . 2009-09-10 00:16 -------- d-----w- c:\documents and settings\corey\Application Data\Yahoo!
2009-09-10 00:14 . 2009-09-10 00:16 -------- dc-h--w- c:\windows\ie8
2009-09-10 00:13 . 2009-09-10 00:18 -------- d--h--w- c:\windows\msdownld.tmp
2009-09-09 23:20 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-09 23:20 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-09 23:20 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-09 23:20 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-09 23:20 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-09 23:20 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\Netflix
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\Music Mixer 4
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\Veoh Networks
2009-09-05 14:44 . 2009-09-09 23:12 -------- d-----w- c:\program files\LimeWire
2009-09-03 22:12 . 2009-09-14 01:05 -------- d-----w- c:\program files\ASIO4ALL v2
2009-09-03 22:08 . 2009-09-03 22:32 -------- d-----w- c:\program files\Image-Line
2009-09-02 20:06 . 2009-09-05 14:44 -------- d-----w- c:\program files\Mozilla Firefox(2)
2009-08-26 04:05 . 2009-08-26 04:05 -------- d-----w- c:\documents and settings\corey\Application Data\AVS4YOU
2009-08-26 04:04 . 2009-08-26 04:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-26 04:03 . 2009-09-05 14:44 -------- d-----w- c:\program files\AVS4YOU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 19:01 . 2006-12-11 20:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-21 18:59 . 2008-11-08 22:24 -------- d-----w- c:\program files\Common Files\AOL
2009-09-21 18:57 . 2006-08-24 17:56 -------- d-----w- c:\documents and settings\corey\Application Data\BitTorrent
2009-09-21 18:56 . 2008-11-08 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-20 21:52 . 2006-06-11 03:21 60064 ----a-w- c:\documents and settings\corey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 18:23 . 2007-10-02 02:51 -------- d-----w- c:\program files\Vstplugins
2009-09-09 23:11 . 2006-07-03 00:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 17:09 . 2002-12-31 12:00 915456 ------w- c:\windows\system32\wininet.dll
2006-07-03 15:33 . 2006-07-03 15:33 5632 --sha-w- c:\program files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoWinKeys"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"BthServ"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"CryptSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S3 kbeepm;kbeepm;\??\c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-21 14:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1580436667-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
@DACL=(02 0000)
@="bootstrap.xaml.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
@DACL=(02 0000)
@="bootstrap.xbap.1"

[HKEY_LOCAL_MACHINE\software\Classes\.xps\bootstrap]
@DACL=(02 0000)
@="bootstrap.xps.1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(520)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-09-21 14:12
ComboFix-quarantined-files.txt 2009-09-21 19:12
ComboFix2.txt 2009-09-21 17:36

Pre-Run: 37,312,376,832 bytes free
Post-Run: 37,282,934,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

157 --- E O F --- 2007-07-14 09:07





I deleted Viewpoint Media Player, BitTorrent, AIM6 (not sure if it's p2p). I didn't see any other P2P or viewpoint things.

No, my computer freezes on startup. It goes through the one with the black background, but stops when it says "Windows XP Starting up..." with a blue background. I still need to post the Malwarebytes log.


Re: Windows Police Pro :D

Post by gasket300 on 21st September 2009, 7:25 pm

Malwarebytes will not run. Every time I install and press Finish (I was trying all day yesterday, uninstalling and re-installing), I get this error message:
"An error occurred. Please report this to the Malwarebytes' Anti-Malware support team.

Error code: 703 (0, 48)"


Re: Windows Police Pro :D

Post by Dr Jay on 21st September 2009, 8:12 pm

Hi

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\Documents and Settings\corey\Local Settings\Temp\kbeepm.sys

    Reglock::
    [HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
    [HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
    [HKEY_LOCAL_MACHINE\software\Classes\.xps\bootstrap]
    [HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Please use Windows Explorer and make sure the following file is deleted:
c:\Documents and Settings\corey\Local Settings\Temp\kbeepm.sys

It must be deleted.

==

Please download and unzip [You must be registered and logged in to see this link.] to its own folder on your desktop.


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks


Please tell me if you have any problems doing any of the above.


Dr. Jay (DJ)




Re: Windows Police Pro :D

Post by gasket300 on 21st September 2009, 8:50 pm

ComboFix 09-09-20.04 - corey 09/21/2009 15:41.3.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.738 [GMT -5:00]
Running from: c:\documents and settings\corey\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\corey\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\documents and settings\corey\Local Settings\Temp\kbeepm.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mstsc.exe . . . is infected!!

c:\windows\system32\wiaacmgr.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-21 19:22 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 19:22 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-21 00:15 . 2009-09-21 00:15 -------- d-----w- c:\program files\Trend Micro
2009-09-20 22:45 . 2009-09-20 22:52 -------- d-----w- C:\ComboFix
2009-09-20 19:39 . 2009-09-21 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 18:56 . 2009-09-21 19:01 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-20 18:56 . 2009-09-21 19:01 -------- d-----w- c:\program files\Spyware Doctor
2009-09-20 18:46 . 2009-09-20 18:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-20 18:36 . 2009-09-20 18:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-20 18:30 . 2009-09-20 18:30 -------- d-----w- c:\documents and settings\corey\Application Data\Malwarebytes
2009-09-20 18:29 . 2009-09-20 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 18:20 . 2009-09-20 18:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\GiPo@Utilities
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-09-20 17:37 . 2009-09-20 17:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-14 22:30 . 2009-09-14 22:30 -------- d-----w- c:\program files\Native Instruments
2009-09-14 22:06 . 2009-09-14 22:06 -------- d-----w- c:\program files\Steinberg
2009-09-14 22:06 . 2009-09-14 22:06 -------- d-----w- c:\program files\Kjaerhus Audio
2009-09-14 01:04 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2009-09-10 00:26 . 2009-09-20 23:03 -------- d-sh--w- c:\documents and settings\corey\PrivacIE
2009-09-10 00:25 . 2009-09-10 00:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-10 00:25 . 2009-09-20 23:03 -------- d-sh--w- c:\documents and settings\corey\IETldCache
2009-09-10 00:18 . 2009-09-10 00:18 -------- d-----w- c:\windows\ie8updates
2009-09-10 00:16 . 2009-09-10 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-10 00:16 . 2009-09-10 00:16 -------- d-----w- c:\documents and settings\corey\Application Data\Yahoo!
2009-09-10 00:14 . 2009-09-10 00:16 -------- dc-h--w- c:\windows\ie8
2009-09-10 00:13 . 2009-09-10 00:18 -------- d--h--w- c:\windows\msdownld.tmp
2009-09-09 23:20 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-09 23:20 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-09 23:20 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-09 23:20 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-09 23:20 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-09 23:20 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\Netflix
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\Music Mixer 4
2009-09-05 14:45 . 2009-09-05 14:45 -------- d-----w- c:\program files\Veoh Networks
2009-09-05 14:44 . 2009-09-09 23:12 -------- d-----w- c:\program files\LimeWire
2009-09-03 22:12 . 2009-09-14 01:05 -------- d-----w- c:\program files\ASIO4ALL v2
2009-09-03 22:08 . 2009-09-03 22:32 -------- d-----w- c:\program files\Image-Line
2009-09-02 20:06 . 2009-09-05 14:44 -------- d-----w- c:\program files\Mozilla Firefox(2)
2009-08-26 04:05 . 2009-08-26 04:05 -------- d-----w- c:\documents and settings\corey\Application Data\AVS4YOU
2009-08-26 04:04 . 2009-08-26 04:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-26 04:03 . 2009-09-05 14:44 -------- d-----w- c:\program files\AVS4YOU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 19:01 . 2006-12-11 20:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-21 18:59 . 2008-11-08 22:24 -------- d-----w- c:\program files\Common Files\AOL
2009-09-21 18:57 . 2006-08-24 17:56 -------- d-----w- c:\documents and settings\corey\Application Data\BitTorrent
2009-09-21 18:56 . 2008-11-08 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-20 21:52 . 2006-06-11 03:21 60064 ----a-w- c:\documents and settings\corey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 18:23 . 2007-10-02 02:51 -------- d-----w- c:\program files\Vstplugins
2009-09-09 23:11 . 2006-07-03 00:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 17:09 . 2002-12-31 12:00 915456 ------w- c:\windows\system32\wininet.dll
2006-07-03 15:33 . 2006-07-03 15:33 5632 --sha-w- c:\program files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoWinKeys"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"BthServ"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"CryptSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S3 kbeepm;kbeepm;\??\c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-21 15:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1580436667-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(224)
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-21 15:46
ComboFix-quarantined-files.txt 2009-09-21 20:46
ComboFix2.txt 2009-09-21 19:12
ComboFix3.txt 2009-09-21 17:36

Pre-Run: 37,266,620,416 bytes free
Post-Run: 37,267,931,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

147 --- E O F --- 2007-07-14 09:07

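As an added defender-side example (my own code, not part of this thread, ComboFix or any tool named on it), here is a small Python triage that reads the two parts of the ComboFix log the helper acted on above: the driver/service lines (the `S3 kbeepm;kbeepm;\??\...\Temp\kbeepm.sys` entry) and the "Reg Loading Points" values such as `"EnableFirewall"= 0`. The sample lines are constructed from the shape of that log; the rules and the high/medium/low scale are my assumptions, not ComboFix's.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ComboFix "Reg Loading Points" section
# (a handful of lines, not the whole log). Names and paths are taken from the log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoWinKeys"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"CryptSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S3 kbeepm;kbeepm;\??\c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\corey\LOCALS~1\Temp\kbeepm.sys [?]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                         # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')            # "Name"= value
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.*)$')  # R4/S3 name;display;path
# Locations a legitimate kernel driver has no business loading from (assumption).
TEMP_RE = re.compile(r'\\(temp|locals~1|local settings)\\', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low": my own scale, an assumption
    reason: str
    line: str


def normalise_path(rest: str) -> str:
    """Reduce 'imagepath --> resolved [date size]' to the image path alone."""
    path = rest.split(' --> ')[0].strip()
    path = re.sub(r'\s+\[[^\]]*\]$', '', path)   # drop trailing "[?]" or "[date size]"
    if path.startswith('\\??\\'):                # strip the NT object-manager prefix
        path = path[4:]
    return path


def triage(log_text: str) -> list:
    """Walk the log once, remembering the current registry key, and flag indicators."""
    findings = []
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            first = value.split()[0] if value else ''
            if key.endswith(r'policies\explorer') and first.strip('0'):
                findings.append(Finding('low', f'Explorer restriction policy {name} is set', line))
            elif key.endswith(r'msconfig\services'):
                findings.append(Finding('low', f'service {name} disabled via msconfig '
                                               f'(saved start type {first})', line))
            elif (key.endswith(r'firewallpolicy\standardprofile')
                  and name == 'EnableFirewall' and first == '0'):
                findings.append(Finding('medium', 'Windows Firewall is disabled for the '
                                                  'standard profile', line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _kind, start, name, _display, rest = m.groups()
            path = normalise_path(rest)
            if TEMP_RE.search(path):
                word = 'driver' if path.lower().endswith('.sys') else 'service'
                findings.append(Finding('high', f'{word} {name} (start type {start}) loads '
                                                f'from a temp folder: {path}', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity}] {f.reason}')
```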

Re: Windows Police Pro :D

Post by gasket300 on 21st September 2009, 8:54 pm

D/L'ed IceSword onto desktop, extracted files onto desktop, will not run. This is the error msg:

"Open device failed, error code: 1073741762."


Re: Windows Police Pro :D

Post by gasket300 on 21st September 2009, 8:55 pm

c:\Documents and Settings\corey\Local Settings\Temp\kbeepm.sys: this file was not in my temp folder.


Re: Windows Police Pro :D

Post by gasket300 on 21st September 2009, 10:04 pm

Also, I have no anti-virus software on my computer, or anti-anything for that matter: no Norton, no McAfee, no Spybot, nothing.


Re: Windows Police Pro :D

Post by Dr Jay on 21st September 2009, 11:12 pm

Hi

Please download the [You must be registered and logged in to see this link.] and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

  • Once you have downloaded the file, double click the sarsfx icon
  • Review the licence agreement and click on the Accept button
  • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button

  • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)

    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you

  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now


Dr. Jay (DJ)



Re: Windows Police Pro :D

Post by gasket300 on 22nd September 2009, 12:15 am

Warning when I first started the scan:

Error: Could not initialize kernel driver memsweep.sys. Please restart and try again.

This service cannot be started in Safe Mode

at the end of the scan I got this:

Error: Encountered corrupt data structures during scan of drive C:. We suggest you check this disk for errors.

I'll try restarting in normal mode a few more times


Re: Windows Police Pro :D

Post by gasket300 on 22nd September 2009, 12:25 am

Holy moly, my computer started in normal mode again... Here's the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:36 PM, on 9/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - [You must be registered and logged in to see this link.]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 3458 bytes


Re: Windows Police Pro :D

Post by Dr Jay on 22nd September 2009, 2:26 am

Please try the Sophos Rootkit scanner in Normal Mode.


Dr. Jay (DJ)



Re: Windows Police Pro :D

Post by gasket300 on 22nd September 2009, 8:25 am

Still get this msg when it's finished.

Error: Encountered corrupt data structures during scan of drive C:. We suggest you check this disk for errors.

Other than that, I'd like to wait to restart it, b/c it may never restart... Thank you for all your time; you helped me big time. I'm sure I'll be back.


Re: Windows Police Pro :D

Post by Dr Jay on 22nd September 2009, 3:42 pm

Hi

Rooter Rootkit Detector - [You must be registered and logged in to see this link.]

Download [You must be registered and logged in to see this link.] to your desktop

  1. Double click it to start the tool.
  2. A Notepad file containing the report will open, also found at %systemdrive%(usually C:)\Rooter.txt. Post that log in your next reply.


Dr. Jay (DJ)



Re: Windows Police Pro :D

Post by gasket300 on 24th September 2009, 12:28 am

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 2
[32_bits] - x86 Family 6 Model 13 Stepping 6, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:55 Go - Free:33 Go )
.
Scan : 19:25.42
Path : C:\Documents and Settings\corey\Desktop\Rooter.exe
User : corey ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (540)
______ \??\C:\WINDOWS\system32\csrss.exe (608)
______ \??\C:\WINDOWS\system32\winlogon.exe (640)
______ C:\WINDOWS\system32\services.exe (848)
______ C:\WINDOWS\system32\lsass.exe (860)
______ C:\WINDOWS\system32\svchost.exe (1020)
______ C:\WINDOWS\system32\svchost.exe (1088)
______ C:\WINDOWS\System32\svchost.exe (1124)
______ C:\WINDOWS\system32\svchost.exe (1180)
______ C:\WINDOWS\system32\svchost.exe (1256)
______ C:\WINDOWS\system32\spoolsv.exe (1572)
______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (2016)
______ C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (172)
______ C:\WINDOWS\system32\svchost.exe (376)
______ C:\WINDOWS\System32\alg.exe (1028)
______ C:\WINDOWS\Explorer.EXE (1776)
______ C:\WINDOWS\system32\wscntfy.exe (2028)
______ C:\WINDOWS\System32\svchost.exe (1040)
______ C:\WINDOWS\system32\ctfmon.exe (240)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (3500)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (3664)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (2664)
______ C:\WINDOWS\system32\wuauclt.exe (2868)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (2100)
______ C:\Documents and Settings\corey\Desktop\Rooter.exe (160)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:60011610624)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\DOCUME~1\corey\Complete\Acoustica CD and DVD Label Software - Includes working crack and a large collection of added content.zip
C:\DOCUME~1\corey\Complete\Acronis Drive Cleanser 6.0 include crack by NeoCoderz.zip
C:\DOCUME~1\corey\Complete\Music Editing Master v5 2 +crack [yahaa org].zip
C:\DOCUME~1\corey\Complete\SymantecNorton Internet Security 2007 (with crack).zip
C:\DOCUME~1\corey\Complete\Windows Vista Acrivation MEGA crack [keznews com].zip
C:\DOCUME~1\corey\Complete\WMP 11 (cracked 4 No WGA) rar.zip
C:\DOCUME~1\corey\Desktop\flmp3\fltor\Crack\crack.exe
C:\DOCUME~1\corey\My Documents\BitTorrent Downloads\FL\Crack\crack.exe
C:\DOCUME~1\corey\Complete\Ahead Nero Burning Rom V7 5 9 0 keygen.zip
C:\DOCUME~1\corey\Complete\nero keygen all versions.zip
C:\DOCUME~1\corey\Complete\norton-keygen all versions.zip
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 19:26.00
.
C:\Rooter$\Rooter_1.txt - (23/09/2009 | 19:26.00).c


Re: Windows Police Pro :D

Post by Dr Jay on 24th September 2009, 12:59 am

Hi

==> Cracks & Keygens <==

What is so bad about Cracks, Hacks, Pirated software, warez, or Keygens?

I have been questioned many times on why these things are bad. I will tell you that they are one of the top distributors of malware, and are rarely safe.

Most popular cracks or keygens I see are for Adobe CS3, a lot of different games, Nero, Kaspersky antivirus, and much more. All of these cracks and keygens have what is called "cloaked malware." Most hacks for games that come in the form of a program or installer will also be infected. It is the opportunity for attackers to present a seemingly safe situation where the opportunity to steal something is in play, while the malware infects your system in the process. Yes, it will install what you were looking for, but also allow malware to potentially take control of your computer.

Lastly, it is illegal.

Unfortunately, your log shows a dangerous trojan and worm residing on your computer which have backdoor functionality. It is possible that a remote attacker has already breached your computer. If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. This is what happens when you download cracks and keygens. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Please let me know if you would like to continue with trying to clean your computer.

Instead, if you decide to format and reinstall, please disconnect your computer from the Internet immediately.


Dr. Jay (DJ)

