Virus Removal Help


Re: Virus Removal Help

Post by Japanese on Tue Mar 03, 2009 7:13 pm

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32256]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-17 342848]
"Google Update"="c:\documents and settings\TXS6696\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-25 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 53339]
"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2008-05-15 92720]
"VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2008-05-15 268848]
"NAL"="c:\program files\novell\zenworks\nalwin.exe" [2007-12-24 382464]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Startup"="c:\windows\system32\startup.exe" [2005-07-18 121315]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 61440]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1904640]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-30 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-30 137752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 425984]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2008-05-28 61440]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2008-05-28 65536]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

c:\documents and settings\TXS6696\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2008-01-04 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-12-24 22:21 24576 c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
2008-05-15 22:23 364544 c:\windows\system32\TPSvc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"57547:TCP"= 57547:TCP:Pando Media Booster
"57547:UDP"= 57547:UDP:Pando Media Booster

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-06-23 17968]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-06-23 34671]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-05-23 6899]
R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [2008-06-23 92592]
R2 LGTO_Sync;Sync Driver;c:\windows\system32\drivers\lgtosync.sys [2008-06-23 36400]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-05-09 188416]
R2 VMMEMCTL;VMware server memory controller;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [2008-05-15 15408]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2007-12-24 81920]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-05-23 2773]
S2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [2008-05-15 264752]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-08-04 2176]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2008-05-15 315392]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2008-06-23 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-06-23 62768]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2008-06-23 34992]
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-426075309-104346630-1563886607-1016.job
- c:\documents and settings\TXS6696\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-25 16:15]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;reef000s288.cert.mobiledomain.net;mobile.domain;10.1.0.51;*.coppellisd.com
uInternet Settings,ProxyServer = 10.0.0.6:8080
IE: &Search
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\TXS6696\Application Data\Mozilla\Firefox\Profiles\tjzcl9gp.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-03 13:03:02
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1232)
c:\windows\system32\NETWIN32.DLL
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\Novell\ncplw32.dll
c:\windows\system32\novell\nls\english\NetIdent.dll
c:\windows\system32\Novell\xtagent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\nexon\MapleStory\npkcmsvc.exe
c:\windows\system32\stacsv.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-03-03 13:09:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 19:09:14
ComboFix2.txt 2009-03-03 01:40:34

Pre-Run: 34,942,062,592 bytes free
Post-Run: 34,971,398,144 bytes free

666 --- E O F --- 2009-02-26 23:22:30



Japanese
Senior

Posts : 204
Joined : 2008-11-29
Gender : Male
OS : Windows 7
Protection : Malwarebytes Anti Malware and Kaspersky
Points : 29689
# Likes : 0


Re: Virus Removal Help

Post by Belahzur on Tue Mar 03, 2009 7:14 pm

Hello.
Really, this is a waste of my time and yours.
This infection is Virut, Virut CANNOT be fixed.

c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1


Re: Virus Removal Help

Post by Japanese on Tue Mar 03, 2009 9:13 pm

Well... there goes $1450 down the drain... thanks though...




Re: Virus Removal Help

Post by Belahzur on Tue Mar 03, 2009 10:22 pm

Just format the machine, you have an XP disc right?





Re: Virus Removal Help

Post by Japanese on Wed Mar 04, 2009 12:25 am

No o.o




Re: Virus Removal Help

Post by Belahzur on Wed Mar 04, 2009 12:41 am

They should be pretty much giving away XP discs now.
If MS are still offering the beta for 7, use that for now, free to download.





Re: Virus Removal Help

Post by Japanese on Wed Mar 04, 2009 4:22 pm

How long will the download be?




Re: Virus Removal Help

Post by Belahzur on Wed Mar 04, 2009 4:29 pm

Depends on your internet connection.
I could download the beta in about 2-3hrs.




