Ratchetstrike
  1. I ran a full scan last night and it came up with 2 infections, msvcrt.dll & shfolder.dll, inside of Adobe Photoshop CS3. I've uploaded these both to VirusTotal and it has found nothing, but they seem to have a lot of information near the packers section. Also, my Photoshop CS3 is cracked; it seems to work fine when using it. Here are the VirusTotal reports:
     http://www.virustotal.com/analisis/cb5d45d...fecd-1266396367
     http://www.virustotal.com/analisis/04f2661...3013-1266396243
     I notice they're packed with yoda's crypter; apparently this is used commonly to hide malware or something: http://groups.google.com/group/alt.comp.vi...b7321ebe6aa89f8
  2. Ok, I ran Malwarebytes and it says this:
     D:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys (Trojan.Agent) -> No action taken.
     D:\WINDOWS\system32\sysproc64\sysproc32.sys (Trojan.Agent) -> No action taken.
     D:\WINDOWS\system32\sysproc64\sysproc86.sys (Trojan.Agent) -> No action taken.
     I've opened up the folder sysproc64 and inside are two files which are blue in text; sysproc32.sys is 0kb and sysproc86.sys is 107kb. I've uploaded them to VirusTotal and Jotti and they have come back 0% on both scanners. Are these actually malware or needed system files? Doesn't sysproc stand for system processor?
  3. Ok, so just recently my computer has been acting up, like freezing and not letting me move my mouse for 2-3 seconds, or crashing to a nv4_disp.dll Page_fault_in_nonpaged_area bluescreen while playing games. I also have trouble connecting to my wireless, with Tcpip spamming my event viewer.

     ---------------------------------------------------------
     The Nv4_disp.dll Problem
     Ok, so randomly while playing games I crash to this. I have tested my RAM with memtest86; I let it do 7 full passes and it came back with 0 errors. I've tried updating my nvidia drivers but the problem keeps arising....

     -----------------------------------------------------------
     The Gura.exe Problem
     In my event viewer, before or right after these bluescreens, I get:
     The administrator NT AUTHORITY\SYSTEM canceled job "D:\WINDOWS\TEMP\GURA.exe" on behalf of HOME-38D73EF425\Ryan. The job ID was {CECBBF4C-BFDE-48A6-A61A-54C403543F29}.
     It used to be called GUR2.exe but has changed recently... Its source is BITS and its event is 16384.

     -----------------------------------------------------
     Tcpip Problem
     I have trouble connecting to my wireless sometimes, with
     The system detected that network adapter Ralink...LAN Card - Packet Scheduler Miniport was connected to the network, and has initiated normal operation over the network adapter.
     being spammed in my event viewer about 40 times; its event is 4201. I believe this might be linked to a Malware.Trace in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid

     -------------------
     I have attached a HijackThis log and a Malwarebytes log, as my Malwarebytes has found 5 Trojan.Agents and 4 Backdoor.Bots, one of which trojan is sysproc86, sysproc64, and sysproc32.

     MBAM log

     Malwarebytes' Anti-Malware 1.44
     Database version: 3747
     Windows 5.1.2600 Service Pack 2
     Internet Explorer 6.0.2900.2180

     16/02/2010 7:38:08 PM
     mbam-log-2010-02-16 (19-38-03).txt

     Scan type: Quick Scan
     Objects scanned: 132585
     Time elapsed: 10 minute(s), 3 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 4
     Registry Values Infected: 1
     Registry Data Items Infected: 2
     Folders Infected: 2
     Files Infected: 3

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
     HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
     HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
     HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.

     Registry Data Items Infected:
     HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

     Folders Infected:
     D:\Documents and Settings\LocalService\Application Data\sysproc64 (Trojan.Agent) -> No action taken.
     D:\WINDOWS\system32\sysproc64 (Trojan.Agent) -> No action taken.

     Files Infected:
     D:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys (Trojan.Agent) -> No action taken.
     D:\WINDOWS\system32\sysproc64\sysproc32.sys (Trojan.Agent) -> No action taken.
     D:\WINDOWS\system32\sysproc64\sysproc86.sys (Trojan.Agent) -> No action taken.

     HJT log

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 7:46:44 PM, on 16/02/2010
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     D:\WINDOWS\System32\smss.exe
     D:\WINDOWS\system32\winlogon.exe
     D:\WINDOWS\system32\services.exe
     D:\WINDOWS\system32\lsass.exe
     D:\WINDOWS\system32\nvsvc32.exe
     D:\WINDOWS\system32\svchost.exe
     D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
     D:\WINDOWS\system32\svchost.exe
     D:\Program Files\Alwil Software\Avast5\AvastSvc.exe
     D:\WINDOWS\system32\spoolsv.exe
     D:\WINDOWS\system32\cisvc.exe
     D:\Program Files\Java\jre6\bin\jqs.exe
     D:\Program Files\Kontiki\KService.exe
     D:\WINDOWS\system32\PnkBstrB.exe
     D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     D:\WINDOWS\System32\TUProgSt.exe
     D:\WINDOWS\system32\atwtusb.exe
     D:\WINDOWS\Explorer.EXE
     D:\WINDOWS\system32\atwtusb.exe
     D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
     D:\Program Files\PowerISO\PWRISOVM.EXE
     D:\Program Files\Unlocker\UnlockerAssistant.exe
     D:\Program Files\Java\jre6\bin\jusched.exe
     D:\WINDOWS\system32\RUNDLL32.EXE
     D:\WINDOWS\system32\WTMKM.exe
     D:\WINDOWS\RTHDCPL.EXE
     D:\WINDOWS\system32\RunDll32.exe
     D:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
     D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
     D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     D:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
     D:\Program Files\RALINK\Common\RaUI.exe
     D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
     D:\Program Files\Thoosje\thoosje vista sidebar\Thoosje Sidebar.exe
     D:\Documents and Settings\Ryan\My Documents\Winflip\WinFlip.exe
     D:\Program Files\Mozilla Firefox\firefox.exe
     D:\WINDOWS\system32\mmc.exe
     D:\WINDOWS\System32\svchost.exe
     D:\Program Files\Java\jre6\bin\jucheck.exe
     D:\WINDOWS\system32\cidaemon.exe
     D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
     D:\Documents and Settings\Ryan\Desktop\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
     O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - D:\Program Files\IEPro\iepro.dll
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll
     O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - D:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
     O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
     O4 - HKLM\..\Run: [unlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
     O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [MacrokeyManager] WTMKM.exe
     O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
     O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
     O4 - HKLM\..\Run: [avast5] D:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
     O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
     O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
     O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
     O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
     O4 - Startup: Thoosje Sidebar.lnk = D:\Program Files\Thoosje\thoosje vista sidebar\Thoosje Sidebar.exe
     O4 - Startup: WinFlip.lnk = D:\Documents and Settings\Ryan\My Documents\Winflip\WinFlip.exe
     O4 - Global Startup: LoopBe1 Monitor.lnk = D:\Program Files\nerds.de\LoopBe1\loopBeMon.exe
     O4 - Global Startup: Ralink Wireless Utility.lnk = D:\Program Files\RALINK\Common\RaUI.exe
     O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\iepro.dll
     O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\iepro.dll
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\jp2iexp.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\jp2iexp.dll
     O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - D:\Program Files\Paltalk Messenger\Paltalk.exe
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O9 - Extra button: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: @D:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199300685734
     O17 - HKLM\System\CCS\Services\Tcpip\..\{8DDBA5D9-4A76-442D-B5C3-CD93D7CF3D01}: NameServer = 192.168.1.254
     O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
     O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
     O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
     O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast5\AvastSvc.exe
     O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast5\AvastSvc.exe
     O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast5\AvastSvc.exe
     O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
     O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
     O23 - Service: Google Update Service (gupdate1ca217f867ce258) (gupdate1ca217f867ce258) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: KService - Kontiki Inc. - D:\Program Files\Kontiki\KService.exe
     O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe
     O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
     O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe
     O23 - Service: WTService - Unknown owner - D:\WINDOWS\system32\atwtusb.exe

     --
     End of file - 9101 bytes