tyler

  1. ROOTREPEAL © AD, 2007-2008
     ==================================================
     Scan Time: 2009/03/09 23:24
     Program Version: Version 1.2.3.0
     Windows Version: Windows XP SP3
     ==================================================

     Drivers
     -------------------
     Name: dump_atapi.sys
     Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
     Address: 0xEFC54000 Size: 98304 File Visible: No Status: -

     Name: dump_WMILIB.SYS
     Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
     Address: 0xF8BD3000 Size: 8192 File Visible: No Status: -

     Name: rootrepeal.sys
     Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
     Address: 0xEF54E000 Size: 45056 File Visible: No Status: -

     Hidden/Locked Files
     -------------------
     Path: C:\WINDOWS\WindowsUpdate.log
     Status: Size mismatch (API: 543111, Raw: 541964)

     Path: C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
     Status: Size mismatch (API: 835524, Raw: 835070)

     Path: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
     Status: Size mismatch (API: 1024, Raw: 24576)

     Path: C:\WINDOWS\SoftwareDistribution\Download\f9a482c6548f5fe0d3c6095f8a2de4fc
     Status: Invisible to the Windows API!

     Path: C:\WINDOWS\SoftwareDistribution\Download\6468021b2765d1cbe95cbb4632ff65b7
     Status: Invisible to the Windows API!

     Path: C:\WINDOWS\SoftwareDistribution\Download\e32e42b86ada41fe0c947743c71f222c
     Status: Visible to the Windows API, but not on disk.

     Path: C:\WINDOWS\SoftwareDistribution\Download\21b9c2f7b1db683e3d83bfb825d32092
     Status: Visible to the Windows API, but not on disk.

     Path: C:\WINDOWS\SoftwareDistribution\Download\f9a482c6548f5fe0d3c6095f8a2de4fc\_downloadprogress_.state
     Status: Invisible to the Windows API!

     Path: C:\WINDOWS\SoftwareDistribution\Download\f9a482c6548f5fe0d3c6095f8a2de4fc\_useselfcontained_.state
     Status: Invisible to the Windows API!

     Path: C:\WINDOWS\SoftwareDistribution\Download\f9a482c6548f5fe0d3c6095f8a2de4fc\BIT1.TMP
     Status: Invisible to the Windows API!

     Path: C:\WINDOWS\SoftwareDistribution\Download\6468021b2765d1cbe95cbb4632ff65b7\_downloadprogress_.state
     Status: Invisible to the Windows API!

     Also:

     23:25:11: Could not enumerate files in dir '\\?\C:\WINDOWS\SoftwareDistribution\Download\f9a482c6548f5fe0d3c6095f8a2de4fc\*' with the Windows API! Error code - 0x00000003
     23:25:11: Could not enumerate files in dir '\\?\C:\WINDOWS\SoftwareDistribution\Download\6468021b2765d1cbe95cbb4632ff65b7\*' with the Windows API! Error code - 0x00000003
     23:25:11: Could not enumerate files in dir '\\?\C:\WINDOWS\SoftwareDistribution\Download\704dacb1466b612a883116cd01445169\*' with the Windows API! Error code - 0x00000003
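The RootRepeal output in the post above is a cross-view report: the tool asks the Windows API for a directory listing and file sizes, reads the same data from the raw disk, and prints every disagreement. A rootkit hooking the API shows up as a disagreement, but so does a log file that grows while the scan runs, or a Windows Update job folder that BITS creates and tears down mid-scan. The script below is an added example (not part of the original post, and not RootRepeal's own code) that parses the "Hidden/Locked Files" section and the "Could not enumerate" errors and sorts them into a "review" bucket and a "likely benign" bucket. The two allow-list heuristics (size mismatch on a file ending in .log; hidden, API-only or error-3 entries under the SoftwareDistribution download folder) are assumptions to tune per host, and the sample input adds one line not in the report (ojmpkcyu.sys, the driver Malwarebytes quarantined elsewhere in the thread) to show what a non-allowlisted hidden file looks like.

```python
"""Triage the "Hidden/Locked Files" section of a RootRepeal report.

RootRepeal is a cross-view tool: it compares what the Windows API reports
with what it reads from the raw disk and lists every disagreement. The
disagreements below are sorted with two heuristics (assumptions, not
rules): size mismatches on log/hive-transaction files are usually scan-time
churn, and Windows Update / BITS job folders under the SoftwareDistribution
download folder routinely appear, vanish, or refuse enumeration with
error 3 (ERROR_PATH_NOT_FOUND) while a download is in flight.
"""
import re

# Constructed sample: lines from the report above, one field per line, plus one
# line (ojmpkcyu.sys) that is NOT in the report, added to show a non-allowlisted
# hidden file landing in the "review" bucket.
SAMPLE_REPORT = r"""
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\WindowsUpdate.log
Status: Size mismatch (API: 543111, Raw: 541964)
Path: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
Status: Size mismatch (API: 1024, Raw: 24576)
Path: C:\WINDOWS\SoftwareDistribution\Download\f9a482c6548f5fe0d3c6095f8a2de4fc
Status: Invisible to the Windows API!
Path: C:\WINDOWS\SoftwareDistribution\Download\e32e42b86ada41fe0c947743c71f222c
Status: Visible to the Windows API, but not on disk.
Path: C:\WINDOWS\system32\drivers\ojmpkcyu.sys
Status: Invisible to the Windows API!
23:25:11: Could not enumerate files in dir '\\?\C:\WINDOWS\SoftwareDistribution\Download\704dacb1466b612a883116cd01445169\*' with the Windows API! Error code - 0x00000003
"""

PATH_RE = re.compile(r"^Path:\s*(.+?)\s*$")
STATUS_RE = re.compile(r"^Status:\s*(.+?)\s*$")
SIZE_RE = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")
ENUM_RE = re.compile(
    r"Could not enumerate files in dir '\\\\\?\\(.+?)\\\*'.*Error code - 0x([0-9A-Fa-f]+)"
)

CHURN_SUFFIXES = (".log",)                          # files written continuously
UPDATE_DIR = "\\softwaredistribution\\download\\"   # BITS / Windows Update job folders
ERROR_PATH_NOT_FOUND = 3


def parse_report(text):
    """Return ([(path, status), ...], [(directory, error_code), ...])."""
    findings, enum_errors, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PATH_RE.match(line)):
            pending = m.group(1)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            findings.append((pending, m.group(1)))
            pending = None
        elif (m := ENUM_RE.search(line)):
            enum_errors.append((m.group(1), int(m.group(2), 16)))
    return findings, enum_errors


def kind(status):
    """Map a RootRepeal status string to the kind of cross-view disagreement."""
    s = status.lower()
    if s.startswith("size mismatch"):
        return "size_mismatch"      # API size != raw on-disk size
    if s.startswith("invisible to the windows api"):
        return "hidden_from_api"    # on disk, not listed by the API
    if s.startswith("visible to the windows api, but not on disk"):
        return "api_only"           # listed by the API, not found on disk
    return "other"


def likely_benign(path, status):
    """Heuristic allow-list (an assumption); anything it misses needs a human."""
    p, k = path.lower(), kind(status)
    if k == "size_mismatch" and p.endswith(CHURN_SUFFIXES):
        return True
    if k in ("hidden_from_api", "api_only") and UPDATE_DIR in p:
        return True
    return False


def triage(text):
    """Split the report into {"review": [...], "likely_benign": [...]}."""
    findings, enum_errors = parse_report(text)
    report = {"review": [], "likely_benign": []}
    for path, status in findings:
        entry = {"path": path, "kind": kind(status), "status": status}
        if (m := SIZE_RE.search(status)):
            entry["api_size"], entry["raw_size"] = int(m.group(1)), int(m.group(2))
        report["likely_benign" if likely_benign(path, status) else "review"].append(entry)
    for directory, code in enum_errors:
        benign = code == ERROR_PATH_NOT_FOUND and UPDATE_DIR in directory.lower()
        report["likely_benign" if benign else "review"].append(
            {"path": directory, "kind": "enum_error", "status": f"error 0x{code:08x}"}
        )
    return report


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(f"== {bucket} ({len(entries)})")
        for e in entries:
            sizes = f" api={e['api_size']} raw={e['raw_size']}" if "api_size" in e else ""
            print(f"  [{e['kind']}] {e['path']}{sizes}")
```

On the report above this puts every finding in the benign bucket: the three size mismatches are on files the OS writes continuously, and every hidden, API-only or unenumerable entry sits under a Windows Update download folder. The allow-list is deliberately narrow; a driver in system32\drivers that the API cannot see, like the constructed last line, is exactly the case that must reach a human.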
  2. OK, here's my latest HijackThis, and the other program showed no viruses. PS: I'm not sure if step 2 worked correctly because on the black screen it showed a few files and then said access denied.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 7:35:24 AM, on 2/8/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16762)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Bell\Security Manager\Fws.exe
     C:\WINDOWS\system32\LEXBCES.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\LEXPPS.EXE
     C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Personal Vault\VaultClientUpgrade.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\MSN Messenger\msnmsgr.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Trend Micro\HijackThis\tyler.exl.exe
     C:\WINDOWS\System32\svchost.exe

     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
     O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
     O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
     O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe
     O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
     O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
     O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

     --
     End of file - 2355 bytes
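This thread carries HijackThis logs from the same machine on 2/5, 2/6 and 2/8, and what a helper actually reads out of a series like that is the delta: which R/O entries and which processes appeared or vanished between snapshots (the Yahoo! toolbar R3/O2/O3 lines present on 2/5 are gone by 2/8; an msnmsgr Run key and process are new; the HijackThis binary itself changes name). The script below is an added example, not part of the original post and not HijackThis code, that parses two logs into sets keyed by entry type and prints the difference. Its two inputs are constructed excerpts of the 2/5 and 2/8 logs from this page, re-wrapped one item per line; the entry-line regex assumes the standard HijackThis 2.0.x "Xn - ..." layout.

```python
"""Diff two HijackThis logs from the same machine.

A HijackThis log is a snapshot: a "Running processes:" list followed by
typed entries (R1 for IE start/search pages, R3 for URL search hooks,
O2 for BHOs, O3 for toolbars, O4 for Run keys, O23 for services, ...).
Across several logs the useful question is what changed, so the two
snapshots are parsed into sets keyed by entry type and compared.
"""
import re
from collections import Counter

# Constructed samples: excerpts of the 2/5/2009 and 2/8/2009 logs in this thread,
# re-wrapped one item per line (the page shows them run together).
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:01 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
-- End of file - 3244 bytes
"""

NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:24 AM, on 2/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\tyler.exl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
-- End of file - 2355 bytes
"""

# "R1 - ...", "O23 - ..." and so on; group 1 is the type, group 2 the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Return {"scan_time": str, "processes": [...], "entries": {type: set}}."""
    log = {"scan_time": "", "processes": [], "entries": {}}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--"):
            continue
        if line.startswith("Scan saved at"):
            log["scan_time"] = line[len("Scan saved at"):].strip()
        elif line == "Running processes:":
            in_processes = True
        elif (m := ENTRY_RE.match(line)):
            in_processes = False            # first typed entry ends the process list
            log["entries"].setdefault(m.group(1), set()).add(m.group(2))
        elif in_processes:
            log["processes"].append(line)
    return log


def _type_order(code):
    return (code[0], int(code[1:]))


def diff_hjt(old, new):
    """Entries and processes present in `new` but not `old`, and vice versa."""
    result = {"added": {}, "removed": {}, "procs_added": [], "procs_removed": []}
    for code in sorted(set(old["entries"]) | set(new["entries"]), key=_type_order):
        before, after = old["entries"].get(code, set()), new["entries"].get(code, set())
        if after - before:
            result["added"][code] = sorted(after - before)
        if before - after:
            result["removed"][code] = sorted(before - after)
    # Processes form a multiset (several svchost.exe), so diff them as Counters.
    before = Counter(p.lower() for p in old["processes"])
    after = Counter(p.lower() for p in new["processes"])
    result["procs_added"] = sorted((after - before).elements())
    result["procs_removed"] = sorted((before - after).elements())
    return result


if __name__ == "__main__":
    old, new = parse_hjt(OLD_LOG), parse_hjt(NEW_LOG)
    d = diff_hjt(old, new)
    print(f"{old['scan_time']}  ->  {new['scan_time']}")
    for label, sign in (("removed", "-"), ("added", "+")):
        for code, items in d[label].items():
            for item in items:
                print(f"  {sign} {code} - {item}")
    for p in d["procs_removed"]:
        print(f"  - process {p}")
    for p in d["procs_added"]:
        print(f"  + process {p}")
```

Lower-casing process paths before comparing matters here because HijackThis prints both System32 and system32 for the same directory; entry bodies are compared verbatim, since a changed path or CLSID in an O2/O23 line is precisely the kind of change worth seeing.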
  3. Oh yeah, when I ran the reboot program there was a duck in the top corner before the program loaded; not sure if this was normal.
  4. My system is running OK. Before I did the stuff yesterday my system was rebooting itself by closing down Windows; now it seems the system might be running a bit slower, but everything seems good. So you know, I got this virus from Antivirus 2008, if that helps.

     Malwarebytes' Anti-Malware 1.33
     Database version: 1736
     Windows 5.1.2600 Service Pack 3

     2/6/2009 8:16:33 PM
     mbam-log-2009-02-06 (20-16-33).txt

     Scan type: Quick Scan
     Objects scanned: 60932
     Time elapsed: 5 minute(s), 33 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 8:17:15 PM, on 2/6/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16762)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Bell\Security Manager\Fws.exe
     C:\WINDOWS\system32\LEXBCES.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\LEXPPS.EXE
     C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Personal Vault\VaultClientUpgrade.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\internet explorer\iexplore.exe
     C:\WINDOWS\system32\NOTEPAD.EXE
     C:\Program Files\Trend Micro\HijackThis\tyler.exl.exe

     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
     O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
     O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe
     O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
     O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
     O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

     --
     End of file - 2274 bytes
  5. OK, I ran the program and here is the log:

     checking master boot record of drive 128
     129 error (2): cannot read record
     auto excluding /sys/ from scans (is a special fs)
     auto excluding /proc from scans (is a special fs)
     checking /mnt/ then some Bell Security archive stuff comes up
     warning: archive not completely scanned: content encrypted
     /mnt/hda1/docume~1/user/desktop/combofix.exe
     ALERT: [APPL/PsExec] /mnt/hda1/docume~1/user/desktop/combofix.exe --arrow 32788r22fwjfw (it's the backward one) /psexec.cfexe

     Next there are zsnes files, a bunch, so I won't put them all, just an example:
     /mnt/hda1/docume~1/guest/desktop/zsnesw~1.exe
     All say in brackets (unknown or unsupported compression method), and the same for snes9x.exe.

     Warning: archive not completely scanned: format unsupported
     archive: /mnt/hda1/program~1/common~1/scannerppcleaner --arrow vete.dll extract error
     then the same with inocboot.exe extract error
     warning: archive not completely scanned: process error
     mnt/hda1/progra~1/bitlord/downlo~1/thelor~1.bc --arrow unknown extract error
     (about 20 of these BitLord ones)
     archive: /mnt/hda1/system~1/_resto~1/rp1041/a0119296.exe
     license.txt extract error (unknown or unsupported compression methods)
     gens.exe, gens.hlp, gens.txt, history.txt, kailleraclient all extract errors with the same bracket description, and not completely scanned.

     Alert [adspy/softomate.K.8.] /mnt/hda/system~1/resto~1/rp10042/a0119565.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012642.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012643.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012644.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012645.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012646.exe
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012647.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012649.dll
     Alert [adspy/zango.c] /mnt/hda/system~1/resto~1/rp1089/a012650.exe
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012651.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012652.exe
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012653.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012654.exe
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012656.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012657.exe
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012658.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012659.dll
     Alert [adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012660.dll
     Alert [TR/Crypt.XPACK.Gen] /mnt/hda1/system~1/_resto~1/rp1098/a0123644.exe
     Alert [TR/Crypt.XPACK.Gen] /mnt/hda1/system~1/_resto~1/rp1098/a0123645.exe
     Alert [TR/Crypt.XPACK.Gen] /mnt/hda1/system~1/_resto~1/rp1098/a0123646.exe
     Alert [APPL/PsExec.E] /mnt/hda1/system~1/_resto~1/rp1098/a0123663.exe
     Alert [APPL/Psexec.e] /mnt/hda1/system~1/_resto~1/rp1098/a0123738.exe
     Alert [APPL/psexec.e] /mnt/hda1/system~1/_resto~1/rp1098/a0123786.exe --arrow 32788r22fwjfw/psexec.cfexe
     Alert [Appl/psexec.e] /mnt/hda1/system~1/_resto~1/rp1101/a0124025.exe (same as the above line)
     Alert [TR/dldr.injector.cbs] /mnt/hda1/system~1/_resto~1/rp1101/a0124035.exe
     Alert [APPL/PsExec.E] /mnt/hda1/system~1/_resto~1/rp1101/a0124076.exe
     Alert [APPL/PsExec.E] /mnt/hda1/system~1/_resto~1/rp1102/a0124205.exe --arrow 32788r22fwjfw/psexec.cfexe
     Alert [APPL/PsExec.E] /mnt/hda1/system~1/_resto~1/rp1102/a0124242.exe
     Alert [Adspy/180solutions.AM.1] /mnt/hda1/system~1/_resto~1/rp1083/a0121546
     Alert [TR/Crypt.Xpack.Gen] /mnt/hda1/goobox/quaran~1/c/windows/system32/998exe~1.vir
     Alert [TR/Crypt.Xpack.Gen] /mnt/hda1/goobox/quaran~1/c/windows/system32/userin~1.vir
     Alert [TR/Crypt.Xpack.Gen] /mnt/hda1/goobox/quaran~1/c/windows/system32/clickf~1.vir
     Alert [html/Rce.Gen] /mnt/hda1/found.015/file0257.chk

     That's it for the scan; I still have it up on my computer if you need more. And should I try to repair programs in this scanner by clicking the "try repair" folder icon? Thanks again.
  6. First, I can't explain it, and I followed the advice, and here's the new HJT. I'm not a computer whiz, but I'm following all instructions.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 4:23:47 AM, on 2/6/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16762)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Bell\Security Manager\Fws.exe
     C:\WINDOWS\system32\LEXBCES.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\LEXPPS.EXE
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Personal Vault\VaultClientUpgrade.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\internet explorer\iexplore.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Trend Micro\HijackThis\tyler.exl.exe

     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
     O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
     O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe
     O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
     O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
     O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

     --
     End of file - 2241 bytes
  7. Malwarebytes' Anti-Malware 1.33
     Database version: 1733
     Windows 5.1.2600 Service Pack 3

     2/6/2009 4:08:45 AM
     mbam-log-2009-02-06 (04-08-45).txt

     Scan type: Quick Scan
     Objects scanned: 59893
     Time elapsed: 2 minute(s), 43 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 4:11:11 AM, on 2/6/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16762)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Bell\Security Manager\Fws.exe
     C:\WINDOWS\system32\LEXBCES.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\LEXPPS.EXE
     C:\WINDOWS\system32\userinit.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
     C:\Program Files\Personal Vault\VaultClientUpgrade.exe
     C:\WINDOWS\system32\imapi.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\system32\WgaTray.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
     O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
     O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe
     O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
     O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
     O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

     --
     End of file - 2767 bytes
  8. OK, I did run the script as shown, and I lost ComboFix by accident. I just ran it again using the same instructions; here are the results. And thanks for helping.

     ComboFix 09-02-05.02 - user 2009-02-06 3:02:39.5 - FAT32x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.320 [GMT -5:00]
     Running from: c:\documents and settings\user\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\user\Desktop\CFscript.txt
     AV: Sympatico Security Manager Anti-Virus *On-access scanning disabled* (Updated)
     FW: Sympatico Security Manager Firewall *disabled*
     * Created a new restore point

     FILE ::
     c:\windows\DUMP46cd.tmp
     c:\windows\DUMP562e.tmp
     c:\windows\system32\clickfile.exe
     c:\windows\system32\CP1215EWS.dll
     c:\windows\system32\CP1215LI.DLL
     c:\windows\system32\CP1215LM.DLL
     c:\windows\system32\drivers\ojmpkcyu.sys
     c:\windows\system32\HPIPMX.dll
     c:\windows\system32\HPIPMXRes.dll
     c:\windows\system32\HPMCoSetup.dll
     c:\windows\system32\XDva143.sys
     c:\windows\system32\ZIMF.DLL
     c:\windows\system32\ZSPOOL.DLL
     c:\windows\system32\ZTAG.DLL
     c:\windows\Tasks\Registry OK Schedule.job
     c:\windows\yogodjvv
     .
     ((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
     .

     2009-02-05 17:13 . 2009-02-05 17:13 <DIR> d-------- c:\program files\Yahoo!
     2009-02-05 17:13 . 2009-02-05 17:13 <DIR> d-------- c:\program files\CCleaner
     2009-02-05 16:52 . 2009-02-05 17:07 3,171,208 --a------ c:\program files\ccsetup216.exe
     2009-02-05 16:48 . 2009-02-05 16:48 <DIR> d-------- c:\documents and settings\user\Application Data\Yahoo!
     2009-02-05 04:59 . 2009-02-05 04:59 25,085,704 --a------ c:\program files\antivir_workstation_winu_en_h.exe
     2009-02-05 03:12 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
     2009-02-04 19:53 . 2009-02-04 19:53 <DIR> d--hs---- C:\FOUND.016
     2009-02-04 19:45 . 2009-02-04 19:45 <DIR> d-------- c:\program files\Trend Micro
     2009-02-04 05:14 . 2009-02-04 05:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
     2009-02-04 05:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
     2009-02-04 05:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
     2009-02-04 02:29 . 2009-02-04 02:29 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
     2009-02-04 01:29 . 2009-02-04 01:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
     2009-02-01 10:01 . 2009-02-01 10:01 <DIR> d--hs---- c:\windows\system32\twain32
     2009-02-01 02:52 . 2009-02-01 02:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
     2009-02-01 02:03 . 2009-02-01 02:03 <DIR> d-------- c:\program files\Windows Installer Clean Up
     2009-02-01 02:02 . 2009-02-01 02:03 <DIR> d-------- c:\program files\MSECACHE
     2009-02-01 01:44 . 2009-02-01 01:44 <DIR> d-------- c:\program files\Common Files\iS3
     2009-02-01 01:43 . 2009-02-01 01:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
     2009-02-01 01:20 . 2009-02-01 01:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-01-31 09:38 . 2009-01-31 09:38 <DIR> d-------- c:\program files\Hewlett-Packard
     2009-01-31 09:17 . 2009-01-31 09:17 <DIR> d-------- c:\documents and settings\user\Application Data\Hewlett-Packard
     2009-01-25 17:24 . 2009-01-25 17:24 <DIR> d-------- c:\documents and settings\user\tyler2
     2009-01-24 14:51 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
     2009-01-24 14:49 . 2009-01-24 14:49 <DIR> d-------- c:\windows\Logs
     2009-01-24 14:49 . 2009-01-24 14:49 302,928 --a------ C:\dxwebsetup.exe

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
     2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
     2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
     2008-11-27 16:14 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
     2008-11-27 16:14 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
     2008-11-27 16:14 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
     2008-11-27 16:14 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
     2008-11-27 16:14 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
     2008-09-15 08:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080916\index.dat

     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-15 185784]

     [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
     "NoSetActiveDesktop"= 1 (0x1)
     "NoActiveDesktopChanges"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
     BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
     "c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
     "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
     "c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
     "c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
     "c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
     "c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
     "c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
     "c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"=
     "c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
     "c:\\Program Files\\MSN Messenger\\livecall.exe"=
     "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

     R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\Personal Vault\VaultClientUpgrade.exe [2008-03-07 53248]
     S3 Radialpoint Security Services;Sympatico Security Manager;c:\program files\Bell\Security Manager\RpsSecurityAware.exe [2008-03-10 67824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
     .
     Contents of the 'Scheduled Tasks' folder

     2005-12-23 c:\windows\Tasks\Symantec NetDetect.job
     - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-18 17:17]

     2009-02-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
     - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

     2009-02-06 c:\windows\Tasks\HP WEP.job
     - c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 14:28]
     .
     .
     ------- Supplementary Scan -------
     .
     uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\5nquye0b.default\
     FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
     FF - prefs.js: browser.search.selectedEngine - Google
     FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
     .

     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-02-06 03:07:53
     Windows 5.1.2600 Service Pack 3 FAT NTAPI

     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(668)
     c:\program files\CA\PPRT\bin\CACheck.dll
     c:\program files\CA\PPRT\bin\CAHook.dll
     c:\program files\CA\PPRT\bin\CAServer.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\BELL\SECURITY MANAGER\FWS.EXE
     c:\windows\SYSTEM32\LEXBCES.EXE
     c:\windows\SYSTEM32\LEXPPS.EXE
     c:\program files\COMMON FILES\AUTHENTIUM\ANTIVIRUS\DVPAPI.EXE
     c:\program files\CA\PPRT\BIN\ITMRTSVC.EXE
     c:\windows\SYSTEM32\WDFMGR.EXE
     c:\windows\SYSTEM32\WSCNTFY.EXE
     .
     **************************************************************************
     .
     Completion time: 2009-02-06 3:09:30 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-02-06 08:09:28
     ComboFix4.txt 2009-02-05 08:56:12
     ComboFix3.txt 2009-02-05 21:44:58
     ComboFix5.txt 2009-02-06 08:01:44
     ComboFix2.txt 2009-02-06 05:51:32

     Pre-Run: 45,899,415,552 bytes free
     Post-Run: 45,887,455,232 bytes free

     165 --- E O F --- 2009-01-19 08:04:27
  9. I have now run a full Malwarebytes scan and another HijackThis scan; here are the results.

     Malwarebytes' Anti-Malware 1.33
     Database version: 1732
     Windows 5.1.2600 Service Pack 3

     2/5/2009 6:16:49 PM
     mbam-log-2009-02-05 (18-16-49).txt

     Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
     Objects scanned: 116480
     Time elapsed: 23 minute(s), 28 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\System Volume Information\_restore{2F508D62-B983-4B32-B17D-9B046440F78F}\RP1101\A0124202.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

     Oh crap, I lost the HijackThis one, but it has the HKEY Windows ctfmon still, and one that resembles the Malwarebytes two infected files from before. O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe is one of them; it's back on there.
  10. Malwarebytes' Anti-Malware 1.33
      Database version: 1732
      Windows 5.1.2600 Service Pack 3

      2/5/2009 5:24:00 PM
      mbam-log-2009-02-05 (17-24-00).txt

      Scan type: Quick Scan
      Objects scanned: 59001
      Time elapsed: 2 minute(s), 47 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yogodjvv (Rootkit.Agent) -> Quarantined and deleted successfully.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINDOWS\system32\drivers\ojmpkcyu.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 5:29:01 PM, on 2/5/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16762)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Bell\Security Manager\Fws.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Personal Vault\VaultClientUpgrade.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
      C:\Program Files\internet explorer\iexplore.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\NOTEPAD.EXE
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
      O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe
      O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
      O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
      O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

      --
      End of file - 3244 bytes
  11. OK, I used ComboFix; here is the result:
ComboFix 09-02-04.01 - user 2009-02-05 3:49:54.2 - FAT32x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.236 [GMT -5:00] Running from: c:\documents and settings\user\Desktop\ComboFix.exe AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) AV: Sympatico Security Manager Anti-Virus *On-access scanning disabled* (Updated) FW: Sympatico Security Manager Firewall *disabled* . ((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 ))))))))))))))))))))))))))))))) . 2009-02-05 03:12 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll 2009-02-04 19:53 . 2009-02-04 19:53 <DIR> d--hs---- C:\FOUND.016 2009-02-04 19:45 . 2009-02-04 19:45 <DIR> d-------- c:\program files\Trend Micro 2009-02-04 19:44 . 2009-02-04 19:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira 2009-02-04 05:14 . 2009-02-04 05:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-04 05:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-04 05:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-04 02:29 . 2009-02-04 02:29 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes 2009-02-04 01:29 . 2009-02-04 01:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP 2009-02-03 14:51 . 2009-02-03 14:51 45,568 --------- c:\windows\system32\clickfile.exe 2009-02-01 10:01 . 2009-02-01 10:01 <DIR> d--hs---- c:\windows\system32\twain32 2009-02-01 02:52 . 2009-02-01 02:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard 2009-02-01 02:03 . 2009-02-01 02:03 <DIR> d-------- c:\program files\Windows Installer Clean Up 2009-02-01 02:02 . 2009-02-01 02:03 <DIR> d-------- c:\program files\MSECACHE 2009-02-01 01:44 . 2009-02-01 01:44 <DIR> d-------- c:\program files\Common Files\iS3 2009-02-01 01:43 . 
2009-02-01 01:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla! 2009-02-01 01:20 . 2009-02-01 01:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-31 09:42 . 2007-08-29 16:06 512,000 --a------ c:\windows\system32\HPIPMX.dll 2009-01-31 09:42 . 2007-08-29 16:06 237,568 --a------ c:\windows\system32\HPIPMXRes.dll 2009-01-31 09:42 . 2007-08-29 16:06 163,840 --a------ c:\windows\system32\CP1215LI.DLL 2009-01-31 09:42 . 2007-08-29 16:06 143,360 --a------ c:\windows\system32\CP1215LM.DLL 2009-01-31 09:42 . 2007-08-29 16:06 114,688 --a------ c:\windows\system32\HPMCoSetup.dll 2009-01-31 09:42 . 2007-08-29 16:06 106,496 --a------ c:\windows\system32\ZSPOOL.DLL 2009-01-31 09:42 . 2007-08-29 16:06 61,440 --a------ c:\windows\system32\ZIMF.DLL 2009-01-31 09:42 . 2008-02-11 15:26 57,344 --a------ c:\windows\system32\CP1215EWS.dll 2009-01-31 09:42 . 2007-08-29 16:06 53,248 --a------ c:\windows\system32\ZTAG.DLL 2009-01-31 09:38 . 2009-01-31 09:38 <DIR> d-------- c:\program files\Hewlett-Packard 2009-01-31 09:17 . 2009-01-31 09:17 <DIR> d-------- c:\documents and settings\user\Application Data\Hewlett-Packard 2009-01-31 06:02 . 2009-02-05 03:53 1,104 --a------ c:\windows\yogodjvv 2009-01-25 17:24 . 2009-01-25 17:24 <DIR> d-------- c:\documents and settings\user\tyler2 2009-01-24 14:51 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll 2009-01-24 14:49 . 2009-01-24 14:49 <DIR> d-------- c:\windows\Logs 2009-01-24 14:49 . 2009-01-24 14:49 302,928 --a------ C:\dxwebsetup.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-01-31 21:39 90,112 ----a-w c:\windows\DUMP46cd.tmp 2009-01-31 21:07 90,112 ----a-w c:\windows\DUMP562e.tmp 2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll 2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys 2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys 2008-11-27 16:14 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2008-11-27 16:14 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2008-11-27 16:14 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll 2008-11-27 16:14 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll 2008-11-27 16:14 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll 2008-09-15 08:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080916\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk * [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"= "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"= "c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"= R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program 
files\Personal Vault\VaultClientUpgrade.exe [2008-03-07 53248] S0 yogodjvv;yogodjvv;c:\windows\system32\drivers\ojmpkcyu.sys [] S3 Radialpoint Security Services;Sympatico Security Manager;c:\program files\Bell\Security Manager\RpsSecurityAware.exe [2008-03-10 67824] S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys --> c:\windows\system32\XDva143.sys [?] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c047c248-1f9e-11dd-929f-00016c2deccd}] \Shell\AutoRun\command - I:\start.exe . Contents of the 'Scheduled Tasks' folder 2005-12-23 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-18 17:17] 2009-02-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20] 2009-02-04 c:\windows\Tasks\Registry OK Schedule.job - c:\program files\Registry OK\RegistryOK.exe [] 2009-02-05 c:\windows\Tasks\HP WEP.job - c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 14:28] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\5nquye0b.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll . 
************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-05 03:54:28 Windows 5.1.2600 Service Pack 3 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(680) c:\program files\CA\PPRT\bin\CACheck.dll c:\program files\CA\PPRT\bin\CAHook.dll c:\program files\CA\PPRT\bin\CAServer.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\BELL\SECURITY MANAGER\FWS.EXE c:\windows\SYSTEM32\LEXBCES.EXE c:\windows\SYSTEM32\LEXPPS.EXE c:\program files\COMMON FILES\AUTHENTIUM\ANTIVIRUS\DVPAPI.EXE c:\program files\CA\PPRT\BIN\ITMRTSVC.EXE c:\windows\SYSTEM32\WDFMGR.EXE c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-02-05 3:56:09 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-05 08:56:08 ComboFix2.txt 2009-02-05 08:13:38 Pre-Run: 46,057,455,616 bytes free Post-Run: 46,036,287,488 bytes free 155 --- E O F --- 2009-01-19 08:04:27
P.S. I could not find out how to turn off Avira AntiVir, and I ran HijackThis afterwards and got the same files as before, with some new ones for pop-ups. I need assistance badly; please help me.
  12. Not sure I gave enough info. Both programs could not delete that malware for good; what's the next step?
  13. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:05:52 AM, on 2/5/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Bell\Security Manager\Fws.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Personal Vault\VaultClientUpgrade.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing) O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing) O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. 
- C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe -- End of file - 2606 bytes Malwarebytes' Anti-Malware 1.33 Database version: 1730 Windows 5.1.2600 Service Pack 3 2/4/2009 9:04:05 PM mbam-log-2009-02-04 (21-04-05).txt Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|) Objects scanned: 116200 Time elapsed: 26 minute(s), 23 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
Awaiting further instruction
  14. OK, I have downloaded HijackThis and Malwarebytes. By reading the HijackThis report it seems that there is malware on my Microsoft NT 2003 or XP; it says these are hard to remove. I have also used Malwarebytes, and there are two malware items it deletes successfully, but they come back in my next scan. I need help to remove this crap from my system. What is my next logical step, besides throwing my computer in the garbage? Here are my logs. Also, quarantine does not work in Malwarebytes; it says error.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:01:58 PM, on 2/4/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Bell\Security Manager\Fws.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Personal Vault\VaultClientUpgrade.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing) O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition 
Classic\avguard.exe (file missing) O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe -- End of file - 2674 bytes Malwarebytes' Anti-Malware 1.33 Database version: 1730 Windows 5.1.2600 Service Pack 3 2/4/2009 9:04:05 PM mbam-log-2009-02-04 (21-04-05).txt Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|) Objects scanned: 116200 Time elapsed: 26 minute(s), 23 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)