Regedit and task manager hijack

So, I ran my spyware and got this.

Malwarebytes' Anti-Malware 1.34

Database version: 1814

Windows 5.1.2600 Service Pack 2

3/3/2009 9:22:13 AM

mbam-log-2009-03-03 (09-22-13).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)

Objects scanned: 107511

Time elapsed: 1 hour(s), 15 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

It says that it has "deleted successfully" the 2 hijacks, but they are still there every time I try to use Task Manager, and every time I rescan with Malwarebytes the problem still exists, even after I've turned off my computer and everything.

So I used ComboFix, as that was my next option I believe. This is what it gave me:

ComboFix 09-03-02.03 - censoredhead 2009-03-03 9:47:59.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.241 [GMT -6:00]

Running from: c:\documents and settings\censoredhead\Desktop\ComboFix.exe

AV: PC Tools AntiVirus 6.0.0.17 *On-access scanning enabled* (Updated)

FW: AVG Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\ssembl~1

.

((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))

.

2009-03-02 20:43 . 2009-03-02 20:43 268 --ah----- C:\sqmdata17.sqm

2009-03-02 20:43 . 2009-03-02 20:43 244 --ah----- C:\sqmnoopt17.sqm

2009-03-02 17:26 . 2009-03-02 17:26 <DIR> d-------- c:\documents and settings\censoredhead\Application Data\PC Tools

2009-03-02 17:20 . 2009-03-02 17:31 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-03-02 17:19 . 2009-03-02 20:40 <DIR> d-------- c:\program files\PC Tools AntiVirus

2009-03-02 17:19 . 2009-03-02 17:19 <DIR> d-------- c:\program files\Common Files\PC Tools

2009-03-02 17:19 . 2009-03-02 17:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools

2009-03-02 17:19 . 2009-02-23 10:11 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys

2009-03-02 17:19 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys

2009-03-02 17:19 . 2009-02-10 11:13 28,560 --a------ c:\windows\system32\drivers\AVHook.sys

2009-03-02 17:19 . 2009-02-10 11:13 21,904 --a------ c:\windows\system32\drivers\AVRec.sys

2009-03-02 17:19 . 2009-02-10 11:13 21,904 --a------ c:\windows\system32\drivers\AVFilter.sys

2009-03-02 10:39 . 2009-03-02 10:39 268 --ah----- C:\sqmdata16.sqm

2009-03-02 10:39 . 2009-03-02 10:39 244 --ah----- C:\sqmnoopt16.sqm

2009-03-01 19:20 . 2009-03-01 19:20 268 --ah----- C:\sqmdata15.sqm

2009-03-01 19:20 . 2009-03-01 19:20 244 --ah----- C:\sqmnoopt15.sqm

2009-03-01 18:33 . 2009-03-01 18:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-01 18:33 . 2009-03-01 18:33 <DIR> d-------- c:\documents and settings\censoredhead\Application Data\Malwarebytes

2009-03-01 18:33 . 2009-03-01 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-01 18:33 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-01 18:33 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-01 18:26 . 2009-03-01 18:26 <DIR> d-------- c:\documents and settings\censoredhead\Application Data\AVGTOOLBAR

2009-03-01 18:22 . 2009-03-01 18:22 50,968 --a------ c:\windows\system32\avgfwdx.dll

2009-03-01 18:22 . 2009-03-01 18:22 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys

2009-03-01 18:21 . 2009-03-01 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-03-01 17:52 . 2009-03-01 17:52 <DIR> d-------- c:\documents and settings\censoredhead\Application Data\AVG8

2009-03-01 17:40 . 2009-03-01 17:40 268 --ah----- C:\sqmdata14.sqm

2009-03-01 17:40 . 2009-03-01 17:40 244 --ah----- C:\sqmnoopt14.sqm

2009-03-01 13:33 . 2009-03-01 13:33 268 --ah----- C:\sqmdata13.sqm

2009-03-01 13:33 . 2009-03-01 13:33 244 --ah----- C:\sqmnoopt13.sqm

2009-03-01 11:53 . 2009-03-01 11:53 <DIR> d--h----- c:\windows\system32\GroupPolicy

2009-03-01 08:00 . 2009-03-01 08:00 268 --ah----- C:\sqmdata12.sqm

2009-03-01 08:00 . 2009-03-01 08:00 244 --ah----- C:\sqmnoopt12.sqm

2009-02-28 23:16 . 2009-02-28 23:15 410,984 --a------ c:\windows\system32\deploytk.dll

2009-02-28 23:06 . 2009-02-28 23:06 268 --ah----- C:\sqmdata11.sqm

2009-02-28 23:06 . 2009-02-28 23:06 244 --ah----- C:\sqmnoopt11.sqm

2009-02-20 07:30 . 2009-02-20 07:30 268 --ah----- C:\sqmdata10.sqm

2009-02-20 07:30 . 2009-02-20 07:30 244 --ah----- C:\sqmnoopt10.sqm

2009-02-19 22:27 . 2009-02-19 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard

2009-02-19 19:02 . 2009-02-19 19:03 <DIR> d-------- c:\program files\Google

2009-02-19 10:54 . 2009-02-19 10:54 268 --ah----- C:\sqmdata09.sqm

2009-02-19 10:54 . 2009-02-19 10:54 244 --ah----- C:\sqmnoopt09.sqm

2009-02-19 10:48 . 2009-02-19 10:48 268 --ah----- C:\sqmdata08.sqm

2009-02-19 10:48 . 2009-02-19 10:48 244 --ah----- C:\sqmnoopt08.sqm

2009-02-17 19:50 . 2009-02-17 19:50 268 --ah----- C:\sqmdata07.sqm

2009-02-17 19:50 . 2009-02-17 19:50 244 --ah----- C:\sqmnoopt07.sqm

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-03 11:59 --------- d-----w c:\program files\FunPix

2009-03-03 02:45 --------- d-----w c:\program files\World of Warcraft

2009-03-01 05:15 --------- d-----w c:\program files\Java

2009-02-20 05:52 --------- d-----w c:\program files\Common Files\Blizzard Entertainment

2009-01-04 00:16 --------- d-----w c:\documents and settings\censoredhead\Application Data\U3

2009-01-04 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\FunPix

2009-01-04 00:12 --------- d-----w c:\program files\MSN Messenger

2007-06-04 03:44 11,761,512 ----a-w c:\program files\NapsterSetup-US-NCOM-3.8.1.4.exe

2007-02-21 21:51 66,672 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2007-02-21 21:51 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2007-02-21 21:51 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2007-02-21 21:51 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2007-02-21 21:51 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4748792]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]

"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5752176]

"Octoshape Streaming Services"="c:\documents and settings\censoredhead\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2008-05-22 226576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 955392]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-28 214424]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 446530]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-12-23 155648]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 263720]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3817472]

"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-19 1374096]

c:\documents and settings\censoredhead\Start Menu\Programs\Startup\

iFunPix.lnk - c:\program files\FunPix\FunPixApp.exe [2008-07-01 348160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-01-09 278528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-02-20 05:38 110592 c:\windows\system32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-01-03 10:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]

--a------ 2006-06-17 19:28 606208 c:\program files\VIAudioi\SBADeck\ADeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoAds]

--a------ 2006-06-17 19:24 200704 c:\program files\NoAds\NoAds.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]

--a------ 2006-04-20 00:35 319488 c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-03-27 14:22 4748792 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wscsvc"=2 (0x2)

"BITS"=3 (0x3)

"6to4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE"=

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Documents and Settings\\censoredhead\\Local Settings\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\FunPix\\FunPixService.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Documents and Settings\\All Users\\Documents\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=

"c:\\WINDOWS\\system32\\LXSUPMON.EXE"=

"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=

"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\WINDOWS\\system32\\netsh.exe"=

"c:\\Program Files\\FunPix\\FunPixApp.exe"=

"c:\\Program Files\\AIM6\\aolsoftware.exe"=

"c:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundTimestampRequest"= 1 (0x1)

"AllowInboundMaskRequest"= 1 (0x1)

"AllowInboundRouterRequest"= 1 (0x1)

"AllowRedirect"= 1 (0x1)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-02 130424]

R2 iFunPixAgent;iFunPixAgent;c:\program files\FunPix\FunPixService.exe [2008-07-01 20480]

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-10 24652]

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\emgngr.sys --> c:\windows\system32\drivers\emgngr.sys [?]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-03-01 29208]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-03-01 29208]

S3 HwIOctl;HwIOctl;\??\c:\program files\Setup\MS-7043 v2.00\HwIOctl.sys --> c:\program files\Setup\MS-7043 v2.00\HwIOctl.sys [?]

S3 Vsp;Vsp;\??\c:\windows\system32\drivers\Vsp.sys --> c:\windows\system32\drivers\Vsp.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{718f0be4-f3e6-11dc-994c-0018f80856fa}]

\Shell\AutoRun\command - F:\LaunchU3.exe

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-REGSHAVE - c:\program files\REGSHAVE\REGSHAVE.EXE

MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe

MSConfigStartUp-YBrowser - c:\program files\Yahoo!\browser\ybrwicon.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?p=1150228762

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-03 09:54:04

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\LgNotify.dll

c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'lsass.exe'(944)

c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'explorer.exe'(13808)

c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'csrss.exe'(860)

c:\program files\PC Tools AntiVirus\PCTAVHook.dll

.

Completion time: 2009-03-03 9:59:42

ComboFix-quarantined-files.txt 2009-03-03 15:59:33

Pre-Run: 44,697,075,712 bytes free

Post-Run: 45,697,708,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

So after all that I still can't use my Task Manager. Did I miss something? How do I finally fix this?! Help ;)

Root Admin (2 weeks later):

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
