
Undeletable virus?



Hi,

I'm encountering an annoying virus. Every time I run a full system scan using Malwarebytes Anti-Malware, it identifies the following issues:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify

c:\hguby.exe (Malware.Packer.Gen)

I removed them, and even removed them from regedit, and after a few seconds they spawn again.

If anyone could assist with how I can clean up these items once and for all, and advise whether I am able to clean my computer, it would be much appreciated.

Thanks



Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Hi,

I scanned one more time and here's the result:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8095

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/7/2011 3:58:45 PM

mbam-log-2011-11-07 (15-58-45).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 121100

Time elapsed: 1 hour(s), 10 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 30

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\hguby.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\Games\the sims 2\TSBin\sims 2 +3 trainer.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-746137067-299502267-1801674531-1003\Dc76.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-746137067-299502267-1801674531-1003\Dc78.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-746137067-299502267-1801674531-1003\Dc79.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-746137067-299502267-1801674531-1003\Dc80.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-746137067-299502267-1801674531-1003\Dc81.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-746137067-299502267-1801674531-1003\Dc83.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-746137067-299502267-1801674531-1003\Dc84.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-746137067-299502267-1801674531-1003\Dc85.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-746137067-299502267-1801674531-1003\Dc86.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0032438.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034223.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034250.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034415.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034416.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034418.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034570.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034776.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034817.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034818.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034819.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034820.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034821.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034823.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034824.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034825.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0034826.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{9723f1bc-6cf2-4766-8bae-8d7664535597}\RP13\A0035568.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

d:\documents and settings\user\local settings\Temp\Rar$EX00.922\yu-gi-oh! power of chaos yugi the destiny trainer +4.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.

And the flash scan:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8095

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/7/2011 4:01:28 PM

mbam-log-2011-11-07 (16-01-28).txt

Scan type: Flash scan

Objects scanned: 118113

Time elapsed: 1 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The virus keeps increasing...

How my computer is behaving:

1. The AVG icon doesn't show up on the taskbar, but Malwarebytes Anti-Malware is shown.

2. I can't access Task Manager and regedit.

3. I can't access my Data (C:) automatically; the first time I double-click the folder, Malwarebytes Anti-Malware detects a virus named hugby.exe. The second time I double-click, an "Open with" dialog box is shown.

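The values the first two posts keep reporting (DisableTaskMgr, DisableRegistryTools, the Security Center *DisableNotify values) and the amsint32 service the flash scan tagged as Virus.Sality are exactly what the PUM.Hijack.* and PUM.Disabled.SecurityCenter lines in the log are checking. The script below is an added example written for this page, not code from the thread or from Malwarebytes: it runs the same checks offline over a registry export (the format `reg export` or a REGEDIT4 dump produces) and emits a .reg file that restores the expected values and deletes the service keys. The sample export is constructed from the values listed in the posts; the "good" values, the FirewallPolicy key path and the extension list are assumptions stated in the code. Note that restoring these values only sticks once the resident component that re-sets them is gone, which is the behaviour the first post describes.

```python
"""Audit a registry export for the policy and Security Center tampering
reported in this thread. Added example for this page; not forum or vendor
code. Sample data below is constructed from the values the posts list."""
import re
import sys

# (key, value name) -> value a clean machine has. Key paths are lower-cased
# because registry key names are case-insensitive. FWPOL is the full form of
# the abbreviated "HKLM\~\services\sharedaccess\..." line in the ComboFix
# log (assumption: standard XP SP3 location).
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
SECCTR = r"hkey_local_machine\software\microsoft\security center"
FWPOL = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
         r"\parameters\firewallpolicy\standardprofile")
EXPECTED = {
    (POLICY, "DisableTaskMgr"): 0,          # PUM.Hijack.TaskManager
    (POLICY, "DisableRegistryTools"): 0,    # PUM.Hijack.Regedit
    (SECCTR, "AntiVirusDisableNotify"): 0,  # PUM.Disabled.SecurityCenter
    (SECCTR, "FirewallDisableNotify"): 0,
    (SECCTR, "UpdatesDisableNotify"): 0,
    (SECCTR, "AntiVirusOverride"): 0,
    (SECCTR, "FirewallOverride"): 0,
    (FWPOL, "EnableFirewall"): 1,
}
# Service keys that should not exist at all: the driver Sality registers.
FORBIDDEN_KEYS = {
    r"hkey_local_machine\system\currentcontrolset\services\amsint32",
    r"hkey_local_machine\system\currentcontrolset\enum\root\legacy_amsint32",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {key_lower: {value_name: int}} for the dword values in a
    REGEDIT4 / 'Windows Registry Editor Version 5.00' export. Other value
    types are ignored; keys without dwords are still recorded."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit(text):
    """Return findings as (key, name, found, expected); name/found/expected
    are None when the finding is a key that should not exist at all."""
    keys = parse_reg(text)
    findings = []
    for (key, name), good in EXPECTED.items():
        found = keys.get(key, {}).get(name)
        if found is not None and found != good:
            findings.append((key, name, found, good))
    for key in sorted(FORBIDDEN_KEYS):
        if key in keys:
            findings.append((key, None, None, None))
    return findings


def fix_reg(findings):
    """Build a .reg file that restores expected values and deletes forbidden
    keys ('[-key]' deletes). Import it with regedit /s or reg import."""
    out = ["REGEDIT4", ""]
    for key, name, _found, good in findings:
        if name is None:
            out.append("[-%s]" % key)
        else:
            out.append("[%s]" % key)
            out.append('"%s"=dword:%08x' % (name, good))
        out.append("")
    return "\n".join(out)


def load_reg(path):
    """reg.exe writes UTF-16 with a BOM; REGEDIT4 text from other tools is ANSI."""
    raw = open(path, "rb").read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


# Constructed sample: the tampered values reported in this thread, in the
# form a registry export would carry them.
SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32]
"Type"=dword:00000001
"Start"=dword:00000003
"""

if __name__ == "__main__":
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    found = audit(text)
    for key, name, value, good in found:
        if name is None:
            print("unexpected key: " + key)
        else:
            print("%s\\%s = %r (expected %r)" % (key, name, value, good))
    print(fix_reg(found))
```

Run it with no argument to see the findings for the constructed sample, or with the path of a `reg export` file to audit a real machine. If the generated .reg is imported and the values flip back within seconds, as in the first post, that confirms a running process or driver is enforcing them and the fix has to start with that component, not the values.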

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Thanks for the ComboFix.

But I'm sorry to say that it only fixed problem number 3:

3. I can't access my Data (C:) automatically; the first time I double-click the folder, Malwarebytes Anti-Malware detects a virus named hugby.exe. The second time I double-click, an "Open with" dialog box is shown.

If you can help me more, it would be much appreciated...


Thanks, here's the report.

ComboFix 11-11-11.02 - user 11/11/2011 14:52:29.1.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1892.1117 [GMT -8:00]

Running from: d:\documents and settings\user\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\autorun.inf

C:\hotqe.pif

D:\autorun.inf

d:\documents and settings\user\Application Data\Toolbar4

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\07342a6755dee760339186a222929be2

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\1a9351a4bb94258aae1a132d1df6bbd6

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\27c746d432b7a753a0af8d7c033b46fe

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\29821809b7cb6f67e31db41dec5e381f

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\2b4ad282984708f7b89800e17a257476

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\2cc60d08b36af576b11419505050cc6e

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\392a700638f235a296b69d16949f5de4

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\44567846e0387d6a62062ab4dbf9ae96

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\476e581759e584c2c282de2998241067

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\52b66d6979ef2abcea9a736d1b4dbc82

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\757a20d7a75ae93435ac64a6095eab39

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\89c35566d3dfdce78572ff8c2a627ad2

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9840cd5f73490a37d4f3e47107ced675

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9956734e872eec3ea3e17f52e84dc6cc

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\9d810aab3f7bcbacb07c241f8d726714

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\a2c186b67472c6e600e20a266c490399

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\a95eb0e6de33d7634932d4e6a0a8fcb1

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\ab175bcff5c73a195b31011921537077

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\acfc834035dccfb94e7f9067f5d48a83

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\b19a226e37d70388c09e79d59e928706

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\b60520640d82e970595e95ad6eed09a5

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\ba2b10a34ec5487830bcffd24e6ce6a6

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\bdcf0ed363b85538f740c9b718bf611c

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c3a959e6bb881e61278a5411610b65c8

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c48c9e27c16419ab995d48b077a802ff

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\c594d37e13c887da6ddc9975fa9aae82

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\cc68743a659d204f1d8ed9e6ccf8ce9a

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\e13b2994352b9b3027a914debb087454

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\e6f9cd396acf3782de6615e7be7146d0

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\faeabe2383655e57bfe411d09932eca8

d:\documents and settings\user\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache\fc57bf3aee1b4ac0db547af3a4f4a1b1

d:\program files\Pivot Stickfigure DB Toolbar\tbHElper.dll

d:\winxp\TEMP\GuardGuard.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_AMSINT32

-------\Service_amsint32

.

.

((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))

.

.

2011-11-11 04:53 . 2011-11-11 04:53 -------- d-----w- d:\program files\AhnLab

2011-11-11 04:53 . 2011-11-11 04:53 -------- d-----w- d:\documents and settings\user\AppData

2011-11-07 03:11 . 2011-11-07 03:11 -------- d--h--w- d:\winxp\PIF

2011-11-06 23:35 . 2011-11-06 23:35 1018368 ----a-w- D:\Empires2.exe

2011-11-06 19:07 . 2011-11-06 19:07 -------- d--h--w- d:\winxp\system32\GroupPolicy

2011-11-06 02:15 . 2011-11-06 02:15 -------- d-----w- d:\program files\Common Files\InstallShield

2011-11-04 22:25 . 2009-09-05 00:29 1892184 ----a-w- d:\winxp\system32\D3DX9_42.dll

2011-11-04 22:03 . 2011-11-10 01:04 -------- d-----w- d:\winxp\Logs

2011-11-04 04:20 . 2011-11-04 04:20 -------- d-----w- d:\program files\RealArcade

2011-10-30 23:03 . 2011-10-30 23:03 -------- d-----w- d:\documents and settings\user\Application Data\Moyea

2011-10-25 04:03 . 2011-10-25 04:04 -------- d-----w- d:\documents and settings\user\Local Settings\Application Data\._LiveCode_

2011-10-25 04:00 . 2011-11-11 22:56 -------- d-----w- d:\program files\Pivot Stickfigure DB Toolbar

2011-10-25 03:59 . 2011-10-26 22:57 -------- d-----w- d:\documents and settings\user\Local Settings\Application Data\WMTools Downloaded Files

2011-10-25 03:58 . 2011-10-25 04:04 -------- d-----w- d:\documents and settings\user\Application Data\Stykz

2011-10-15 22:22 . 2011-10-15 22:22 -------- d-----w- d:\documents and settings\user\Local Settings\Application Data\uTorrent

2011-10-15 22:22 . 2011-10-15 22:22 -------- d-----w- d:\documents and settings\user\Application Data\uTorrent

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-09 06:15 . 2011-10-09 06:15 286720 ------w- d:\winxp\Setup1.exe

2011-10-09 06:15 . 2011-10-09 06:15 73216 ----a-w- d:\winxp\ST6UNST.EXE

2011-10-06 02:24 . 2011-10-06 02:24 1409 ----a-w- d:\winxp\system32\tmp7ABD1.FOT

2011-10-06 02:24 . 2011-10-06 02:24 1409 ----a-w- d:\winxp\system32\tmp5FBD1.FOT

2011-09-23 02:10 . 2011-09-23 02:10 414368 ----a-w- d:\winxp\system32\FlashPlayerCPLApp.cpl

2011-09-23 02:02 . 2011-09-23 02:02 1060864 ----a-w- d:\winxp\system32\mfc71.dll

2011-09-23 02:02 . 2011-09-23 02:02 348160 ----a-w- d:\winxp\system32\msvcr71.dll

2011-09-23 02:02 . 2011-09-23 02:02 1700352 ----a-w- d:\winxp\system32\gdiplus.dll

2011-09-01 00:00 . 2011-09-23 05:33 22216 ----a-w- d:\winxp\system32\drivers\mbam.sys

2011-08-29 08:00 . 2011-09-23 02:11 74752 ----a-w- d:\winxp\system32\ff_vfw.dll

2011-06-16 04:17 . 2011-09-23 05:21 142296 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]

@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"

[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]

2011-05-30 16:50 21864 ----a-w- c:\internet download manager\IDMShellExt.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\internet download manager\IDMan.exe" [2011-10-25 3437976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="d:\winxp\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="d:\winxp\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="d:\winxp\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="d:\winxp\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"SynTPLpr"="d:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-04-10 192512]

"SynTPEnh"="d:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-10 1716224]

"Guard.Mail.ru.gui"="d:\program files\Mail.Ru\Guard\GuardMailRu.exe" [2011-09-23 1472720]

"Malwarebytes' Anti-Malware"="c:\malwarebytes' anti-malware\mbamgui.exe" [2011-09-01 449608]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvUpdater]

2011-04-28 08:27 192856 ----a-w- d:\documents and settings\user\Application Data\DRPSu\DrvUpdater.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2006-10-27 07:47 112936 ----a-w- d:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Guard.Mail.ru.gui]

2011-09-23 01:31 1472720 ----a-w- d:\program files\Mail.Ru\Guard\GuardMailRu.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2011-03-02 14:51 182296 ----a-w- d:\winxp\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2011-03-02 14:52 142360 ----a-w- d:\winxp\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]

2011-01-01 04:05 1029200 ----a-w- d:\program files\Launch Manager\LManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-11-05 04:04 6243640 ----a-w- d:\program files\Yahoo!\Messenger\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NUSB3MON]

2010-11-17 01:53 195208 ----a-w- d:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2011-03-02 14:51 166424 ----a-w- d:\winxp\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2011-01-21 18:27 20026472 ----a-w- d:\winxp\RTHDCPL.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2010-12-02 15:56 156672 ----a-w- d:\program files\Winamp\winampa.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Mail.Ru\\Sputnik\\SputnikHelper.exe"=

"d:\\Program Files\\Mail.Ru\\Sputnik\\SputnikFlashPlayer.exe"=

"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"d:\\Program Files\\Winamp\\winamp.exe"=

"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Games\\Condition Zero\\hl.exe"=

"c:\\Games\\Counter-Strike Online\\Bin\\cstrike-online.exe"=

"c:\\Games\\Counter-Strike Online\\Bin\\NMService.exe"=

"c:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"=

"c:\\Games\\MapleStorySEA\\Patcher.exe"=

"c:\\Games\\cs2d\\CounterStrike2D.exe"=

"c:\\Games\\Warcraft III\\war3.exe"=

"c:\\GameHouse\\Plants vs. Zombies\\PlantsVsZombies.exe"=

"d:\\Program Files\\Mail.Ru\\Guard\\GuardMailRu.exe"=

"d:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=

"c:\\Internet Download Manager\\IEMonitor.exe"=

"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Malwarebytes' Anti-Malware\\mbamgui.exe"=

"c:\\Program Files\\PopCap Games\\Dynomite Deluxe\\Dynomite.exe"=

"d:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=

"d:\\Program Files\\WinRAR\\WinRAR.exe"=

"d:\\Documents and Settings\\user\\Desktop\\ComboFix.exe"=

"c:\\Games\\AOE II AGE OF KINGS\\empires2.exe"=

.

R1 IDMTDI;IDMTDI;d:\winxp\system32\drivers\idmtdi.sys [7/18/2011 5:25 AM 101616]

R2 DsiWMIService;Dritek WMI Service;d:\program files\Launch Manager\dsiwmis.exe [12/31/2010 8:05 PM 310864]

R2 Guard.Mail.ru;Guard.Mail.ru;d:\program files\Mail.Ru\Guard\GuardMailRu.exe [9/22/2011 5:31 PM 1472720]

R2 MBAMService;MBAMService;c:\malwarebytes' anti-malware\mbamservice.exe [9/22/2011 9:33 PM 366152]

R3 IntcDAud;Intel® Display Audio;d:\winxp\system32\drivers\IntcDAud.sys [9/22/2011 5:02 PM 260864]

R3 k57w2k;Broadcom NetLink Gigabit Ethernet;d:\winxp\system32\drivers\k57xp32.sys [9/22/2011 5:00 PM 228392]

R3 MBAMProtector;MBAMProtector;d:\winxp\system32\drivers\mbam.sys [9/22/2011 9:33 PM 22216]

R3 MEI;Intel® Management Engine Interface;d:\winxp\system32\drivers\HECI.sys [9/22/2011 4:58 PM 41088]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;d:\winxp\system32\drivers\nusb3xhc.sys [9/22/2011 4:58 PM 141568]

R3 vmmouse;VMware Pointing Device;d:\winxp\system32\drivers\vmmouse.sys [9/22/2011 5:02 PM 11440]

S3 Ambfilt;Ambfilt;d:\winxp\system32\drivers\Ambfilt.sys [9/22/2011 5:01 PM 1691480]

S3 EagleXNt;EagleXNt;\??\d:\winxp\system32\drivers\EagleXNt.sys --> d:\winxp\system32\drivers\EagleXNt.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\d:\winxp\system32\drivers\mbamswissarmy.sys --> d:\winxp\system32\drivers\mbamswissarmy.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - AMSINT32

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bigseekpro.com/pivotstickfigure/{5F724DE1-8D45-4093-82E9-CEEE499B63F4}

mStart Page = hxxp://www.bigseekpro.com/pivotstickfigure/{5F724DE1-8D45-4093-82E9-CEEE499B63F4}

IE: Download all links with IDM - c:\internet download manager\IEGetAll.htm

IE: Download with IDM - c:\internet download manager\IEExt.htm

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 125.162.123.248 202.134.0.155

FF - ProfilePath - d:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\p4f4e67t.default\

FF - prefs.js: browser.startup.homepage - hxxp://google.com/

FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/pivotstickfigure/{5F724DE1-8D45-4093-82E9-CEEE499B63F4}?q=

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-11 14:58

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3404)

d:\winxp\system32\WININET.dll

d:\winxp\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\internet download manager\IDMShellExt.dll

c:\internet download manager\IDMNetMon.DLL

d:\winxp\system32\ieframe.dll

d:\winxp\system32\webcheck.dll

d:\winxp\system32\wpdshserviceobj.dll

d:\winxp\system32\portabledevicetypes.dll

d:\winxp\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\internet download manager\IEMonitor.exe

d:\winxp\TEMP\GuardGuard.exe

.

**************************************************************************

.

Completion time: 2011-11-11 15:02:14 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-11 23:02

.

Pre-Run: 236,445,106,176 bytes free

Post-Run: 236,605,726,720 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINXP

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINXP="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - D89F305BC57D591F2E1996575E4E1F11

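ComboFix deleted C:\autorun.inf, D:\autorun.inf and C:\hotqe.pif, which fits the symptom reported earlier: a drive that launches something on the first double-click and shows an "Open with" dialog once the launcher is gone. Explorer takes a drive's open/explore verbs from autorun.inf and caches them under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, so the verb can outlive the file it pointed at. The parser below is an added example written for this page, not code from the thread: it reads an autorun.inf the way Explorer does and reports which entries would execute a file when the drive is opened. The two inf files are constructed samples (the thread does not show the contents of the deleted files), and dropper.pif is a hypothetical name.

```python
"""Parse an autorun.inf the way Explorer does and report which entries
would run a program when the drive is opened. Added example for this page;
not forum or vendor code. Both inf files below are constructed samples."""
import os

# Extensions a worm launcher sitting in a drive root usually has (assumed list).
EXEC_EXT = {".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs"}


def parse_autorun(text):
    """Return {section: [(key, value), ...]} with section and key names
    lower-cased. Duplicate keys are kept in order; Explorer uses the first."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_targets(text):
    """Entries that execute something: open=, shellexecute=, and every
    shell\\<verb>\\command= (the verbs shown when the drive is right-clicked;
    shell\\open\\command is what a double-click runs)."""
    out = []
    for key, value in parse_autorun(text).get("autorun", []):
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb_cmd:
            out.append((key, value))
    return out


def executable_name(command):
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def assess(text):
    """Return (verdict, flagged). verdict: 'benign' (nothing runs),
    'launcher' (runs something from a subfolder, typical of vendor discs),
    'suspicious' (runs a bare executable sitting in the drive root)."""
    targets = launch_targets(text)
    flagged = []
    for trigger, command in targets:
        exe = executable_name(command)
        in_root = "\\" not in exe and "/" not in exe
        if in_root and os.path.splitext(exe)[1].lower() in EXEC_EXT:
            flagged.append((trigger, exe))
    if flagged:
        return "suspicious", flagged
    return ("launcher" if targets else "benign"), flagged


# Constructed: the shape of a worm autorun.inf. dropper.pif is a hypothetical
# name standing in for the kind of file C:\hotqe.pif was.
WORM_INF = r"""[autorun]
open=dropper.pif
shell\open=Open
shell\open\command=dropper.pif
shell\explore=Explore
shell\explore\command=dropper.pif
shell\autoplay\command=dropper.pif
shellexecute=dropper.pif
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed: a vendor disc that launches an installer from a subfolder.
VENDOR_INF = r"""[autorun]
icon=setup\vendor.ico
label=Driver CD
open=setup\setup.exe
"""

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("vendor", VENDOR_INF)):
        print(name, assess(inf))
```

Every shell\<verb>\command line is reported, not just open, because a worm inf typically hijacks open, explore and autoplay together so that any way of entering the drive runs the dropper. When the launcher is removed but the cached verb remains, the symptom is the "Open with" dialog from the thread; deleting the drive's entry under MountPoints2 (or just the stale autorun.inf) clears it.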

Yes.

Do you still have the same issues?

Yes, it is. I still can't open Task Manager. Rather than the problems decreasing, more problems have come out, like my maplestory.exe file: the first time I was able to open it, but now I can't anymore (when I double-click it, nothing happens).

I think it's a virus problem, because I downloaded a new exe file from the website and played it, but the second time I played it (double-clicked the exe), nothing happened.

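The flash scan attributed the amsint32 service to Virus.Sality, a family that infects .exe files on the machine, and the post above describes an executable that ran once and then stopped launching. One offline triage step for a binary that behaves this way is to look for the marks an appending infector leaves in the PE headers: an entry point that lands in the last section, and a last section that is both writable and executable. The script below is an added example written for this page, not code from the thread or from any AV vendor, and it is a heuristic rather than a Sality signature: packers and self-extractors produce the same indicators, and an empty result does not prove a file is clean. The two PE images are constructed in memory (headers only) so the check runs offline; `scan_file` applies it to a real file.

```python
"""Heuristic check for the header marks an appending file infector leaves
in a PE executable. Added example for this page; not forum or AV-vendor
code, and not a signature for any family. The two images below are
constructed in memory (headers only, no code) so the check runs offline."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (entry_point_rva, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size                               # section table
    sections = []
    for i in range(nsec):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(dict(name=name, vaddr=vaddr, vsize=vsize,
                             rawsize=rawsize, rawptr=rawptr, chars=chars))
    return entry, sections


def infector_indicators(data):
    """Return a list of human-readable indicators (empty = nothing seen)."""
    entry, sections = parse_sections(data)
    if not sections:
        return ["no sections"]
    last = sections[-1]

    def holds(sec, rva):
        return sec["vaddr"] <= rva < sec["vaddr"] + max(sec["vsize"], sec["rawsize"])

    findings = []
    ep_sec = next((s for s in sections if holds(s, entry)), None)
    if ep_sec is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
    elif ep_sec is last and len(sections) > 1:
        # Appending infectors put their code at the end and redirect the
        # entry point there; a compiler normally leaves it in .text.
        findings.append("entry point in last section %s" % last["name"])
    if last["chars"] & IMAGE_SCN_MEM_WRITE and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("last section %s is writable and executable" % last["name"])
    return findings


def scan_file(path):
    with open(path, "rb") as f:
        return infector_indicators(f.read())


def build_pe(entry_point, sections):
    """Constructed minimal PE32 image: DOS header, COFF header, optional
    header with only Magic and AddressOfEntryPoint set, and a section table.
    sections = [(name, virtual_address, size, characteristics), ...]"""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    raw_ptr, table = 0x400, b""
    for name, vaddr, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), size, vaddr,
                             size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = TEXT | IMAGE_SCN_MEM_WRITE

# Constructed: a normal layout, entry point inside .text.
CLEAN_SAMPLE = build_pe(0x1010, [(".text", 0x1000, 0x400, TEXT),
                                 (".data", 0x2000, 0x200, DATA)])
# Constructed: the same binary after an appending infector grew the last
# section, made it RWX and pointed the entry point into it.
INFECTED_SAMPLE = build_pe(0x3020, [(".text", 0x1000, 0x400, TEXT),
                                    (".data", 0x2000, 0x200, DATA),
                                    (".rsrc", 0x3000, 0x800, RWX)])

if __name__ == "__main__":
    print("clean sample:", infector_indicators(CLEAN_SAMPLE))
    print("infected sample:", infector_indicators(INFECTED_SAMPLE))
```

Point `scan_file` at a copy of the game executable taken from a clean download and at the one that stopped launching; a difference in the indicators between the two is the useful signal, since either file alone may be packed. A file that shows these marks should be replaced from the original installer rather than repaired by hand, and the machine itself still needs the resident driver removed first or the replacement will be infected again.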

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

