WiredWX Hobby Weather ToolsLog in

 


System Security 2009

3 posters

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Hello.
Were still gonna need Combofix to stop whatever it was from being downloaded again.

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Yea. Just took awhile to scan everything. All done now. Here are the combofix log

ComboFix 09-08-04.04 - PatrickC 08/06/2009 8:38.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.766 [GMT -7:00]
Running from: c:\documents and settings\PatrickC\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\92089676.ini
c:\documents and settings\All Users\Application Data\99037176.ini
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\Installer\21042.msi
c:\windows\kb913800.exe
c:\windows\system32\drivers\SKYNETyxyxjcbr.sys
c:\windows\system32\SKYNETpqxovmpf.dat
c:\windows\system32\SKYNETrpuhnpwq.dll
c:\windows\system32\SKYNETtcripmba.dll
c:\windows\system32\SKYNETvhowxnri.dat
c:\windows\system32\temp.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETiqakyxul
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-06 15:47 . 2009-08-06 15:47 -------- d-sh--w- C:\found.000
2009-08-05 23:08 . 2009-08-06 00:02 -------- d-----w- c:\documents and settings\PatrickC\Application Data\dvdcss
2009-08-04 12:12 . 2009-08-06 15:19 -------- d-----w- c:\program files\PrivacyCenter
2009-08-04 03:39 . 2009-08-04 03:39 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-03 19:06 . 2009-08-03 19:06 -------- d-s---w- c:\documents and settings\PatrickC\UserData
2009-08-01 18:47 . 2009-08-01 18:47 -------- d-----w- c:\program files\Warkeys
2009-07-31 23:11 . 2009-07-31 23:11 -------- d-----w- c:\program files\DotA Gaming Network
2009-07-31 23:11 . 2007-08-31 04:57 196608 ----a-w- c:\windows\system32\BNCSutil.dll
2009-07-30 00:41 . 2009-07-30 00:41 16141 ----a-w- c:\documents and settings\PatrickC\Application Data\Azureus\flamiks32.exe
2009-07-30 00:41 . 2009-07-30 00:41 422 ----a-w- c:\documents and settings\PatrickC\Application Data\Apple Computer\mario.exe
2009-07-30 00:41 . 2009-07-30 00:41 145131 ----a-w- c:\documents and settings\PatrickC\Application Data\AVG8\pingo.dll
2009-07-30 00:41 . 2009-07-30 00:41 13221 ----a-w- c:\documents and settings\PatrickC\Application Data\Adobe\xl12.exe
2009-07-30 00:41 . 2009-07-30 00:41 11232 ----a-w- c:\documents and settings\PatrickC\Application Data\.purple\norigami.dll
2009-07-29 17:49 . 2006-11-20 08:57 60800 ----a-w- c:\windows\system32\drivers\arp1394.sys
2009-07-29 17:49 . 2004-08-03 22:05 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2009-07-29 17:43 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-29 17:31 . 2009-07-29 17:31 -------- d-----w- c:\documents and settings\PatrickC\Application Data\AVG8
2009-07-29 17:29 . 2009-07-29 17:29 -------- d-----w- c:\documents and settings\PatrickC\Application Data\IObit
2009-07-29 17:28 . 2009-07-29 17:28 -------- d-----w- c:\program files\IObit
2009-07-19 10:34 . 2009-07-19 10:34 2161 ----a-w- c:\documents and settings\PatrickC\Application Data\.purple\certificates\x509\tls_peers\contacts.msn.com
2009-07-19 10:34 . 2009-07-19 10:34 2095 ----a-w- c:\documents and settings\PatrickC\Application Data\.purple\certificates\x509\tls_peers\login.live.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 07:52 . 2008-10-28 10:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-06 07:48 . 2008-10-28 09:17 -------- d-----w- c:\documents and settings\PatrickC\Application Data\.purple
2009-08-06 05:58 . 2009-03-02 09:03 -------- d-----w- c:\program files\Warcraft III
2009-08-05 17:35 . 2008-10-28 10:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 17:32 . 2008-10-28 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 17:31 . 2009-06-24 17:16 -------- d-----w- c:\program files\Lavasoft
2009-08-04 19:32 . 2009-03-05 05:45 77131 -c--a-w- c:\windows\War3Unin.dat
2009-08-04 03:39 . 2009-06-24 18:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 20:36 . 2009-06-24 18:09 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-06-24 18:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 22:57 . 2009-06-25 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\99037176
2009-07-26 08:01 . 2009-01-28 22:54 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-23 18:23 . 2008-10-28 10:07 -------- d-----w- c:\program files\Steam
2009-07-21 05:20 . 2008-10-29 06:53 -------- d-----w- c:\documents and settings\PatrickC\Application Data\gtk-2.0
2009-07-01 20:45 . 2009-03-09 07:40 -------- d-----w- c:\program files\StarCraft
2009-06-30 16:21 . 2009-03-02 09:42 -------- d-----w- c:\documents and settings\PatrickC\Application Data\Azureus
2009-06-29 07:06 . 2009-06-24 10:36 0 ----a-w- c:\windows\system32\drivers\596ebd87.sys
2009-06-24 20:26 . 2009-06-24 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\92089676
2009-06-24 20:26 . 2009-06-24 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\12079684
2009-06-24 18:09 . 2009-06-24 18:09 -------- d-----w- c:\documents and settings\PatrickC\Application Data\Malwarebytes
2009-06-24 18:09 . 2009-06-24 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-24 18:02 . 2009-06-24 10:30 104908 ----a-w- c:\windows\system32\drivers\e9ccdd83.sys
2009-06-24 17:16 . 2008-10-28 10:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-24 11:07 . 2008-11-13 19:33 -------- d-----w- c:\documents and settings\PatrickC\Application Data\Apple Computer
2009-06-24 10:38 . 2009-06-24 02:55 -------- d-----w- c:\program files\Lemonade Tycoon 2
2009-06-24 10:21 . 2009-06-24 10:21 10684866 ----a-w- c:\documents and settings\PatrickC\Application Data\Azureus\plugins\azump\mplayer.exe
2009-06-15 20:25 . 2008-10-28 09:47 -------- d-----w- c:\program files\Gravity
2009-06-12 17:36 . 2008-10-28 09:08 -------- d-----w- c:\program files\EternityRO
2006-11-20 08:48 . 2006-11-20 08:48 161768 --sha-r- c:\windows\system32\qsxutg.dll
.

------- Sigcheck -------

[7] 2005-05-28 07:14 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\system32\dllcache\aec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

c:\documents and settings\PatrickC\Start Menu\Programs\Startup\
Warkeys Update.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2009-5-3 244736]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Steam"="c:\program files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\xchung\\counter-strike\\hl.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\xchung\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4618:TCP"= 4618:TCP:gjdeaxb

R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\ngrpci.sys [6/24/2009 10:41 AM 32840]
S1 596ebd87;596ebd87;c:\windows\system32\drivers\596ebd87.sys [6/24/2009 3:36 AM 0]
S1 e9ccdd83;e9ccdd83;c:\windows\system32\drivers\e9ccdd83.sys [6/24/2009 3:30 AM 104908]
S2 lich;lich;"c:\windows\system32\lich.exe" --> c:\windows\system32\lich.exe [?]
S2 qfokkmpyfjzhu;qfokkmpyfjzhu;\??\c:\windows\system32\drivers\yequlrxd.sys --> c:\windows\system32\drivers\yequlrxd.sys [?]
S2 tcjubxi;ikxkl;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 4:56 PM 14336]
S2 uqbbd;Task System;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 4:56 PM 14336]
S2 zugvu;Security Installer;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 4:56 PM 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/24/2009 10:41 AM 32512]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
uqbbd
zugvu
tcjubxi
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-07-29 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\PatrickC\Application Data\Mozilla\Firefox\Profiles\rpty7eqc.default\

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 08:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tcjubxi]
"ServiceDll"="c:\windows\system32\qsxutg.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uqbbd]
"ServiceDll"="c:\windows\system32\liorlu.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zugvu]
"ServiceDll"="c:\windows\system32\qsxutg.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3996)
c:\windows\system32\msi.dll
c:\windows\system32\browselc.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-06 8:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-06 15:54

Pre-Run: 108,506,107,904 bytes free
Post-Run: 108,561,383,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

190

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Hello.
A rootkit was causing the problem, that's gone now, so just need to tidy the rest up.

Now open a new notepad file.
Input this into the notepad file:

Folder::
C:\found.000
c:\program files\PrivacyCenter

Driver::
596ebd87
e9ccdd83
lich
qfokkmpyfjzhu
tcjubxi
uqbbd
zugvu

NetSvc::
uqbbd
zugvu
tcjubxi

File::
c:\windows\system32\drivers\596ebd87.sys
c:\windows\system32\drivers\e9ccdd83.sys

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4618:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tcjubxi]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uqbbd]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zugvu]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
System Security 2009 - Page 2 Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Okay thank you so much for your help. I really appreciate it. I will post the log files of CF after i did what you told me. It scanned restarted and came up with this log :

ComboFix 09-08-04.04 - PatrickC 08/06/2009 11:43.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.501 [GMT -7:00]
Running from: c:\documents and settings\PatrickC\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\PatrickC\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\596ebd87.sys"
"c:\windows\system32\drivers\e9ccdd83.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\found.000
c:\found.000\file0000.chk
c:\program files\PrivacyCenter
c:\program files\PrivacyCenter\main.ico
c:\program files\PrivacyCenter\sound.wav
c:\windows\system32\drivers\596ebd87.sys
c:\windows\system32\drivers\e9ccdd83.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_lich
-------\Legacy_QFOKKMPYFJZHU
-------\Legacy_TCJUBXI
-------\Legacy_uqbbd
-------\Legacy_ZUGVU
-------\Service_596ebd87
-------\Service_e9ccdd83
-------\Service_lich
-------\Service_qfokkmpyfjzhu
-------\Service_tcjubxi
-------\Service_uqbbd
-------\Service_zugvu


((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-05 23:08 . 2009-08-06 00:02 -------- d-----w- c:\documents and settings\PatrickC\Application Data\dvdcss
2009-08-04 03:39 . 2009-08-04 03:39 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-03 19:06 . 2009-08-03 19:06 -------- d-s---w- c:\documents and settings\PatrickC\UserData
2009-08-01 18:47 . 2009-08-01 18:47 -------- d-----w- c:\program files\Warkeys
2009-07-31 23:11 . 2009-07-31 23:11 -------- d-----w- c:\program files\DotA Gaming Network
2009-07-31 23:11 . 2007-08-31 04:57 196608 ----a-w- c:\windows\system32\BNCSutil.dll
2009-07-30 00:41 . 2009-07-30 00:41 16141 ----a-w- c:\documents and settings\PatrickC\Application Data\Azureus\flamiks32.exe
2009-07-30 00:41 . 2009-07-30 00:41 422 ----a-w- c:\documents and settings\PatrickC\Application Data\Apple Computer\mario.exe
2009-07-30 00:41 . 2009-07-30 00:41 145131 ----a-w- c:\documents and settings\PatrickC\Application Data\AVG8\pingo.dll
2009-07-30 00:41 . 2009-07-30 00:41 13221 ----a-w- c:\documents and settings\PatrickC\Application Data\Adobe\xl12.exe
2009-07-30 00:41 . 2009-07-30 00:41 11232 ----a-w- c:\documents and settings\PatrickC\Application Data\.purple\norigami.dll
2009-07-29 17:49 . 2006-11-20 08:57 60800 ----a-w- c:\windows\system32\drivers\arp1394.sys
2009-07-29 17:49 . 2004-08-03 22:05 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2009-07-29 17:43 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-29 17:31 . 2009-07-29 17:31 -------- d-----w- c:\documents and settings\PatrickC\Application Data\AVG8
2009-07-29 17:29 . 2009-07-29 17:29 -------- d-----w- c:\documents and settings\PatrickC\Application Data\IObit
2009-07-29 17:28 . 2009-07-29 17:28 -------- d-----w- c:\program files\IObit
2009-07-19 10:34 . 2009-07-19 10:34 2161 ----a-w- c:\documents and settings\PatrickC\Application Data\.purple\certificates\x509\tls_peers\contacts.msn.com
2009-07-19 10:34 . 2009-07-19 10:34 2095 ----a-w- c:\documents and settings\PatrickC\Application Data\.purple\certificates\x509\tls_peers\login.live.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 07:52 . 2008-10-28 10:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-06 07:48 . 2008-10-28 09:17 -------- d-----w- c:\documents and settings\PatrickC\Application Data\.purple
2009-08-06 05:58 . 2009-03-02 09:03 -------- d-----w- c:\program files\Warcraft III
2009-08-05 17:35 . 2008-10-28 10:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 17:32 . 2008-10-28 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 17:31 . 2009-06-24 17:16 -------- d-----w- c:\program files\Lavasoft
2009-08-04 19:32 . 2009-03-05 05:45 77131 -c--a-w- c:\windows\War3Unin.dat
2009-08-04 03:39 . 2009-06-24 18:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 20:36 . 2009-06-24 18:09 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-06-24 18:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 22:57 . 2009-06-25 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\99037176
2009-07-26 08:01 . 2009-01-28 22:54 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-07-23 18:23 . 2008-10-28 10:07 -------- d-----w- c:\program files\Steam
2009-07-21 05:20 . 2008-10-29 06:53 -------- d-----w- c:\documents and settings\PatrickC\Application Data\gtk-2.0
2009-07-01 20:45 . 2009-03-09 07:40 -------- d-----w- c:\program files\StarCraft
2009-06-30 16:21 . 2009-03-02 09:42 -------- d-----w- c:\documents and settings\PatrickC\Application Data\Azureus
2009-06-24 20:26 . 2009-06-24 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\92089676
2009-06-24 20:26 . 2009-06-24 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\12079684
2009-06-24 18:09 . 2009-06-24 18:09 -------- d-----w- c:\documents and settings\PatrickC\Application Data\Malwarebytes
2009-06-24 18:09 . 2009-06-24 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-24 17:16 . 2008-10-28 10:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-24 11:07 . 2008-11-13 19:33 -------- d-----w- c:\documents and settings\PatrickC\Application Data\Apple Computer
2009-06-24 10:38 . 2009-06-24 02:55 -------- d-----w- c:\program files\Lemonade Tycoon 2
2009-06-24 10:21 . 2009-06-24 10:21 10684866 ----a-w- c:\documents and settings\PatrickC\Application Data\Azureus\plugins\azump\mplayer.exe
2009-06-15 20:25 . 2008-10-28 09:47 -------- d-----w- c:\program files\Gravity
2009-06-12 17:36 . 2008-10-28 09:08 -------- d-----w- c:\program files\EternityRO
2006-11-20 08:48 . 2006-11-20 08:48 161768 --sha-r- c:\windows\system32\qsxutg.dll
.

------- Sigcheck -------

[7] 2005-05-28 07:14 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\system32\dllcache\aec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

c:\documents and settings\PatrickC\Start Menu\Programs\Startup\
Warkeys Update.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2009-5-3 244736]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Steam"="c:\program files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\xchung\\counter-strike\\hl.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\xchung\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=

R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\ngrpci.sys [6/24/2009 10:41 AM 32840]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/24/2009 10:41 AM 32512]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\PatrickC\Application Data\Mozilla\Firefox\Profiles\rpty7eqc.default\

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 11:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3112)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-08-06 11:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-06 18:54
ComboFix2.txt 2009-08-06 15:54

Pre-Run: 108,542,160,896 bytes free
Post-Run: 108,496,494,592 bytes free

161


Thanks again in advance. You've been a great help and my computer is running more smoothly now.

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Hello.
Just a few leftover folders to get rid of now.

Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\documents and settings\PatrickC\Application Data\Azureus
    c:\documents and settings\All Users\Application Data\99037176
    c:\documents and settings\All Users\Application Data\92089676
    c:\documents and settings\All Users\Application Data\12079684


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
========== FILES ==========
c:\documents and settings\PatrickC\Application Data\Azureus\torrents moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\tmp moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\shares moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\plugins\azupnpav moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\plugins\azump\mplayer moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\plugins\azump moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\plugins moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\net moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\media\azpd moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\media moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\logs\save moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\logs moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\dht moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\devices moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\cache moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus\active moved successfully.
c:\documents and settings\PatrickC\Application Data\Azureus moved successfully.
c:\documents and settings\All Users\Application Data\99037176 moved successfully.
c:\documents and settings\All Users\Application Data\92089676 moved successfully.
c:\documents and settings\All Users\Application Data\12079684 moved successfully.

OTM by OldTimer - Version 3.0.0.5 log created on 08062009_124320

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Can you run another Malwarebytes scan and post the results back here.

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
When i try updating it says "An error occurred. Please report the following error code to Malwarebytes' Anti-Malware support team. Error Code: 732 (0,0) should i just re-install? I am running a quick scan right now

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Malwarebytes' Anti-Malware 1.40
Database version: 2565
Windows 5.1.2600 Service Pack 2

8/6/2009 2:49:17 PM
mbam-log-2009-08-06 (14-49-17).txt

Scan type: Quick Scan
Objects scanned: 90029
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

System Security 2009 - Page 2 CF_Cleanup

This will also reset your restore points.

How is the machine running now?

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Does that uninstall it? And yes. My system is running fine now. However, when I run Warcraft III : Frozen Throne in windows mode, during a game, it sometimes restart. Is that just because I am working my computer too hard?
Thanks for the help!

Edit: Also when i try updating Malwarebyte's Anti-Malware i get an error report saying : "An error occurred. Please report hte following error code to Malwarebytte's Anti-Malware support team. Error code: 732 (0, 0)" I've tried re-downloading and re-installing as well.

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Hello.
The restarting during the game could be overloading the graphics card.

If the game is loading many graphics at once, like when your firing at someone and moving at the same time and doing other things all at once, it basically overloads the machines graphics and causes it to restart.

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Hello, Recently I have been trying to update Malwarebytes but I am unable to through the program because I get an error. Instead I tried doing hte manual update through the Malwarebytes forum, however, that site is not working for me either. I get the "server not found" page, try again.

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Post a new Hijack This log.

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
Here is the Hijack this Logs :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:18 PM, on 9/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Warkeys Update.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA-OMEGA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3335 bytes


And here is the installation list :
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9
AGEIA PhysX v7.11.13
Apple Mobile Device Support
Apple Software Update
Counter-Strike
DotA Client Build 2.31 Beta
DotA Client Build 2.4 Beta
Full Tilt Poker
GTK+ Runtime 2.12.12 rev a (remove only)
HijackThis 2.0.2
iTunes
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.3)
NVIDIA Drivers
Nvidia Omega Drivers v2.169.21 Setup Files
Pidgin
QuickTime
RagnarokOnline
Smart Defrag 1.20
Spybot - Search & Destroy
StarCraft
Steam
Sylvanas RO Small Installer
Team Fortress 2
Ventrilo Client
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 0.9.9
Warkeys 1.14.1.0b
WC3Banlist
WinPcap 3.1
WinRAR archiver

descriptionSystem Security 2009 - Page 2 EmptyRe: System Security 2009

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum