virus and/or trojan fake scanner "total security"

#1 illuminati (Member, 56 posts)

Awesome. It's been like... weeks since I last got help here.
I have officially learned my lesson,
but I am in need of your help again!

I still have OTL, Rooter, SDFix and stuff installed from my last one, but it won't let me open them.
It has a little box saying "the file mcrdsvc.exe is infected", so I don't know what to do and I have no logs I can post.
I also can't use Firefox and Google Chrome; I am using IE.

What do I do? You guys are so amazing here, thanks in advance!

EDIT**
While I was waiting for you guys I looked at a couple of other posts and I downloaded the new ComboFix.
Restarted my computer in safe mode,
ran ComboFix,
and here's the new log it has.
The main virus thing is gone, but there are a couple of other popups still there.
I also ran Malwarebytes Anti-Malware, but that was outdated and probably not much help; here's the new log.txt anyway.

ComboFix 09-08-10.06 - ning yang 08/16/2009 18:39.8.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.795 [GMT -5:00]
Running from: c:\documents and settings\ning yang\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\16359534
c:\documents and settings\All Users\Application Data\16359534\16359534
c:\documents and settings\All Users\Application Data\16359534\16359534.exe
c:\documents and settings\All Users\Application Data\16359534\pc16359534ins
c:\documents and settings\All Users\Application Data\96865926.ini
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\run.log
c:\windows\system32\15160186.dll
c:\windows\system32\duhopadi.dll
c:\windows\system32\fekabota.dll
c:\windows\system32\getofenu.dll
c:\windows\system32\hewemaha.dll
c:\windows\system32\lebovepe.dll
c:\windows\system32\mejaware.dll
c:\windows\system32\nipuruwi.dll
c:\windows\system32\padanoku.dll
c:\windows\system32\pibujudo.dll
c:\windows\system32\pitajayi.dll
c:\windows\system32\temeyuhu.dll
c:\windows\system32\vokelabe.dll
c:\windows\system32\wahawiye.dll
c:\windows\system32\wiyuwode.dll
c:\windows\system32\woninari.dll
c:\windows\system32\yiperido.dll
c:\windows\system32\zubadabo.dll

----- BITS: Possible infected sites -----

hxxp://82.98.231.96
c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-15 15:30 . 2009-08-15 16:38 84480 ----a-w- c:\windows\system32\pesimira.dll
2009-08-15 13:39 . 2006-03-15 12:00 82944 ---h-tw- c:\windows\system32\95385b8.dll
2009-08-15 13:39 . 2006-03-15 12:00 82944 ---h-tw- c:\windows\system32\18eb25e.dll
2009-08-15 04:09 . 2006-03-15 12:00 82944 ---h-tw- c:\windows\system32\d93b57c.dll
2009-08-13 15:38 . 2009-08-13 15:38 84992 --sha-w- c:\windows\system32\tibibove.dll
2009-08-10 03:05 . 2009-08-10 03:06 -------- d-----w- c:\documents and settings\ning yang\Local Settings\Application Data\Temp
2009-08-09 15:42 . 2009-08-09 15:42 84992 --sha-w- c:\windows\system32\fomofege.dll
2009-07-28 18:26 . 2009-07-28 18:26 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-07-28 17:06 . 2009-07-28 17:06 -------- d-----w- C:\nDoors

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 00:12 . 2009-02-14 06:27 -------- d-----w- c:\documents and settings\ning yang\Application Data\LimeWire
2009-08-15 04:42 . 2006-09-15 18:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 03:38 . 2009-05-15 03:38 84992 --sha-w- c:\windows\system32\gozesifu.dll
2009-08-15 03:00 . 2007-09-02 05:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-14 15:38 . 2009-05-14 15:38 83968 --sha-w- c:\windows\system32\nurobumo.dll
2009-08-14 03:37 . 2009-05-14 03:37 83968 --sha-w- c:\windows\system32\halegibu.dll
2009-08-13 14:07 . 2006-09-01 22:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-13 03:37 . 2009-05-13 03:37 49152 --sha-w- c:\windows\system32\muhugumi.dll
2009-08-13 03:37 . 2009-05-13 03:37 84992 --sha-w- c:\windows\system32\mokodime.dll
2009-08-12 03:36 . 2009-05-12 03:36 84992 --sha-w- c:\windows\system32\zenafasi.dll
2009-08-11 15:36 . 2009-05-11 15:36 84992 --sha-w- c:\windows\system32\yeyikufa.dll
2009-08-10 15:36 . 2009-05-10 15:36 50176 --sha-w- c:\windows\system32\wiseyiwi.dll
2009-08-10 15:36 . 2009-05-10 15:36 83968 --sha-w- c:\windows\system32\renukahi.dll
2009-08-10 03:36 . 2009-05-10 03:36 83968 --sha-w- c:\windows\system32\rabutine.dll
2009-08-09 03:36 . 2009-05-09 03:35 49664 --sha-w- c:\windows\system32\fegibayu.dll
2009-08-09 03:35 . 2009-05-09 03:35 85504 --sha-w- c:\windows\system32\larahujo.dll
2009-08-08 15:35 . 2009-05-08 15:35 85504 --sha-w- c:\windows\system32\juhijudu.dll
2009-08-08 15:00 . 2006-09-15 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-30 12:18 . 2009-06-29 14:17 -------- d-----w- c:\program files\Vuze
2009-07-30 12:18 . 2009-06-29 14:18 -------- d-----w- c:\documents and settings\ning yang\Application Data\Azureus
2009-07-28 16:47 . 2009-01-09 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-07-04 04:33 . 2009-07-04 04:33 -------- d-----w- c:\program files\drv
2009-07-01 19:24 . 2006-12-19 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-01 19:24 . 2006-12-19 02:35 -------- d-----w- c:\program files\Viewpoint
2009-07-01 05:01 . 2006-11-01 23:52 -------- d-----w- c:\documents and settings\ning yang\Application Data\Apple Computer
2009-07-01 04:58 . 2007-09-05 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-01 04:25 . 2006-11-01 23:50 -------- d-----w- c:\program files\Apple Software Update
2009-07-01 04:20 . 2009-07-01 04:19 -------- d-----w- c:\program files\Safari
2009-07-01 04:14 . 2009-07-01 04:12 -------- d-----w- c:\program files\iTunes
2009-07-01 04:14 . 2009-07-01 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-01 04:13 . 2009-07-01 04:13 -------- d-----w- c:\program files\iPod
2009-07-01 04:13 . 2007-09-05 23:28 -------- d-----w- c:\program files\Common Files\Apple
2009-07-01 04:09 . 2007-11-04 19:04 -------- d-----w- c:\program files\Bonjour
2009-07-01 04:08 . 2007-09-05 23:30 -------- d-----w- c:\program files\QuickTime
2009-07-01 03:58 . 2009-07-01 03:58 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-29 18:03 . 2009-06-29 18:03 -------- d-----w- c:\program files\Croteam
2009-06-29 14:22 . 2008-07-01 00:25 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-06-29 14:19 . 2006-09-15 18:45 45936 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 14:18 . 2009-06-29 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-06-29 01:20 . 2008-04-13 02:12 -------- d-----w- c:\documents and settings\ning yang\Application Data\dvdcss
2009-06-16 16:55 . 2009-05-07 15:13 127872 ----a-w- c:\documents and settings\ning yang\Application Data\Move Networks\uninstall.exe
2009-06-16 16:55 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\ning yang\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-06-16 16:55 . 2009-06-16 16:55 1685856 ----a-w- c:\documents and settings\ning yang\Application Data\Move Networks\MoveMediaPlayerWinSilent_071503000010.exe
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\ning yang\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-05 16:42 . 2009-07-01 04:04 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 16:42 . 2009-07-01 04:04 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-19 06:36 . 2009-06-15 16:17 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 06:36 . 2009-06-15 16:17 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 06:36 . 2009-06-15 16:17 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 06:36 . 2009-06-15 16:17 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 06:36 . 2009-06-15 16:17 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 06:36 . 2009-06-15 16:17 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 06:36 . 2009-06-15 16:17 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 06:36 . 2009-06-15 16:17 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2006-12-08 19:16 . 2006-12-08 19:16 91265 ------w- c:\program files\OCT2006_xinput_x64.cab
2008-12-07 17:15 . 2008-12-07 17:15 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-11-21 04:20 . 2007-11-21 04:20 24 --sha-w- c:\windows\SCE29FF40.tmp
2009-05-10 15:37 . 2009-05-10 15:37 50176 --sha-w- c:\windows\system32\birakuze.dll.tmp
2009-05-09 03:36 . 2009-05-09 03:36 49664 --sha-w- c:\windows\system32\damameni.dll.tmp
2009-05-09 03:36 . 2009-05-09 03:36 49664 --sha-w- c:\windows\system32\juvilisi.dll.tmp
2009-05-10 15:37 . 2009-05-10 15:37 50176 --sha-w- c:\windows\system32\liwiyase.dll.tmp
2009-05-10 15:37 . 2009-05-10 15:37 50176 --sha-w- c:\windows\system32\nizosole.dll.tmp
2009-05-08 15:30 . 2009-05-08 15:30 50176 --sha-w- c:\windows\system32\rasefaki.dll.tmp
2009-05-09 03:36 . 2009-05-09 03:36 49664 --sha-w- c:\windows\system32\vapisoto.dll.tmp
2009-05-08 15:30 . 2009-05-08 15:30 50176 --sha-w- c:\windows\system32\yofabutu.dll.tmp
2009-05-08 15:30 . 2009-05-08 15:30 50176 --sha-w- c:\windows\system32\yumamano.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot_2009-07-04_05.09.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-17 00:00 . 2009-08-17 00:00 16384 c:\windows\temp\Perflib_Perfdata_7cc.dat
+ 2009-08-17 00:00 . 2009-08-17 00:00 16384 c:\windows\temp\Perflib_Perfdata_618.dat
+ 2007-06-01 03:44 . 2009-08-08 22:53 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2007-06-01 03:44 . 2009-03-24 22:57 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-04 16:57 . 2009-08-16 23:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-09-01 22:18 . 2009-08-16 23:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-01 22:18 . 2009-06-29 01:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-09-01 22:18 . 2009-08-16 23:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-28 17:13 . 2009-07-28 17:13 49152 c:\windows\Installer\{1A4E71A5-643D-4536-B624-995F7E212272}\UNINST_Uninstall_W_6B6272B7BA494E89A724FFF5411D943D.exe
+ 2009-07-28 17:13 . 2009-07-28 17:13 45056 c:\windows\Installer\{1A4E71A5-643D-4536-B624-995F7E212272}\Load.exe1_3BB43529106C4AC6B6C61C8F4EC0EC3E.exe
+ 2009-07-28 17:13 . 2009-07-28 17:13 45056 c:\windows\Installer\{1A4E71A5-643D-4536-B624-995F7E212272}\Load.exe_79A62B4A246342D7AB3FF9D1A91C9626.exe
+ 2009-07-28 17:13 . 2009-07-28 17:13 53248 c:\windows\Installer\{1A4E71A5-643D-4536-B624-995F7E212272}\ARPPRODUCTICON.exe
+ 2009-08-13 14:07 . 2009-08-13 14:07 10134 c:\windows\Installer\{13515135-48BB-4184-8C1F-2FAE0138E200}\ARPPRODUCTICON.exe
+ 2009-08-16 23:55 . 2009-08-16 23:55 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-08-13 14:07 . 2009-08-13 14:07 902656 c:\windows\Installer\13c8067b.msi
+ 2009-08-16 23:55 . 2009-08-16 23:55 221184 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-16 23:55 . 2009-08-16 23:55 245760 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-07-28 17:13 . 2009-07-28 17:13 1223168 c:\windows\Installer\227721d.msi
+ 2009-08-16 23:55 . 2009-08-16 23:55 11210752 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 1368064]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-04-27 50736]
"Google Update"="c:\documents and settings\ning yang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-10 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-14 136600]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-10 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"DISCover"="c:\program files\DISC\DISCover.exe" [2006-06-02 1077248]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"WatchDog"="c:\program files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-07 30192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"CPM47eb97b5"="c:\windows\system32\gozesifu.dll" [2009-08-15 84992]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]

c:\documents and settings\ning yang\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-1-29 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
Trend Micro Anti-Spyware.lnk - c:\program files\Trend Micro\Tmas\Tmas.exe [2006-9-15 1310720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\gozesifu.dll" [2009-08-15 84992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= "c:\program files\Trend Micro\Tmas\sshook.dll" [2006-09-15 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gozesifu.dll [2009-08-15 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 23:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Sony\\VAIO Media 5.0\\Vc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"57745:TCP"= 57745:TCP:Pando Media Booster
"57745:UDP"= 57745:UDP:Pando Media Booster
"8085:TCP"= 8085:TCP:drv
"58245:TCP"= 58245:TCP:Pando Media Booster
"58245:UDP"= 58245:UDP:Pando Media Booster

R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/3/2009 11:33 PM 9344]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/31/2007 4:10 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2007 12:35 PM 112688]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [9/1/2006 4:56 PM 226304]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe --> c:\cygwin\bin\cygrunsrv.exe [?]
S3 CEDRIVER53;CEDRIVER53;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
S3 geebers12;geebers12;\??\c:\documents and settings\ning yang\Desktop\BUFFY ENGINE!\nvid888.sys --> c:\documents and settings\ning yang\Desktop\BUFFY ENGINE!\nvid888.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/7/2008 12:15 PM 30192]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sejt1;sejt1;\??\c:\documents and settings\ning yang\Desktop\AkumaEngine33\sejt.sys --> c:\documents and settings\ning yang\Desktop\AkumaEngine33\sejt.sys [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
Contents of the 'Scheduled Tasks' folder

2009-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 17:34]

2009-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-805219305-77767833-262220036-1005Core.job
- c:\documents and settings\ning yang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-10 03:05]

2009-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-805219305-77767833-262220036-1005UA.job
- c:\documents and settings\ning yang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-10 03:05]

2009-08-15 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - ning yang.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 05:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{123c6ce5-af94-4e98-9377-c4aa8cb6fd02} - c:\windows\system32\tonigili.dll
HKLM-Run-16359534 - c:\documents and settings\All Users\Application Data\16359534\16359534.exe
HKLM-Run-huyalolupo - c:\windows\system32\rasipuhe.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
FF - ProfilePath - c:\documents and settings\ning yang\Application Data\Mozilla\Firefox\Profiles\lck460yz.default\
FF - prefs.js: browser.startup.homepage - gmail.com
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\ning yang\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\ning yang\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\ning yang\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 19:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(5248)
c:\windows\system32\gozesifu.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint\ApntEx.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-17 19:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-17 00:23
ComboFix2.txt 2009-08-16 22:54
ComboFix3.txt 2009-08-16 04:27
ComboFix4.txt 2009-08-09 18:14
ComboFix5.txt 2009-08-16 23:38

Pre-Run: 7,952,818,176 bytes free
Post-Run: 6,827,585,536 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
363 --- E O F --- 2008-08-14 08:02

Edited by illuminati, 16 August 2009 - 06:58 PM.
