I ran a ComboFix scan, and I have the log here.
What do I do to delete the virus?
ComboFix 09-08-22.06 - Philip Yeung 08/23/2009 19:21.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.893.528 [GMT -7:00]
Running from: c:\documents and settings\Philip Yeung\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.
/wow section - STAGE 32A
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-603682670-807078939-456122966-1003
c:\windows\Downloaded Program Files\PurpleBean.exe
c:\windows\Installer\13c1bd.msi
c:\windows\Installer\24fde8.msp
c:\windows\ONSPCLCK.exe
c:\windows\system32\drivers\SKYNETriurrvit.sys
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\SKYNETcchxnseq.dll
c:\windows\system32\SKYNETdavntqbu.dat
c:\windows\system32\SKYNETfasrshky.dat
c:\windows\system32\SKYNETibavhevi.dat
c:\windows\system32\SKYNETmdxvcpfu.dll
c:\windows\system32\SKYNETmqeexuet.dll
c:\windows\system32\SKYNETnbqpfwor.dll
c:\windows\system32\SKYNETnqevwbwu.dll
c:\windows\system32\SKYNETpqparstt.dat
c:\windows\system32\SKYNETpylptego.dll
c:\windows\system32\SKYNETqfuxjvrj.dll
c:\windows\system32\SKYNETqxtnnsee.dll
c:\windows\system32\SKYNETrjuykxns.dll
c:\windows\system32\SKYNETtdltapqj.dat
c:\windows\system32\SKYNETterttxhi.dat
c:\windows\system32\SKYNETuyptxotu.dll
c:\windows\system32\SKYNETwrtlilrm.dat
c:\windows\system32\SKYNETwxwaoevs.dat
c:\windows\system32\SKYNETxvbcvpxo.dat
c:\windows\system32\SKYNETyarmtasw.dat
c:\windows\system32\SKYNETycbvttnp.dat
c:\windows\system32\TIControlPanel.cpl.manifest
c:\windows\system32\wr26412.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETqowupkro
-------\Legacy_SKYNETqowupkro
((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.
2009-08-24 02:19 . 2009-08-24 02:19 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-08-24 02:03 . 2009-08-24 02:03 -------- d-----w- c:\documents and settings\Philip Yeung\Application Data\Malwarebytes
2009-08-24 02:03 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 02:03 . 2009-08-24 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-24 02:03 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-24 02:03 . 2009-08-24 02:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 18:19 . 2006-12-11 17:20 180224 ----a-w- c:\documents and settings\Philip Yeung\Application Data\U3\000016718671771F\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\U3AppWrapper.exe
2009-08-23 18:19 . 2006-12-11 17:20 983829 ----a-w- c:\documents and settings\Philip Yeung\Application Data\U3\000016718671771F\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\master.exe
2009-08-23 18:19 . 2006-12-11 17:20 72192 ----a-w- c:\documents and settings\Philip Yeung\Application Data\U3\000016718671771F\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKLIST.EXE
2009-08-23 18:19 . 2006-12-11 17:20 72192 ----a-w- c:\documents and settings\Philip Yeung\Application Data\U3\000016718671771F\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKKILL.EXE
2009-08-23 18:19 . 2006-12-11 17:20 325 ----a-w- c:\documents and settings\Philip Yeung\Application Data\U3\000016718671771F\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\stopApp.bat
2009-08-23 18:19 . 2006-12-11 17:20 15 ----a-w- c:\documents and settings\Philip Yeung\Application Data\U3\000016718671771F\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\run_me.bat
2009-08-23 18:19 . 2006-12-11 17:20 40960 ----a-w- c:\documents and settings\Philip Yeung\Application Data\U3\000016718671771F\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\appstop.exe
2009-08-21 19:20 . 2009-08-21 19:20 -------- d-----w- c:\program files\ParetoLogic
2009-08-21 19:20 . 2009-08-21 19:20 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-08-21 19:20 . 2009-08-21 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-08-21 19:19 . 2009-08-21 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Cached Installations
2009-08-21 05:41 . 2009-08-21 05:41 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-08-21 05:41 . 2009-08-21 05:41 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-08-21 05:40 . 2009-08-24 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-08-21 05:40 . 2009-08-21 05:40 -------- d-----w- c:\program files\Kaspersky Lab
2009-08-21 05:39 . 2009-08-21 05:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-08-12 17:52 . 2009-08-12 17:52 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-12 17:52 . 2009-08-12 17:52 -------- d-----w- c:\windows\system32\AGEIA
2009-08-12 17:42 . 2009-08-12 18:58 -------- d-----w- c:\windows\nview
2009-08-12 17:42 . 2009-02-18 21:44 453152 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-12 17:41 . 2009-02-17 06:17 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-12 16:48 . 2009-08-12 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-08-12 16:27 . 2009-08-12 17:47 -------- d-----w- c:\program files\NVIDIA Corporation
2009-08-12 16:27 . 2009-08-12 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-08-12 16:10 . 2009-08-04 06:13 2061592 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-08-12 16:10 . 2009-08-04 06:13 3476760 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-08-12 16:10 . 2009-08-04 06:13 2000152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-08-12 16:10 . 2009-08-04 06:13 1213720 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
2009-08-10 04:46 . 2009-08-10 04:46 152576 ----a-w- c:\documents and settings\Philip Yeung\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-08 03:20 . 2009-08-21 05:36 -------- d-----w- c:\program files\Lavasoft
2009-08-07 06:29 . 2009-08-07 06:29 -------- d-----w- c:\documents and settings\Administrator.FAMILYCOMPUTER\Application Data\DivX
2009-08-07 06:29 . 2009-08-07 06:29 -------- d-----w- c:\documents and settings\Administrator.FAMILYCOMPUTER\Application Data\Media Player Classic
2009-08-07 06:03 . 2009-08-07 06:03 1475352 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\prepare\avgupd.dll
2009-08-07 03:41 . 2009-08-21 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-04 20:23 . 2009-08-04 21:47 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-04 06:13 . 2009-08-04 05:48 12936 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrkx86.sys
2009-08-04 06:13 . 2009-08-04 05:48 10520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2009-08-04 06:13 . 2009-08-04 05:48 98440 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-08-04 06:13 . 2009-08-04 05:48 90632 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtdix.sys
2009-08-04 06:13 . 2009-08-04 05:48 287000 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-08-04 06:13 . 2009-08-04 05:48 26824 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-08-04 06:10 . 2009-08-04 06:10 1126168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-04 06:10 . 2009-08-04 06:10 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-04 06:10 . 2009-08-04 06:10 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-08-04 06:10 . 2009-08-04 06:10 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-04 05:48 . 2009-08-21 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-04 05:48 . 2009-08-04 05:48 -------- d-----w- c:\program files\AVG
2009-08-04 01:51 . 2009-08-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-04 01:51 . 2009-08-04 01:51 -------- d-----w- c:\documents and settings\Philip Yeung\Local Settings\Application Data\Downloaded Installations
2009-08-03 16:43 . 2009-08-03 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-08-03 16:43 . 2009-08-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-03 16:42 . 2009-08-04 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-03 16:32 . 2009-08-03 16:32 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-08-03 03:31 . 2009-08-03 03:31 -------- d--h--w- c:\documents and settings\Philip Yeung\Application Data\IFViewer
2009-07-29 01:03 . 2009-07-29 01:03 -------- d-----w- c:\program files\Red Kawa
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 18:13 . 2006-10-11 23:31 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-08-23 03:16 . 2007-06-04 00:57 -------- d-----w- c:\documents and settings\Philip Yeung\Application Data\U3
2009-08-21 16:24 . 2008-02-26 06:24 -------- d-----w- c:\documents and settings\Philip Yeung\Application Data\uTorrent
2009-08-21 06:25 . 2006-10-11 23:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 06:25 . 2008-06-09 21:33 -------- d-----w- c:\program files\CyberLink
2009-08-14 00:54 . 2009-03-28 16:28 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-13 19:03 . 2009-03-29 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 17:52 . 2007-02-08 03:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-12 17:40 . 2006-12-24 01:50 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-12 16:12 . 2009-07-22 17:32 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-10 04:47 . 2006-10-11 23:16 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2006-04-30 05:11 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-04 02:38 . 2006-10-11 23:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-04 01:50 . 2006-10-11 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-03 03:44 . 2009-04-18 07:53 -------- d-----w- c:\program files\Cheat Engine
2009-07-31 02:22 . 2008-08-11 17:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 12:23 . 2009-01-07 06:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2006-04-30 05:10 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2006-04-30 05:11 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-11 04:49 . 2009-06-04 06:31 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-11 04:49 . 2008-01-31 00:31 -------- d-----w- c:\documents and settings\Philip Yeung\Application Data\SystemRequirementsLab
2009-07-11 04:49 . 2009-07-11 04:49 207872 ----a-w- c:\documents and settings\Philip Yeung\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-07-11 04:49 . 2009-07-11 04:49 207872 ----a-w- c:\documents and settings\Philip Yeung\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-07-11 04:49 . 2009-07-11 04:49 207872 ----a-w- c:\documents and settings\Philip Yeung\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-07-11 04:49 . 2009-07-11 04:49 207872 ----a-w- c:\documents and settings\Philip Yeung\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-07-09 15:52 . 2009-07-09 15:52 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.463\English\setup.exe
2009-07-09 15:52 . 2009-07-09 15:52 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.463\English\setup.exe
2009-07-03 22:48 . 2009-07-03 22:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 22:45 . 2009-07-03 22:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-07-03 17:09 . 2006-04-30 05:11 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 02:59 . 2009-07-02 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-07-02 20:19 . 2008-01-09 00:00 -------- d--h--w- c:\documents and settings\Philip Yeung\Application Data\ijjigame
2009-07-02 19:55 . 2009-07-02 19:55 220926964 ----a-w- c:\documents and settings\Philip Yeung\Application Data\ijjigame\U_GUNZ_setup.exe
2009-07-02 19:54 . 2008-01-09 00:00 480688 -c--a-w- c:\documents and settings\Philip Yeung\Application Data\ijjigame\ijjistarter2FxB.exe
2009-07-02 19:49 . 2006-11-25 01:49 81232 ----a-w- c:\documents and settings\Philip Yeung\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 20:32 . 2009-03-30 00:07 -------- d-----w- c:\program files\Microsoft Works
2009-07-01 19:47 . 2006-12-25 01:48 -------- d-----w- c:\program files\Ahead
2009-07-01 04:21 . 2009-06-30 21:17 -------- d-----w- c:\documents and settings\Philip Yeung\Application Data\dvdcss
2009-06-30 21:16 . 2009-04-01 00:01 -------- d-----w- c:\documents and settings\Philip Yeung\Application Data\DAEMON Tools Lite
2009-06-21 19:11 . 2009-06-21 19:11 10344 ----a-w- c:\windows\system32\drivers\symlcbrd.sys
2009-06-16 14:36 . 2006-04-30 05:11 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-04-30 05:10 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-15 21:01 . 2009-06-15 21:01 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-06-12 12:31 . 2006-04-30 05:10 76288 ------w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2006-04-30 05:30 2066432 ------w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2006-04-30 05:10 84992 ------w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-04-30 05:11 132096 ------w- c:\windows\system32\wkssvc.dll
2009-06-04 06:31 . 2009-06-04 06:31 290816 -c--a-w- c:\documents and settings\Philip Yeung\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-06-04 06:31 . 2009-06-04 06:31 290816 -c--a-w- c:\documents and settings\Philip Yeung\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-06-04 06:31 . 2009-06-04 06:31 290816 -c--a-w- c:\documents and settings\Philip Yeung\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-06-04 06:31 . 2009-06-04 06:31 290816 ----a-w- c:\documents and settings\Philip Yeung\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-06-03 19:09 . 2006-04-30 05:11 1291264 ------w- c:\windows\system32\quartz.dll
2009-04-01 05:47 . 2009-04-01 02:00 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2007-06-21 18:00 . 2006-11-25 01:48 88 --sh--r- c:\windows\system32\4D6021DBCD.sys
2008-10-12 23:08 . 2006-11-25 01:48 4184 -csha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-11 536576]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2006-07-03 110592]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"AMSG"="c:\progra~1\THINKV~1\AMSG\amsg.exe" [2005-11-22 507904]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-07-03 303376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-12-20 16860672]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2005-04-13 49152]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-12-24 25214]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"63908:TCP"= 63908:TCP:*:Disabled:SolidNetworkManager
"63908:UDP"= 63908:UDP:*:Disabled:SolidNetworkManager
"56965:TCP"= 56965:TCP:*:Disabled:SolidNetworkManager
"56965:UDP"= 56965:UDP:*:Disabled:SolidNetworkManager
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [3/28/2009 6:00 PM 13696]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [12/11/2008 7:08 AM 3575808]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 3:55 PM 3968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/22/2008 9:48 PM 24652]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [3/30/2009 4:28 PM 1533808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [3/28/2009 9:09 AM 26272]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [10/11/2006 4:13 PM 16384]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [10/11/2006 4:13 PM 9216]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 maxD20081102;maxD20081102;\??\c:\documents and settings\Philip Yeung\Desktop\binary\max20081102.sys --> c:\documents and settings\Philip Yeung\Desktop\binary\max20081102.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SoRa_DRIVER53;SoRa_DRIVER53;\??\c:\documents and settings\Philip Yeung\Desktop\H\Hack pack\SoRa 4.6\SoRa_.sys --> c:\documents and settings\Philip Yeung\Desktop\H\Hack pack\SoRa 4.6\SoRa_.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3971450374-1987798764-102444739-1006Core.job
- c:\documents and settings\Philip Yeung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-23 02:20]
2009-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3971450374-1987798764-102444739-1006UA.job
- c:\documents and settings\Philip Yeung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-23 02:20]
2009-08-24 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 19:25]
2009-08-21 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 19:25]
2009-08-23 c:\windows\Tasks\User_Feed_Synchronization-{54E501AB-AB24-4C1C-9CF3-1A40BB5C8508}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
- - - - ORPHANS REMOVED - - - -
Notify-AtiExtEvent - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} - hxxp://s.nx.com/activex/public_new/nxpm.cab
FF - ProfilePath - c:\documents and settings\Philip Yeung\Application Data\Mozilla\Firefox\Profiles\j9avk0mw.default\
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Philip Yeung\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npssn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\SolidStateNetworks\SolidStateION\npssn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 19:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3971450374-1987798764-102444739-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3288)
c:\windows\system32\WININET.dll
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pelscrll.dll
c:\windows\system32\PELCOMM.dll
c:\windows\system32\PELHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\PELMICED.EXE
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
.
**************************************************************************
.
Completion time: 2009-08-24 19:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 02:41
Pre-Run: 190,692,270,080 bytes free
Post-Run: 190,622,580,736 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
423 --- E O F --- 2009-08-18 23:21