Old 01-17-2009, 07:59 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Taskmgr + Regedit Disabled

Hi TSF, after a little over a week since my previous thread without any replies (and a bump), I've decided to try my luck and make a new thread with updated logs. I check TSF every 2-3 hours, so it was quite anticipating. Anyway, my computer has been infected with win32.worm.warezov for a while now, and Task Manager and Registry Editor have been disabled. I've tried clearing it out with Spybot, but it just kept coming back.

I did download something called "XP Security Console" by Doug Knox to try to re-enable my Task Manager, because it has been pretty annoying not being able to use it. The console did help me, but only while I left the thing running; after I enabled task+reg and closed the program, they would just go back to being disabled again. And what's worse is, the console won't work a second time; I have to unzip it again for it to work. Some programs don't work twice on my computer, requiring a reboot for them to work. I've noticed a lot of processes running in the Task Manager that I've never seen before; that's when I realized I should really repost this with updated logs.


DDS (Ver_09-01-07.01) - NTFSx86
Run by HP_Administrator at 9:07:00.85 on Sat 01/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1426 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wincrwmvs.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlkpntc.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\iqklxg.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ywqtnq.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlegejk.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\nyay.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winxsnhl.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\dsnwp.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winskrcw.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\losekc.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\eauo.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\xfsv.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winxsmkr.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winpunsun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winpbusi.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winjhkkto.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winedlv.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winlvjh.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\nwru.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\bxwja.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winmnwndv.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wineafv.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\boisp.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winmxnt.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winmckmyx.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\rwudbp.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\tlnugl.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winwhurda.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\sqdle.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: trymedia.com
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\elmmpp.sys --> c:\windows\system32\drivers\elmmpp.sys [?]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-9 33752]

=============== Created Last 30 ================

2009-01-15 04:44 <DIR> --d----- c:\program files\VSTplugins
2009-01-15 04:33 <DIR> --d----- c:\program files\Sony
2009-01-15 04:33 <DIR> --d----- c:\program files\Sony Setup
2009-01-15 04:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-01-15 03:46 <DIR> --d----- c:\program files\Bonjour
2009-01-15 03:35 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-15 02:48 32,592 a------- c:\windows\system32\msonpmon.dll
2009-01-15 02:40 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-01-10 23:46 2,924,712 a------- c:\windows\system32\mi2.exe
2009-01-10 23:46 1,105,002 a------- c:\windows\system32\mi1.exe
2009-01-10 19:36 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-01-10 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-10 03:23 250 a------- c:\windows\gmer.ini
2009-01-10 02:36 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\True Sword
2009-01-10 01:12 <DIR> --d----- C:\EmergencyUtils
2009-01-09 03:44 17,876 a---h--- c:\windows\system32\wcdrtc32.dl_
2009-01-09 03:44 25,600 a------- c:\windows\system32\wcdrtc32.dll
2009-01-09 01:36 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-09 01:23 <DIR> --d----- c:\windows\system32\URTTemp
2009-01-09 00:24 <DIR> --d----- c:\windows\SxsCaPendDel
2009-01-08 23:31 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-08 22:27 14,048 -------- c:\windows\system32\spmsg2.dll
2009-01-08 03:32 <DIR> --d----- C:\Fraps
2009-01-05 21:07 <DIR> --d----- c:\program files\common files\xing shared
2008-12-30 10:26 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-30 10:09 <DIR> --d----- c:\program files\SystemRequirementsLab
2008-12-30 08:16 4,682 a------- c:\windows\system32\npptNT2.sys
2008-12-30 08:16 5,174 a------- c:\windows\system32\nppt9x.vxd
2008-12-30 06:51 <DIR> --d----- c:\program files\Lavasoft
2008-12-30 06:41 157,152 a------- c:\windows\system32\PubPlugin.dll
2008-12-30 06:41 58,800 a------- c:\windows\system32\ijjiPlugin2.dll
2008-12-30 06:41 710,064 a------- c:\windows\system32\ijjiSetup.exe
2008-12-30 06:31 66,082 a------- c:\windows\system32\dllcache\c_10021.nls
2008-12-30 06:31 66,082 a------- c:\windows\system32\c_10021.nls
2008-12-30 06:31 6,144 a------- c:\windows\system32\ftlx041e.dll
2008-12-30 06:31 6,144 a------- c:\windows\system32\dllcache\ftlx041e.dll
2008-12-30 06:04 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2008-12-30 06:04 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2008-12-30 05:13 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-30 05:13 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-30 05:10 <DIR> --dshr-- C:\cmdcons
2008-12-30 05:10 <DIR> --d----- c:\windows\setupupd
2008-12-30 05:08 1,901 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_EX276AA-ABA a1540n_YC_0Pavi_QCNH625_E63NAemMPA2_48_INODUSM_SASUSTek Computer INC._V1.03_B3.04_T060614_WXP2_L409_M1983_J250_7AMD_8Athlon 64 X2 Dual Core_92.2_#060810_N_Z14F12F20_G10DE0241.MRK
2008-12-30 05:04 <DIR> --d----- c:\documents and settings\hp_administrator\WINDOWS
2008-12-30 05:04 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Symantec
2008-12-30 05:04 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Intuit
2008-12-30 05:04 <DIR> --d----- c:\documents and settings\HP_Administrator
2008-12-30 04:54 <DIR> --dshr-- c:\windows\system32\dllcache
2008-12-20 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2008-12-19 03:01 <DIR> --d----- c:\windows\ie8updates

==================== Find3M ====================

2008-11-06 11:35 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-06 11:35 200,704 a------- c:\windows\system32\ssldivx.dll
2008-10-26 05:24 4,844 a------- c:\windows\mozver.dat
2008-05-10 01:01 577,536 a------- c:\documents and settings\hp_administrator\GoToAssist_phone__317_en.exe

============= FINISH: 9:07:17.70 ===============
Attached Files
File Type: zip Attach.zip (4.7 KB, 2 views)
kwu1993 is offline  
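As an added triage example (not part of this thread, nor code from DDS or ComboFix), the Python below parses the kind of log posted above and pulls out the two indicators that matter most here: executables running out of the user's Temp folder, and the policy and Security Center values (DisableTaskMgr, DisableRegistryTools, the *DisableNotify/*Override dwords) that lock the user out or silence warnings. The sample input is excerpted from the DDS log above and from the ComboFix registry dump posted later in the thread; the value-name heuristics (`LOCKS_WHEN_SET`, `WEAKENS_WHEN_CLEARED`) are this example's own.

```python
"""Triage a DDS log (and a ComboFix registry dump) for the two indicators that stand out
in this thread: executables running from the user's Temp folder, and policy / Security
Center values that disable Task Manager and Regedit or silence protection warnings."""
import re
from typing import Dict, Iterable, List

# Excerpt of the DDS log posted above (lines taken from the thread, trimmed).
SAMPLE_DDS_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wincrwmvs.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\iqklxg.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)

============= FINISH: 9:07:17.70 ===============
"""
# Excerpt of the ComboFix "Reg Loading Points" section posted later in the thread.
SAMPLE_COMBOFIX_EXCERPT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")  # "=== Running Processes ==="
TEMP_DIR_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
DDS_POLICY_RE = re.compile(r"^[um]Policies-\w+:\s*(\w+)\s*=\s*(\d+)")  # uPolicies-system: X = 1 (0x1)
REG_VALUE_RE = re.compile(r'^"(\w+)"\s*=\s*(dword:)?([0-9A-Fa-f]+)')  # "X"= 1 (0x1) or "X"=dword:00000001
# Name heuristics are this example's own: restrictive when non-zero, weakened when zero.
LOCKS_WHEN_SET = re.compile(r"^(?:Disable\w*|No\w+|\w*DisableNotify|\w*Override)$")
WEAKENS_WHEN_CLEARED = re.compile(r"^Enable\w+$")


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the '=== Title ===' banner they follow."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def find_temp_executables(process_lines: Iterable[str]) -> List[str]:
    """Running-process entries launched from the per-user Temp folder."""
    return [line for line in process_lines if TEMP_DIR_RE.search(line)]


def find_lockout_values(lines: Iterable[str]) -> Dict[str, int]:
    """Policy / Security Center values that lock the user out or hide warnings."""
    found: Dict[str, int] = {}
    for line in lines:
        dds = DDS_POLICY_RE.match(line)
        if dds:
            name, value = dds.group(1), int(dds.group(2))
        else:
            reg = REG_VALUE_RE.match(line)
            if not reg:
                continue
            # REGEDIT4 dwords are hex; ComboFix's '= 1 (0x1)' form is decimal.
            name, value = reg.group(1), int(reg.group(3), 16 if reg.group(2) else 10)
        if (LOCKS_WHEN_SET.match(name) and value != 0) or (
            WEAKENS_WHEN_CLEARED.match(name) and value == 0
        ):
            found[name] = value
    return found


def triage(*logs: str) -> Dict[str, object]:
    """Run both checks over any number of DDS / ComboFix logs and merge the findings."""
    temp_executables: List[str] = []
    lockouts: Dict[str, int] = {}
    for log in logs:
        sections = split_sections(log)
        temp_executables += find_temp_executables(sections.get("Running Processes", []))
        lockouts.update(find_lockout_values(l for lines in sections.values() for l in lines))
    return {"temp_executables": temp_executables, "lockout_values": lockouts}


if __name__ == "__main__":
    report = triage(SAMPLE_DDS_LOG, SAMPLE_COMBOFIX_EXCERPT)
    print("Running from Temp:", *report["temp_executables"], sep="\n  ")
    print("Lockout / weakened values:", *[f"{k} = {v}" for k, v in report["lockout_values"].items()], sep="\n  ")
```

Point `triage()` at the full text of a saved DDS.txt and ComboFix.txt to get the same two lists for a real log.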

Old 01-18-2009, 06:22 PM   #2 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

This might be a little too early to bump, but it has been 8 days since my first thread, this being #2 with updated logs, and the condition of my computer has worsened. I don't even know what I'm infected with anymore, because after uninstalling Spybot and avast!, something is preventing me from downloading and installing any other virus protection software.

I can't install Spybot S&D, can't even visit the Kaspersky webpage, Ad-Aware won't install, and the Shield Deluxe 2009 trial won't install. I don't want to bother with any more AV software, since they're most likely not going to help. Task Manager and Regedit are both disabled, and my internet has been going on and off tonight. (I'm being disconnected on AIM every so often, while my dad is doing fine on the brand new laptop he purchased at Circuit City.)

I tried doing a system recovery, but it failed to get rid of the infections. I don't have a system restore point to restore to, so that's not even an option. I'm not sure why I'm not getting any replies; if there's something preventing the staff from giving me assistance, please point it out so I can either try to resolve it, or so I don't have to keep checking this thread.

Last edited by kwu1993; 01-18-2009 at 06:32 PM.
kwu1993 is offline  
Old 01-18-2009, 08:09 PM   #3 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,665
OS: XP SP3


Re: Taskmgr + Regedit Disabled

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

The reason you probably didn't get a reply is that there was no antivirus program showing in your log, and you didn't explain why until your second post. Helpers sometimes pass over logs with no antivirus program running.

Please keep this computer offline unless posting in the forum or downloading tools, until we get an antivirus program installed.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 01-18-2009, 08:46 PM   #4 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

Thanks for the quick reply; you don't know how worried I am. My task bar suddenly went back in time, and it looks like I'm running a Windows 98 task bar! Running ComboFix now!

Edit: Hey chemist, I'm on my laptop editing this post. ComboFix is running, with a little pause at stage 50; not too sure why. I'll be using this laptop for web browsing and checking on this thread from now on. This laptop needs serious help too, since I keep getting BSODs and it lags horribly. I might make a post in the meantime, since my desktop's running ComboFix.

(My dad used this laptop for a while, and I have no idea what he did with it. He bought a new notebook yesterday, so I can use this for simple web browsing.)

Last edited by kwu1993; 01-18-2009 at 08:59 PM.
kwu1993 is offline  
Old 01-18-2009, 09:10 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

Alas! ComboFix has finished! Here's the log; I'm not sure whether you wanted it attached or not, but since you said post, I'll just post it.

ComboFix 09-01-18.01 - HP_Administrator 2009-01-18 22:49:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1532 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: The Shield Deluxe 2009 *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\program files\Common Files\ystem3~1
c:\program files\wnsxs~1
c:\temp\tn3
c:\temp\vtmp2
c:\temp\vtmp2\ktnv33.log
c:\windows\asks~1
c:\windows\asks~1\?asks\
c:\windows\IE4 Error Log.txt
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\struct~.ini
c:\windows\wiaservv.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-18 22:43 . 2009-01-18 22:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-18 22:43 . 2009-01-18 22:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-18 21:48 . 2009-01-18 21:49 <DIR> d-------- c:\program files\CCleaner
2009-01-18 20:33 . 2003-07-17 13:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-01-18 20:33 . 2005-01-01 04:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-01-18 20:13 . 2009-01-18 20:13 96,976 --a------ c:\windows\system32\drivers\klin.dat
2009-01-18 20:13 . 2009-01-18 20:13 87,855 --a------ c:\windows\system32\drivers\klick.dat
2009-01-18 20:12 . 2009-01-18 20:12 <DIR> d-------- c:\program files\PCSecurityShield
2009-01-18 20:12 . 2009-01-18 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSecurityShield
2009-01-18 20:12 . 2009-01-18 23:03 2,480,160 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-01-18 20:12 . 2009-01-18 23:04 23,328 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-01-18 20:12 . 2009-01-18 21:33 3,044 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-01-18 20:12 . 2009-01-18 21:33 2,228 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-01-18 20:11 . 2009-01-18 20:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSecurityShield Setup Files
2009-01-18 18:58 . 2008-06-17 19:28 710,064 --a------ c:\windows\system32\ijjiSetup.exe
2009-01-18 18:58 . 2008-04-23 14:02 157,152 --a------ c:\windows\system32\PubPlugin.dll
2009-01-18 18:58 . 2008-06-11 23:01 58,800 --a------ c:\windows\system32\ijjiPlugin2.dll
2009-01-18 16:56 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2009-01-18 16:56 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-18 16:56 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-18 16:56 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-18 16:56 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-18 16:56 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-01-18 16:56 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-18 16:56 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-18 16:56 . 2008-10-16 08:11 34,304 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-18 16:49 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-01-18 16:49 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-01-18 16:32 . 2008-08-14 05:00 2,180,352 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-18 16:32 . 2008-08-14 04:58 2,136,064 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-18 16:32 . 2008-08-14 04:22 2,057,728 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-18 16:32 . 2008-08-14 04:22 2,015,744 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-18 15:22 . 2009-01-18 15:22 <DIR> d-------- c:\program files\Sony Setup
2009-01-18 15:22 . 2009-01-18 15:22 <DIR> d-------- c:\program files\Sony
2009-01-18 14:43 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-18 14:26 . 2001-08-17 16:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-18 14:26 . 2001-08-17 17:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-18 14:00 . 2009-01-18 14:00 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-18 13:59 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-18 13:45 . 2009-01-18 13:46 <DIR> d-------- c:\windows\system32\URTTemp
2009-01-18 13:23 . 2009-01-18 17:44 <DIR> dr-hs---- c:\windows\system32\dllcache
2009-01-18 13:04 . 2009-01-18 21:35 25,600 --a------ c:\windows\system32\wcdrtc32.dll
2009-01-18 13:04 . 2009-01-18 21:35 17,876 --ah----- c:\windows\system32\wcdrtc32.dl_
2009-01-18 13:03 . 2009-01-18 13:03 1,901 -rahs---- c:\windows\system32\drivers\103C_HP_CPC_EX276AA-ABA a1540n_YC_0Pavi_QCNH625_E63NAemMPA2_48_INODUSM_SASUSTek Computer INC._V1.03_B3.04_T060614_WXP2_L409_M1983_J250_7AMD_8Athlon 64 X2 Dual Core_92.2_#060810_N_Z14F12F20_G10DE0241.MRK
2009-01-18 13:01 . 2006-05-23 22:42 <DIR> d-------- c:\documents and settings\HP_Administrator\WINDOWS
2009-01-18 13:01 . 2009-01-18 16:47 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Symantec
2009-01-18 13:01 . 2006-05-23 22:44 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Intuit
2009-01-18 13:01 . 2009-01-18 16:48 <DIR> d-------- c:\documents and settings\HP_Administrator
2009-01-18 12:59 . 2006-05-23 22:42 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-01-18 12:59 . 2006-05-23 23:06 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-01-18 12:59 . 2006-05-23 22:44 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Intuit
2009-01-15 04:44 . 2009-01-15 04:44 <DIR> d-------- c:\program files\VSTplugins
2009-01-15 04:34 . 2009-01-15 04:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-01-15 04:00 . 2009-01-15 04:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-01-15 03:51 . 2009-01-18 13:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-15 03:46 . 2009-01-15 03:46 <DIR> d-------- c:\program files\Bonjour
2009-01-15 03:35 . 2009-01-15 03:35 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-01-15 02:40 . 2009-01-15 02:51 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-01-15 02:39 . 2009-01-18 14:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-15 02:37 . 2009-01-15 02:37 <DIR> dr-h----- C:\MSOCache
2009-01-10 23:48 . 2009-01-10 23:53 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Lavasoft
2009-01-10 19:36 . 2009-01-10 19:36 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-10 19:36 . 2009-01-10 19:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 03:23 . 2009-01-17 09:14 250 --a------ c:\windows\gmer.ini
2009-01-10 02:36 . 2009-01-10 02:36 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\True Sword
2009-01-10 01:12 . 2009-01-10 01:12 <DIR> d-------- C:\EmergencyUtils
2009-01-09 17:50 . 2009-01-09 17:57 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\U3
2009-01-09 02:19 . 2009-01-09 02:19 <DIR> d-------- c:\program files\NOS
2009-01-09 02:19 . 2009-01-09 02:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-09 01:39 . 2009-01-09 01:39 <DIR> d-------- c:\program files\MSBuild
2009-01-09 00:24 . 2009-01-09 00:55 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-08 23:45 . 2009-01-08 23:45 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Sony
2009-01-08 23:45 . 2009-01-08 23:45 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Publish Providers
2009-01-08 22:08 . 2009-01-08 22:08 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Sony Setup
2009-01-08 03:32 . 2009-01-18 14:32 <DIR> d-------- C:\Fraps
2009-01-02 22:56 . 2009-01-02 22:57 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\vlc
2008-12-30 10:27 . 2008-12-30 10:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
2008-12-30 10:09 . 2008-12-30 10:09 <DIR> d-------- c:\program files\SystemRequirementsLab
2008-12-30 08:16 . 2009-01-18 13:53 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Aim
2008-12-30 06:51 . 2009-01-10 23:53 <DIR> d-------- c:\program files\Lavasoft
2008-12-20 20:13 . 2008-12-21 15:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
2008-12-19 12:45 . 2008-12-19 12:45 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-12-19 03:01 . 2008-12-25 09:13 <DIR> d-------- c:\windows\ie8updates

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 23:30 --------- d-----w c:\program files\HP Games
2009-01-18 23:29 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-18 21:51 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-18 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-18 20:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-18 19:40 --------- d-----w c:\program files\Microsoft Works
2009-01-17 04:58 --------- d-----w c:\program files\Boletrice AIM Fader
2009-01-15 19:54 --------- d-----w c:\program files\DivX
2009-01-15 12:50 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Xfire
2009-01-15 11:10 --------- d-----w c:\program files\Xfire
2009-01-15 09:40 --------- d-----w c:\program files\Vodei
2009-01-14 10:10 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-01-14 10:00 --------- d-----w c:\program files\uTorrent
2009-01-11 04:50 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-10 17:39 --------- d-----w c:\program files\XviD
2008-12-29 15:11 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-22 03:11 --------- d--h--w c:\documents and settings\HP_Administrator\Application Data\ijjigame
2008-12-21 22:50 --------- d-----w c:\program files\MediaInfo
2008-12-21 22:50 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Netscape
2008-12-14 13:00 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\gtk-2.0
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-12-08 12:20 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2008-12-04 11:42 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 20:26 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Ventrilo
2008-11-24 00:28 --------- d-----w c:\program files\Ventrilo
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-05-10 06:01 577,536 ----a-w c:\documents and settings\HP_Administrator\GoToAssist_phone__317_en.exe
2008-12-29 14:39 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-29 14:39 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-29 14:39 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-29 14:39 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-29 14:39 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-18 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 108840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-18 210328]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 134144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-23 36903]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\windows\\i386\\winnt32.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55555:TCP"= 55555:TCP:BitComet 55555 TCP
"55555:UDP"= 55555:UDP:BitComet 55555 UDP

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lmrhgn.sys --> c:\windows\system32\drivers\lmrhgn.sys [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S3 dump_wmimmc;dump_wmimmc;\??\c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys --> c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - APPMGMT
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4136239115-1155340432-2530458903-1008.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-18 20:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: *.trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 23:03:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\klogon.dll
.
Completion time: 2009-01-18 2347
ComboFix-quarantined-files.txt 2009-01-19 0431

Pre-Run: 142,093,692,928 bytes free
Post-Run: 143,384,395,776 bytes free

267 --- E O F --- 2009-01-18 22:42:51
kwu1993 is offline  
Old 01-18-2009, 10:11 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,665
OS: XP SP3


Re: Taskmgr + Regedit Disabled

Hello kwu1993.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

I see you have WildTangent Web Driver installed on your system. Although not technically spyware, it does have built-in components to update itself and collect information about your computer. We recommend uninstalling it. Please read here for information, removal instructions, and a link to an automatic removal tool.

If you uninstall it, delete the following Folder if it still exists:

C:\Program Files\WildTangent

------------------------------------------------------

I see you have P2P software ( uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335753-taskmgr-regedit-disabled.html#post1920539

Collect::
c:\windows\system32\wcdrtc32.dll
c:\windows\system32\wcdrtc32.dl_

Folder::
c:\documents and settings\HP_Administrator\Application Data\Symantec
c:\windows\system32\config\systemprofile\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Symantec

Driver::
abp470n5
dump_wmimmc

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55555:TCP"=-
"55555:UDP"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
"UacDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"UacDisableNotify"=dword:00000000

DDS::
Trusted Zone: *.trymedia.com
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
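The CFScript above works by deleting or zeroing a handful of registry values that the infection set: the HKCU policies that disable Task Manager and Registry Editor, the Security Center "DisableNotify"/"Override" values that silence antivirus and firewall warnings, and the firewall exceptions. Those same values are what an analyst reads off the "Reg Loading Points" section of a ComboFix log to decide whether a fix worked. The following is an added example, not code from this thread or from ComboFix: a small Python parser for that REGEDIT4-style section that flags these indicators and reports which of them survive a fix. The function names are my own, and the two log excerpts are constructed, modelled on the entries quoted in this thread.

```python
"""Flag tampering indicators in the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix. The log excerpts below are
constructed samples modelled on the entries quoted in the thread; function names are mine.
"""
import re

# Constructed sample: the section as it looked before the CFScript fix.
SAMPLE_LOG_BEFORE = r"""
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\winewqgq.exe"=
"""

# Constructed sample: after the fix the Security Center values are gone, but the
# policy values have been re-set (the behaviour the poster describes).
SAMPLE_LOG_AFTER = r"""
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')

POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
SECURITY_CENTER_KEYS = (
    r"hkey_local_machine\software\microsoft\security center",
    r"hkey_local_machine\software\microsoft\security center\svc",
)
FIREWALL_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
AUTHORIZED_APPS_KEY = FIREWALL_KEY + r"\authorizedapplications\list"


def parse_value(raw):
    """Normalise ComboFix's two value renderings ('dword:00000001' and '1 (0x1)') to int."""
    if raw == "":
        return None                      # bare 'name'= entries carry no data
    m = re.fullmatch(r'dword:([0-9a-fA-F]{8})', raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'(\d+)\s*\(0x[0-9a-fA-F]+\)', raw)
    if m:
        return int(m.group(1))
    return raw                           # anything else is kept verbatim


def parse_reg_loading_points(text):
    """Return {lower-cased key path: {value name: parsed value}} for a REGEDIT4-style dump."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = parse_value(m.group(2))
    return sections


def find_indicators(sections):
    """List human-readable findings for the values this thread's fix targets."""
    findings = []
    policy = sections.get(POLICY_KEY, {})
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if policy.get(name) == 1:
            findings.append(f"{name}=1 under HKCU policies\\system (tool disabled by policy)")
    for key in SECURITY_CENTER_KEYS:
        for name, value in sections.get(key, {}).items():
            if (name.endswith("DisableNotify") or name.endswith("Override")) and value == 1:
                findings.append(f"{name}=1 under {key} (Security Center alerting suppressed)")
    if sections.get(FIREWALL_KEY, {}).get("EnableFirewall") == 0:
        findings.append("EnableFirewall=0 (Windows Firewall standard profile is off)")
    for app in sections.get(AUTHORIZED_APPS_KEY, {}):
        if re.search(r'\\temp\\', app, re.IGNORECASE):   # exceptions for Temp-folder binaries
            findings.append(f"firewall exception for an executable in a Temp folder: {app}")
    return findings


def persisting_indicators(before_text, after_text):
    """Findings present in both logs, i.e. what the fix did not clear (or what came back)."""
    before = set(find_indicators(parse_reg_loading_points(before_text)))
    after = set(find_indicators(parse_reg_loading_points(after_text)))
    return sorted(before & after)


if __name__ == "__main__":
    for f in find_indicators(parse_reg_loading_points(SAMPLE_LOG_BEFORE)):
        print("before:", f)
    for f in persisting_indicators(SAMPLE_LOG_BEFORE, SAMPLE_LOG_AFTER):
        print("still present after fix:", f)
```

Run against the two constructed excerpts, the "before" log yields six findings and three of them persist in the "after" log: the two policy values and the disabled firewall. A policy value that is removed by the script and is back on the next run points to a still-active process re-applying it, which is why the helper's next step is to look at what is running rather than to delete the value again.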
Old 01-18-2009, 10:50 PM   #7 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

Thanks chemist, I really appreciate you helping me out. I'm going to enroll myself in the Academy, or try to. I'll have my laptop open while I'm carrying out the procedures. I have no idea where WildTangent came from, and I've never used uTorrent before, so I'll have both uninstalled. I'll get back to you ASAP!

Edit: For WildTangent, do I have to uninstall all of it or just the web driver? There are a few offline games in the same folder I would like to keep, but that's a luxury I don't need. If it's recommended I uninstall everything along with the web driver, I will. <- After uninstalling just the web driver, WildTangent disappeared from Add/Remove programs, so I don't know what to do.

Edit2: I can't find uTorrent in my Add/Remove programs window, probably because I ran a system recover. A lot of installed programs don't show up after a system recovery. I'll proceed without removing uTorrent until further notice. Moving on to run CFScript now!

Last edited by kwu1993; 01-18-2009 at 11:18 PM.
kwu1993 is offline  
Old 01-18-2009, 11:33 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

Alright, so chemist, here's the deal. I think I might've done something wrong, but I don't know for sure. The first time I downloaded ComboFix was when you first requested me to; I ran it and posted the log. Then, without thinking, I dumped ComboFix. When I realized I needed it again, I downloaded a new copy and dragged the script into the new ComboFix. I noticed you said that after deleting and doing its job, ComboFix would restart my computer, which it did, and give me a log, which it did. However, it did not give me an option to send in information for analysis. Task manager and regedit are both still disabled by administrator.

Here is the log: (I'm not sure whether I did anything wrong, please inform me if I did.)

ComboFix 09-01-18.01 - HP_Administrator 2009-01-19 1:16:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1551 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: The Shield Deluxe 2009 *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Symantec\DSA\V_G\DSASL.xml
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PEPCollectors\HBPep1.5_{F073BDC9-0D67-4ff0-879E-27241C843828}.dat
c:\documents and settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PEPCollectors\Pep1.5_{F073BDC9-0D67-4ff0-879E-27241C843828}.dat
c:\documents and settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PEPCollectors\System_.dat
c:\documents and settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PEPCollectors\System_.tmp
c:\documents and settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\PollManager_Current.dat
c:\documents and settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\PollManager_Job.dat
c:\documents and settings\All Users\Application Data\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\SVAR\SVAR_{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}.dat
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\BBValid.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\Shl_{00060EAD-5F56-4A55-9627-55B85289B57C}.sds
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\Shl_{1FBB2336-F761-49C2-9860-DF23F5FB7399}.sds
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\Shl_{2BD24D25-0660-42CB-9F52-BB5CFCE5EF2A}.sds
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\SPStart.log
c:\documents and settings\All Users\Application Data\Symantec\SPBBC\SPStop.log
c:\documents and settings\All Users\Application Data\Symantec\wcid0.log
c:\documents and settings\HP_Administrator\Application Data\Symantec
c:\documents and settings\HP_Administrator\Application Data\Symantec\Cleanup\cuUser.cfg
c:\windows\system32\config\systemprofile\Application Data\Symantec
c:\windows\system32\config\systemprofile\Application Data\Symantec\PendingAlertsQueue.log
c:\windows\system32\wcdrtc32.dl_
c:\windows\system32\wcdrtc32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Legacy_DUMP_WMIMMC
-------\Service_abp470n5
-------\Service_dump_wmimmc


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-19 01:09 . 2009-01-19 01:09 <DIR> d-------- c:\program files\Trend Micro
2009-01-18 22:43 . 2009-01-18 22:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-18 22:43 . 2009-01-18 22:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-18 20:33 . 2003-07-17 13:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-01-18 20:33 . 2005-01-01 04:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-01-18 18:58 . 2008-06-17 19:28 710,064 --a------ c:\windows\system32\ijjiSetup.exe
2009-01-18 18:58 . 2008-04-23 14:02 157,152 --a------ c:\windows\system32\PubPlugin.dll
2009-01-18 18:58 . 2008-06-11 23:01 58,800 --a------ c:\windows\system32\ijjiPlugin2.dll
2009-01-18 16:56 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2009-01-18 16:56 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-18 16:56 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-18 16:56 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-18 16:56 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-18 16:56 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-01-18 16:56 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-18 16:56 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-18 16:56 . 2008-10-16 08:11 34,304 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-18 16:49 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-01-18 16:49 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-01-18 16:32 . 2008-08-14 05:00 2,180,352 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-18 16:32 . 2008-08-14 04:58 2,136,064 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-18 16:32 . 2008-08-14 04:22 2,057,728 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-18 16:32 . 2008-08-14 04:22 2,015,744 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-18 15:22 . 2009-01-18 15:22 <DIR> d-------- c:\program files\Sony Setup
2009-01-18 15:22 . 2009-01-18 15:22 <DIR> d-------- c:\program files\Sony
2009-01-18 14:43 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-01-18 14:26 . 2001-08-17 16:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-18 14:26 . 2001-08-17 17:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-18 14:00 . 2009-01-18 14:00 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-18 13:59 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-18 13:45 . 2009-01-18 13:46 <DIR> d-------- c:\windows\system32\URTTemp
2009-01-18 13:23 . 2009-01-18 17:44 <DIR> dr-hs---- c:\windows\system32\dllcache
2009-01-18 13:03 . 2009-01-18 13:03 1,901 -rahs---- c:\windows\system32\drivers\103C_HP_CPC_EX276AA-ABA a1540n_YC_0Pavi_QCNH625_E63NAemMPA2_48_INODUSM_SASUSTek Computer INC._V1.03_B3.04_T060614_WXP2_L409_M1983_J250_7AMD_8Athlon 64 X2 Dual Core_92.2_#060810_N_Z14F12F20_G10DE0241.MRK
2009-01-18 13:01 . 2006-05-23 22:42 <DIR> d-------- c:\documents and settings\HP_Administrator\WINDOWS
2009-01-18 13:01 . 2006-05-23 22:44 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Intuit
2009-01-18 13:01 . 2009-01-18 16:48 <DIR> d-------- c:\documents and settings\HP_Administrator
2009-01-18 12:59 . 2006-05-23 22:42 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-01-18 12:59 . 2006-05-23 22:44 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Intuit
2009-01-15 04:44 . 2009-01-15 04:44 <DIR> d-------- c:\program files\VSTplugins
2009-01-15 04:34 . 2009-01-15 04:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-01-15 04:00 . 2009-01-15 04:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-01-15 03:51 . 2009-01-18 13:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-15 03:46 . 2009-01-15 03:46 <DIR> d-------- c:\program files\Bonjour
2009-01-15 03:35 . 2009-01-15 03:35 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-01-15 02:40 . 2009-01-15 02:51 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-01-15 02:39 . 2009-01-18 14:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-15 02:37 . 2009-01-15 02:37 <DIR> dr-h----- C:\MSOCache
2009-01-10 23:48 . 2009-01-10 23:53 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Lavasoft
2009-01-10 19:36 . 2009-01-10 19:36 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-10 19:36 . 2009-01-10 19:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 03:23 . 2009-01-17 09:14 250 --a------ c:\windows\gmer.ini
2009-01-10 02:36 . 2009-01-10 02:36 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\True Sword
2009-01-10 01:12 . 2009-01-10 01:12 <DIR> d-------- C:\EmergencyUtils
2009-01-09 17:50 . 2009-01-09 17:57 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\U3
2009-01-09 02:19 . 2009-01-09 02:19 <DIR> d-------- c:\program files\NOS
2009-01-09 02:19 . 2009-01-09 02:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-09 01:39 . 2009-01-09 01:39 <DIR> d-------- c:\program files\MSBuild
2009-01-09 00:24 . 2009-01-09 00:55 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-08 23:45 . 2009-01-08 23:45 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Sony
2009-01-08 23:45 . 2009-01-08 23:45 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Publish Providers
2009-01-08 22:08 . 2009-01-08 22:08 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Sony Setup
2009-01-08 03:32 . 2009-01-18 14:32 <DIR> d-------- C:\Fraps
2009-01-02 22:56 . 2009-01-02 22:57 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\vlc
2008-12-30 10:27 . 2008-12-30 10:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
2008-12-30 10:09 . 2008-12-30 10:09 <DIR> d-------- c:\program files\SystemRequirementsLab
2008-12-30 08:16 . 2009-01-18 13:53 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Aim
2008-12-30 06:51 . 2009-01-10 23:53 <DIR> d-------- c:\program files\Lavasoft
2008-12-20 20:13 . 2008-12-21 15:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
2008-12-19 12:45 . 2008-12-19 12:45 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-12-19 03:01 . 2008-12-25 09:13 <DIR> d-------- c:\windows\ie8updates

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 05:56 --------- d-----w c:\program files\WildTangent
2009-01-18 23:30 --------- d-----w c:\program files\HP Games
2009-01-18 23:29 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-18 21:51 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-18 20:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-18 19:40 --------- d-----w c:\program files\Microsoft Works
2009-01-17 04:58 --------- d-----w c:\program files\Boletrice AIM Fader
2009-01-15 19:54 --------- d-----w c:\program files\DivX
2009-01-15 12:50 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Xfire
2009-01-15 11:10 --------- d-----w c:\program files\Xfire
2009-01-15 09:40 --------- d-----w c:\program files\Vodei
2009-01-14 10:10 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-01-14 10:00 --------- d-----w c:\program files\uTorrent
2009-01-11 04:50 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-10 17:39 --------- d-----w c:\program files\XviD
2008-12-29 15:11 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-22 03:11 --------- d--h--w c:\documents and settings\HP_Administrator\Application Data\ijjigame
2008-12-21 22:50 --------- d-----w c:\program files\MediaInfo
2008-12-21 22:50 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Netscape
2008-12-14 13:00 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\gtk-2.0
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-12-08 12:20 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2008-12-04 11:42 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 20:26 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Ventrilo
2008-11-24 00:28 --------- d-----w c:\program files\Ventrilo
2008-05-10 06:01 577,536 ----a-w c:\documents and settings\HP_Administrator\GoToAssist_phone__317_en.exe
2008-12-29 14:39 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-29 14:39 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-29 14:39 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-29 14:39 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-29 14:39 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-18_23.04.39.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-01-19 06:23:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_264.dat
+ 2009-01-19 06:23:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a68.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-18 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 108840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-18 210328]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 134144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-23 36903]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\windows\\i386\\winnt32.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\winewqgq.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\winfkei.exe"=
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\sfqfax.exe"=


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4136239115-1155340432-2530458903-1008.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-18 20:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: *.trymedia.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 01:23:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\winewqgq.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\winfkei.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\sfqfax.exe
.
**************************************************************************
.
Completion time: 2009-01-19 1:30:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 06:30:30
ComboFix2.txt 2009-01-19 0448

Pre-Run: 152,267,522,048 bytes free
Post-Run: 152,155,783,168 bytes free

277 --- E O F --- 2009-01-18 22:42:51

Last edited by kwu1993; 01-18-2009 at 11:38 PM.
Old 01-19-2009, 05:12 AM   #9 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,665
OS: XP SP3


Re: Taskmgr + Regedit Disabled

Hello again, kwu1993.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please don't do any fixing on your own as it makes it very difficult for me to know if my fixes are working.

------------------------------------------------------

Quote:
it did not give me an option to send in information for analysis.
That's OK. We can submit the file another way:

There should be a file named [4]-Submit_date@time.zip located here:

C:\QooBox\Quarantine\[4]-Submit_Date@Time.zip

Please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

and include this link in the message:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335753-taskmgr-regedit-disabled.html#post1920539


Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
Driver::
ABP470N5

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\winewqgq.exe"=-
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\winfkei.exe"=-
"c:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\sfqfax.exe"=-
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

You have old versions of Java still installed. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and click on Add or Remove Programs
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name except Java(TM) 6 Update 11 which is the current version.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Keep Java(TM) 6 Update 11 as it is the current version.
  • Reboot your computer once all Java components are removed.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 01-19-2009, 08:09 AM   #10 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

Thanks chemist, I have successfully submitted the data, included the link and file. When I proceeded to run CF with your script, a prompt appeared offering me to update CF, at first I decided not to, but I guess I really should. Going to update and run CF.

I'm not too sure about Java, since it's not in my control panel. I did have Java Runtime Environment 5 update 10 or something which I uninstalled and updated yesterday. Like a lot of things, many of my installed software don't appear after a system recovery, which I ran yesterday morning due to worsening conditions of my computer. It didn't do much, but thankfully you came to pull me out of my hole that same night!

^Any advice or programs I can use to get everything I have installed back onto my Add/Remove programs panel?

Last edited by kwu1993; 01-19-2009 at 08:21 AM.
Old 01-19-2009, 08:59 AM   #11 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

My ability to edit has expired, so I'll make a second post. ComboFix seems like it's done, my computer is almost silent aside from the occasional split second chugging noise. I'm afraid to do anything.

ComboFix has already restarted my computer, but no log has appeared. It's been well over 30 minutes now.

Edit: My computer just went to standby and back. ComboFix is still running, preparing the log report like it has been doing for a while. (Does this have anything to do with the fact that I updated ComboFix? I'm starting to feel that that was a mistake on my part.)

Last edited by kwu1993; 01-19-2009 at 09:18 AM.
Old 01-19-2009, 10:18 AM   #12 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

Been over an hour, or two, I lost count. I'm going to shut down ComboFix in 30 minutes and disconnect my desktop from the internet if the log doesn't show up. ComboFix has been shut down, no log has been produced. I attempted to run the ATF Cleaner, but when I check select all, a ton of errors pop up. They're like, infinite if I didn't hold enter.

---------------------------------------
Exception EAccessViolation in modfle ATF-Cleaner.exe at 0040BBF6.
Acess violation at address 0040BBF6. Read of address 59F8B7E.

Exception EAccessViolation in modfle ATF-Cleaner.exe at 0040A224.
Acess violation at address 0040A224. Read of address 59E3BD4.

And 65 (and counting) error prompts with the same error layout, different addresses.
---------------------------------------

I'm not going to attempt and follow anymore directions until I get a reply from a professional. I don't want to skip any steps or do anything wrong.

Last edited by kwu1993; 01-19-2009 at 10:46 AM.
Old 01-19-2009, 11:38 AM   #13 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,665
OS: XP SP3


Re: Taskmgr + Regedit Disabled

Quote:
Any advice or programs I can use to get everything I have installed back onto my Add/Remove programs panel?
Since you have done a system recovery, we will essentially have to start all over. When you do a system recovery, you lose all your installed programs. You will have to re-install them after we are done.

Run dds and gmer again and post/attach the files as you did in your first post.
Old 01-19-2009, 11:48 AM   #14 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

Sorry about the inconvenience chemist. Really, I am.

The thing I don't understand is, why is it that some installed software remain to work, while others don't after a recovery. Turning desktop on right now and running dds and gmer.

Here it is!


DDS (Ver_09-01-18.01) - NTFSx86
Run by HP_Administrator at 13:56:33.14 on 2009-01-19
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1549 [GMT -5:00]

AV: The Shield Deluxe 2009 *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\hp_administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: trymedia.com
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lmrhgn.sys --> c:\windows\system32\drivers\lmrhgn.sys [?]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-01-19 10:28 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-01-19 10:13 161,792 a------- c:\windows\SWREG.exe
2009-01-19 10:13 458,240 a------- c:\windows\system32\CF26068.exe
2009-01-19 10:13 <DIR> --d----- C:\ComboFix
2009-01-19 10:10 98,816 a------- c:\windows\sed.exe
2009-01-19 10:03 17,876 a---h--- c:\windows\system32\wcdrtc32.dl_
2009-01-19 10:03 25,600 a------- c:\windows\system32\wcdrtc32.dll
2009-01-19 01:09 <DIR> --d----- c:\program files\Trend Micro
2009-01-18 22:43 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-18 22:43 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-18 22:43 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-18 20:33 4,682 a------- c:\windows\system32\npptNT2.sys
2009-01-18 20:33 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-01-18 18:58 157,152 a------- c:\windows\system32\PubPlugin.dll
2009-01-18 18:58 58,800 a------- c:\windows\system32\ijjiPlugin2.dll
2009-01-18 18:58 710,064 a------- c:\windows\system32\ijjiSetup.exe
2009-01-18 16:56 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-18 16:56 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-18 16:56 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2009-01-18 16:56 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-18 16:56 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-18 16:56 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-18 16:56 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2009-01-18 16:56 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-01-18 16:56 34,304 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-01-18 16:49 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-01-18 16:49 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-01-18 16:32 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-18 16:32 2,180,352 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-18 16:32 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-18 16:32 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-18 15:57 <DIR> --d----- c:\windows\system32\PreInstall
2009-01-18 15:22 <DIR> --d----- c:\program files\Sony
2009-01-18 15:22 <DIR> --d----- c:\program files\Sony Setup
2009-01-18 14:43 32,592 a------- c:\windows\system32\msonpmon.dll
2009-01-18 14:26 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-01-18 14:26 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-01-18 14:00 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-18 13:59 14,048 -------- c:\windows\system32\spmsg2.dll
2009-01-18 13:45 <DIR> --d----- c:\windows\system32\URTTemp
2009-01-18 13:23 <DIR> --dshr-- c:\windows\system32\dllcache
2009-01-18 13:22 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-01-18 13:05 <DIR> --dshr-- C:\cmdcons
2009-01-18 13:05 <DIR> --d----- c:\windows\setupupd
2009-01-18 13:03 1,901 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_EX276AA-ABA a1540n_YC_0Pavi_QCNH625_E63NAemMPA2_48_INODUSM_SASUSTek Computer INC._V1.03_B3.04_T060614_WXP2_L409_M1983_J250_7AMD_8Athlon 64 X2 Dual Core_92.2_#060810_N_Z14F12F20_G10DE0241.MRK
2009-01-18 13:01 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Intuit
2009-01-18 13:01 <DIR> --d----- c:\documents and settings\hp_administrator\WINDOWS
2009-01-18 13:01 <DIR> --d----- c:\documents and settings\HP_Administrator
2009-01-15 04:44 <DIR> --d----- c:\program files\VSTplugins
2009-01-15 04:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-01-15 03:46 <DIR> --d----- c:\program files\Bonjour
2009-01-15 03:35 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-15 02:40 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-01-10 19:36 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-01-10 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-10 03:23 250 a------- c:\windows\gmer.ini
2009-01-10 02:36 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\True Sword
2009-01-10 01:12 <DIR> --d----- C:\EmergencyUtils
2009-01-09 00:24 <DIR> --d----- c:\windows\SxsCaPendDel
2009-01-08 03:32 <DIR> --d----- C:\Fraps
2008-12-30 10:09 <DIR> --d----- c:\program files\SystemRequirementsLab
2008-12-30 06:51 <DIR> --d----- c:\program files\Lavasoft
2008-12-20 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-10-26 05:24 4,844 a------- c:\windows\mozver.dat
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-05-10 01:01 577,536 a------- c:\documents and settings\hp_administrator\GoToAssist_phone__317_en.exe

============= FINISH: 13:57:19.23 ===============
Attached Files
File Type: zip Attach.zip (5.6 KB, 2 views)

Last edited by kwu1993; 01-19-2009 at 12:15 PM.
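The CFScript in post #9 and the DDS log above target the same three things: the policy values that lock the user out of Task Manager and Regedit (uPolicies-system: DisableTaskMgr / DisableRegistryTools = 1), executables launched from the Temp folder, and the abp470n5 driver whose file DDS could not find. The following is an added example, not code from the thread, DDS or ComboFix: a small Python triage script that reads a log in the DDS layout and pulls out exactly those findings, then renders the policy part as a ComboFix "Registry::" block in the form the analyst used (a value set to - is deleted). The sample log is constructed from entries in the log posted above; the regexes, the lockout-policy list and the reading of a trailing [?] as "file not found on disk" are this example's own assumptions.

```python
import re

# Constructed sample in the DDS log layout used in this thread. The entries are
# copied from the log posted above; only the selection is ours.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\nvsvc32.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\winewqgq.exe
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\sfqfax.exe
C:\WINDOWS\Explorer.EXE

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)

============= SERVICES / DRIVERS ===============

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lmrhgn.sys --> c:\windows\system32\drivers\lmrhgn.sys [?]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "uPolicies-<key>: <name> = <value> (<hex>)"; the leading u/m is DDS's user/machine marker
POLICY_RE = re.compile(r"^([um])Policies-(\w+):\s*(\w+)\s*=\s*(\d+)")
# "R<n> <service>;<display name>;<image path ...>"
DRIVER_RE = re.compile(r"^R[0-4]\s+([^;]+);[^;]*;(.*)$")

# Policy values that lock a user out of their own admin tools (assumed list).
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD"}


def triage_dds(text):
    """Return the findings an analyst would act on first, keyed by category."""
    findings = {"policy_lockouts": [], "temp_processes": [], "missing_driver_files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # e.g. "=== Running Processes ==="
            section = m.group(1).lower()
            continue
        if section == "running processes":
            # Executables living in a Temp folder are the running payloads here.
            if "\\temp\\" in line.lower() and line.lower().endswith(".exe"):
                findings["temp_processes"].append(line)
            continue
        m = POLICY_RE.match(line)
        if m:
            scope, key, name, value = m.groups()
            if name in LOCKOUT_POLICIES and int(value) != 0:
                findings["policy_lockouts"].append({
                    "scope": "HKCU" if scope == "u" else "HKLM",
                    "key": key, "name": name, "value": int(value)})
            continue
        m = DRIVER_RE.match(line)
        # Assumption: a driver line ending in "[?]" instead of a date/size stamp
        # means DDS could not find the image file on disk.
        if m and m.group(2).rstrip().endswith("[?]"):
            findings["missing_driver_files"].append(m.group(1))
    return findings


def cfscript_policy_block(findings):
    """Render the lockouts as a 'Registry::' block in the thread's CFScript form."""
    by_key = {}
    for f in findings["policy_lockouts"]:
        hive = "HKEY_CURRENT_USER" if f["scope"] == "HKCU" else "HKEY_LOCAL_MACHINE"
        key = "[%s\\software\\microsoft\\windows\\currentversion\\policies\\%s]" % (hive, f["key"])
        by_key.setdefault(key, []).append('"%s"=-' % f["name"])   # "=-" deletes the value
    lines = ["Registry::"]
    for key, values in by_key.items():
        lines.append(key)
        lines.extend(values)
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage_dds(SAMPLE_DDS)
    for category, items in result.items():
        print(category, items)
    print(cfscript_policy_block(result))
```

Run against a real DDS.txt by reading the file into triage_dds(); the script only reports, so reviewing its output is still the analyst's job.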
Old 01-19-2009, 12:11 PM   #15 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,665
OS: XP SP3


Re: Taskmgr + Regedit Disabled

A System Recovery returns your computer to factory settings. Applications already installed at the factory remain, while any installed after you bought it are lost.
Old 01-19-2009, 12:17 PM   #16 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

Quote:
Originally Posted by chemist View Post
A System Recovery returns your computer to factory settings. Applications already installed at the factory remain, while any installed after you bought it are lost.
Really now, that's a bit odd. I'm not doubting you at all, please don't misunderstand, but some software like my Tudou Video Accelerator still works perfectly. The same goes for BitComet and Mozilla. Anyway, I've posted the new logs above!
Old 01-19-2009, 12:30 PM   #17 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,665
OS: XP SP3


Re: Taskmgr + Regedit Disabled

Did you do a System Recovery or a System Restore? They're not the same thing.
Old 01-19-2009, 12:34 PM   #18 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

Quote:
Originally Posted by chemist View Post
Did you do a System Recovery or a System Restore? They're not the same thing.
Recovery. I pressed F10 at startup, and did a destructive recovery. My system can't perform a system restore because I don't have a restore point.
Old 01-19-2009, 01:44 PM   #19 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,665
OS: XP SP3


Re: Taskmgr + Regedit Disabled

Hello again, kwu1993. It appears you did a repair install of Windows. A destructive recovery would have wiped your hard drive clean.

The reason some of your programs don't work is because of the infection you have.

I hate to be the bearer of bad news, but you have onboard a polymorphic file infector, Win32.Sality, which infects .exe and .scr files. Some of the files may be disinfectable, but others will be corrupted beyond repair. I can continue to try and clean this computer, however, you will have to reinstall one or more programs and I cannot guarantee the integrity of your system when we are done, nor can I guarantee that your system is clear of the infection.

Read here

As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. It can penetrate and infect .exe files inside compressed files too.

------------------------------------------------------

Win32.Sality is also a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

Please read this: When should I re-format? How should I reinstall?

------------------------------------------------------

Let me know what you decide.

------------------------------------------------------
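The backup rule above (copy documents, leave .exe and .scr behind, and don't copy archives that hold them) is easy to get wrong by hand. As an added example, not part of the thread and not any tool's code, here is a Python pre-check that walks a folder and sorts files into "safe to copy" and "skip, with a reason", looking inside .zip archives for .exe/.scr members. The sample folder is constructed in a temporary directory; treating .cab and .rar as uninspectable (and therefore skipped outright) is this example's own conservative choice, since the standard library cannot open them.

```python
import os
import shutil
import tempfile
import zipfile

INFECTABLE = {".exe", ".scr"}        # the file types the infector appends itself to
OPAQUE_ARCHIVES = {".cab", ".rar"}   # assumption: not inspectable here, so skipped outright


def executables_in_zip(path):
    """Names of .exe/.scr members inside a zip; an unreadable archive is reported as such."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n)[1].lower() in INFECTABLE]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def classify_for_backup(root):
    """Split every file under root into (safe, skipped); each skipped entry carries a reason."""
    safe, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in INFECTABLE:
                skipped.append((rel, "executable or screensaver; may carry the infector"))
            elif ext in OPAQUE_ARCHIVES:
                skipped.append((rel, "archive cannot be inspected here; may hold .exe/.scr"))
            elif ext == ".zip":
                bad = executables_in_zip(path)
                if bad:
                    skipped.append((rel, "zip contains " + ", ".join(bad)))
                else:
                    safe.append(rel)
            else:
                safe.append(rel)
    return sorted(safe), sorted(skipped)


def build_sample_tree():
    """Constructed sample: a small fake documents folder in a temp directory."""
    root = tempfile.mkdtemp(prefix="backup_check_")
    os.makedirs(os.path.join(root, "photos"))
    with open(os.path.join(root, "essay.doc"), "wb") as f:
        f.write(b"school paperwork")
    with open(os.path.join(root, "photos", "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ")
    with open(os.path.join(root, "screensaver.scr"), "wb") as f:
        f.write(b"MZ")
    with open(os.path.join(root, "driver.cab"), "wb") as f:
        f.write(b"MSCF")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", "tool notes")
        zf.writestr("helper.exe", "MZ")
    with zipfile.ZipFile(os.path.join(root, "notes.zip"), "w") as zf:
        zf.writestr("notes.txt", "just text")
    return root


def demo():
    """Build the sample tree, classify it, clean up, and return (safe, skipped)."""
    root = build_sample_tree()
    try:
        return classify_for_backup(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    safe, skipped = demo()
    print("copy:", safe)
    for rel, why in skipped:
        print("skip:", rel, "-", why)
```

Point classify_for_backup() at the real documents folder and copy only the "safe" list; the check is by file name and archive listing only, so it is a filter on what to carry over, not a scanner for the infection itself.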
Old 01-19-2009, 02:36 PM   #20 (permalink)
Registered User
 
Join Date: Apr 2008
Posts: 41
OS: XP SP2


Re: Taskmgr + Regedit Disabled

If a clean reformat is a must, I'll do it. I can't believe I have Win32.Sality. Are you 100% positive? Where could I have possibly gotten that ruddy piece of dirt?

I don't have much worth saving on my computer, aside from some old school paperwork, photos, and videos.

Please do your best to help me disinfect as many files as you can, and we'll see what happens from there. (If you feel that it's a useless attempt, please do tell me.) I noticed you said some files would be corrupt beyond repair, couldn't I just delete those files permanently from my system?

Also

Do I need a Windows XP cd to reformat? Because if I remembered correctly, I don't have a Windows XP cd, because when I purchased my computer at Best Buy, it wasn't included. Before reformatting, I'm going to have to go and purchase a flash drive.

Last edited by kwu1993; 01-19-2009 at 02:53 PM.