
Infected With Autorun/TaskManager/Regedit Disabling stuff


  • This topic is locked
2 replies to this topic

#1 aslk76

  • Members
  • 2 posts

Posted 31 October 2009 - 01:59 PM

Hello there, respected Helper,
I have the following issue/problem on 3 different computers of mine. One of them I formatted the hell out of, losing all my data (e.g. full HDD re-partition), and it's gone from there; the second one I did a System Restore on, and that solved the issue there; now this one, which is my 3rd, I can't System Restore because apparently it was turned off, so I don't have any restore points, and formatting I can't even think about here :(
My problem started with my first laptop (source of infection) not connecting to the wireless network, so I went to Device Manager to check if the drivers went missing or something like that. When I opened it, I had Notepad open with a file called "mmc" with some weird text in it instead of the actual Device Manager. At that point I tried to run an antivirus scan, which didn't help me and eventually got me to format my laptop, but before that I moved a couple of pictures/videos which I couldn't afford to lose to this computer with a USB flash disk, and the moment I inserted the flash disk on this PC my BitDefender went crazy telling me that it Blocked/Removed [driveletter]:\autorun.inf (Trojan.Autorun.AKY), and it kept spamming.
I tried to search for a solution for this and installed many applications (e.g. Exterminator, MBAM, SAS, Ad-Aware...). They all found stuff but couldn't remove anything, basically because my RegEdit isn't working ("Registry editing has been disabled by your administrator"), same with Task Manager, which I can't open up. Now I did the DDS + RootRepeal, but I have uninstalled everything I have, including my antivirus (BitDefender), and only have Windows Firewall "on". Sorry for the wall of text, but I'm trying to explain as much as I can.

---------------------------------------------------------------------------------------------------


DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 20:24:55.04 on Sat 10/31/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1256.962.1033.18.1534.1009 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\DOCUME~1\User\LOCALS~1\Temp\svchost.com
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\System\cftmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Documents and Settings\User\Desktop\dds.EXE

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mWinlogon: Shell=explorer.exe c:\windows\system32\fdisk.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\fdisk.com
uWindows: run=c:\docume~1\user\locals~1\temp\svchost.com
uWindows: load=c:\docume~1\user\locals~1\temp\svchost.com
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [User Agent] c:\docume~1\user\locals~1\temp\svchost.com
uRun: [HotKey] c:\documents and settings\user\templates\cache\SFCsrvc.pif
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [HotKey] c:\documents and settings\user\templates\cache\SFCsrvc.pif
mRun: [User Agent] c:\windows\system32\fdisk.com
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\user\start menu\programs\startup\sndvol32.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\sndvol32.exe
uPolicies-explorer: NofolderOptions = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
IFEO: ashdisp.exe - notepad
IFEO: AVGNT.EXE - notepad
IFEO: AVP.EXE - notepad
IFEO: mmc.exe - notepad
IFEO: msconfig.exe - notepad

Note: multiple IFEO entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\user\locals~1\temp\dca33.tmp --> c:\docume~1\user\locals~1\temp\DCA33.tmp [?]
S3 ncvhook;ncvhook;c:\windows\system32\drivers\ncvhook.sys [2009-8-25 3200]
S4 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]

=============== Created Last 30 ================

2009-10-31 18:15:23 19968 ----a-w- c:\windows\system32\SKYNETwsp.dll
2009-10-31 18:15:18 22016 ----a-w- c:\windows\system32\drivers\extit.sys
2009-10-31 18:15:11 1433 ----a-w- c:\windows\system32\SKYNETlog.dat
2009-10-31 18:07:34 19968 ----a-w- c:\windows\system32\SKYNETbpxmdxnx.dll
2009-10-31 18:07:33 1016 ----a-w- c:\windows\system32\SKYNETipuftkox.dat
2009-10-31 18:07:00 43520 ----a-w- c:\windows\system32\SKYNETvsgxeixj.dll
2009-10-31 16:39:34 0 d-----w- C:\New Folder
2009-10-31 16:21:32 288 --sha-r- C:\autorun.inf
2009-10-31 13:47:27 0 d-----w- c:\program files\Exterminate It!
2009-10-31 12:56:28 146432 ----a-w- c:\windows\regedit.com
2009-10-31 10:32:00 662 ----a-w- c:\windows\wininit.ini
2009-10-31 08:02:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-31 08:02:27 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-31 08:02:27 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-10-31 07:52:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Autorun Eater
2009-10-31 07:42:35 284675 --sha-r- C:\Thumbs.db
2009-10-31 07:42:35 0 d-sha-r- C:\$RECYCLE.BIN
2009-10-31 07:42:28 284675 --sha-r- c:\windows\system32\fdisk.com
2009-10-30 10:42:30 0 d-----w- c:\docume~1\user\applic~1\Subversion
2009-10-30 10:41:47 0 d-----w- c:\program files\GUI Design Studio
2009-10-27 18:45:09 0 d-----w- C:\database
2009-10-27 18:44:45 0 d-----w- c:\program files\faisal_khader
2009-10-27 18:44:21 0 d-----w- c:\program files\common files\Business Objects
2009-10-22 12:32:48 237568 ----a-w- c:\windows\system\glut32.dll
2009-10-22 12:17:43 143360 ----a-w- c:\windows\system32\isdbgi51.dll
2009-10-22 12:17:43 0 d-----w- C:\My Installations
2009-10-22 12:17:43 0 ----a-w- c:\windows\Isdbg.ini
2009-10-22 12:17:34 0 d-----w- c:\program files\InstallShield
2009-10-22 12:12:19 126 ----a-w- c:\windows\mdm.ini
2009-10-22 12:10:40 0 d-----w- c:\program files\Web Publish
2009-10-12 13:10:59 56320 ------w- c:\windows\system32\iyvu9_32.dll
2009-10-12 13:10:59 136704 ----a-w- c:\windows\system32\iacenc.dll
2009-10-12 13:10:58 0 d-----w- c:\program files\Ligos
2009-10-12 13:06:53 0 d-----w- c:\program files\Disney Interactive
2009-10-12 12:25:16 1344 ----a-w- c:\windows\disney.ini
2009-10-12 12:25:13 0 d-----w- c:\documents and settings\user\WINDOWS
2009-10-12 12:25:11 203 ----a-w- c:\windows\disneysy.ini
2009-10-12 07:12:12 4096 ----a-w- c:\windows\d3dx.dat
2009-10-12 07:11:24 0 d-----w- c:\program files\directx
2009-10-12 06:07:44 0 d-----w- c:\program files\Steam
2009-10-11 19:34:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-10-11 19:34:31 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-10-11 13:19:19 221 ----a-w- c:\windows\NCLogConfig.ini

==================== Find3M ====================

2009-10-31 18:06:00 67584 ----a-w- c:\windows\system32\drivers\SKYNETkbekvdna.sys
2009-10-31 16:58:59 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-02 07:52:42 139264 ----a-w- c:\windows\system32\hpzjrd01.dll
2009-08-25 12:15:31 1536 ----a-w- c:\windows\system32\bcevent.dll
2009-08-24 11:42:31 112884 ----a-w- c:\windows\hpoins07.dat
2009-05-02 08:48:47 438592 ----a-w- c:\program files\msgr9us.exe

============= FINISH: 20:26:30.89 ===============



Thanks in advance.
Regards.
Qais(ASLK76)
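The log above shows the whole persistence and lock-out chain in a few lines: extra executables appended to the Winlogon Shell and Userinit values, the legacy win.ini run=/load= entries pointing into Temp, Run keys launching svchost.com and a .pif from user-writable folders, the DisableTaskMgr / DisableRegistryTools / NofolderOptions policies, and IFEO Debugger entries that make AVP.EXE, AVGNT.EXE, ashdisp.exe, mmc.exe and msconfig.exe open Notepad instead (which is exactly the "mmc in Notepad" symptom described). The script below is an added example, not part of the original post and not DDS code: it parses lines in the shape of the Pseudo HJT Report and flags each of those patterns. The sample report is constructed from a subset of the lines quoted above; the rule names, the suspicious-extension list and the lookalike-name list are my own choices, and the script only reads text, it never touches the registry.

```python
"""Triage a DDS-style "Pseudo HJT Report" for the autostart, lock-out and
Image File Execution Options (IFEO) hijacks visible in the log quoted above.
Added example: pure text parsing, no registry access, so it runs anywhere."""
import re
from typing import Dict, List

# Constructed sample in the shape of the report quoted above (not the full log).
SAMPLE_REPORT = r"""
mWinlogon: Shell=explorer.exe c:\windows\system32\fdisk.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\fdisk.com
uWindows: run=c:\docume~1\user\locals~1\temp\svchost.com
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [User Agent] c:\docume~1\user\locals~1\temp\svchost.com
uRun: [HotKey] c:\documents and settings\user\templates\cache\SFCsrvc.pif
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IFEO: AVP.EXE - notepad
IFEO: mmc.exe - notepad
Notify: AtiExtEvent - Ati2evxx.dll
"""

# Stock Winlogon values on XP: anything appended to them is a persistence hook.
EXPECTED = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}
SUSPECT_EXTS = (".com", ".pif", ".scr", ".bat", ".cmd")   # my own list (assumption)
# Names malware commonly borrows; the legitimate copies live under system32.
LOOKALIKE_NAMES = {"svchost", "explorer", "ctfmon", "sndvol32", "regedit", "userinit"}

WINLOGON_RE = re.compile(r"^[umd]Winlogon:\s*(?P<key>Shell|Userinit)=(?P<val>.+)$", re.I)
WININI_RE = re.compile(r"^[umd]Windows:\s*(?P<key>run|load)=(?P<val>.*)$", re.I)
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(?P<name>\w+)\s*=\s*(?P<val>\d+)", re.I)
IFEO_RE = re.compile(r"^IFEO:\s*(?P<target>\S+)\s*-\s*(?P<debugger>.+)$", re.I)
# Pulls every executable path out of a value such as 'explorer.exe c:\x\y.com'
# or '"c:\program files\a.exe" /flag', tolerating spaces inside quoted paths.
EXE_RE = re.compile(r'"?(?P<exe>[^",\s][^",]*?\.(?:exe|com|pif|scr|bat|cmd))"?(?=[\s,]|$)', re.I)


def executables(value: str) -> List[str]:
    """All executable paths in a registry value, lower-cased, in order."""
    return [m["exe"].lower() for m in EXE_RE.finditer(value)]


def autostart_reasons(cmd: str) -> List[str]:
    """Why a Run / run= / load= command looks wrong; empty list means it looks normal."""
    exes = executables(cmd)
    exe = exes[0] if exes else cmd.strip().lower()
    reasons = []
    if "\\temp\\" in exe:
        reasons.append("runs from a Temp directory")
    if exe.endswith(SUSPECT_EXTS):
        reasons.append("non-.exe extension ." + exe.rsplit(".", 1)[-1])
    base = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if base in LOOKALIKE_NAMES and not exe.startswith("c:\\windows\\system32\\"):
        reasons.append("mimics the Windows binary " + base + " outside system32")
    return reasons


def classify(line: str) -> List[Dict[str, str]]:
    """Findings for one report line (usually zero or one)."""
    def finding(rule: str, detail: str) -> Dict[str, str]:
        return {"rule": rule, "line": line, "detail": detail}

    m = WINLOGON_RE.match(line)
    if m:
        extra = [e for e in executables(m["val"]) if e != EXPECTED[m["key"].lower()]]
        return [finding("winlogon_hijack", "extra executable(s): " + ", ".join(extra))] if extra else []
    m = WININI_RE.match(line)
    if m:
        return [finding("winini_run_load", "legacy win.ini " + m["key"] + "= is set")] if m["val"].strip() else []
    m = RUN_RE.match(line)
    if m:
        reasons = autostart_reasons(m["cmd"])
        return [finding("autostart_suspicious", "; ".join(reasons))] if reasons else []
    m = POLICY_RE.match(line)
    if m and m["name"].lower() in LOCKOUT_POLICIES and m["val"] != "0":
        return [finding("lockout_policy", m["name"] + " disables a built-in admin tool")]
    m = IFEO_RE.match(line)
    if m:
        # Any Debugger value silently replaces the target; 'notepad' is never a debugger.
        return [finding("ifeo_redirect", m["target"] + " is launched as " + m["debugger"].strip())]
    return []


def triage(report: str) -> List[Dict[str, str]]:
    """Run every rule over every non-blank line and collect the findings."""
    return [f for raw in report.splitlines() if raw.strip() for f in classify(raw.strip())]


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f["rule"].ljust(22), f["detail"], "<=", f["line"])
```

On the sample it reports nine findings and stays silent on the stock entries (ctfmon.exe, msmsgs.exe, MSConfig). One caveat if you go on to clean by hand: the Userinit value must keep c:\windows\system32\userinit.exe, (with the trailing comma) and only the appended path should go; an empty or wrong Userinit leaves the account unable to reach the desktop, whereas the IFEO Debugger values and the three policy values can simply be deleted.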


#2 aslk76

  • Topic Starter
  • Members
  • 2 posts

Posted 02 November 2009 - 10:42 AM

I think I'm safe for now. I did more research and figured out how to fix my issues somehow... thanks anyway.

#3 Guest_The weatherman_*

  • Guests

Posted 02 November 2009 - 10:47 AM

Thanks for letting us know aslk76. :(



