Can't open Task Manager and Regedit

  • This topic is locked
4 replies to this topic

#1 ermat_46


  • Members
  • 27 posts
  • Local time:06:41 AM

Posted 19 November 2009 - 05:20 AM

Good day.

I noticed that my Task Manager and Regedit are disabled by the "administrator". So I decided to scan my PC using Malwarebytes. It detected 2 Trojan.Downloaders, which are winrmey.exe stored in the D:\WINDOWS\Temp folder and winnlptpo.exe also stored in the Temp folder of the Local Settings folder in the Documents and Settings folder, and a Hijack.Taskmanager and a Hijack.Regedit log. I fixed it, and then I could use my task manager. But then, when I restarted my PC, I couldn't open my task manager and registry editor again. And when I scanned it with Malwarebytes, it detected another Trojan.Downloader with a seemingly random filename (By the way, I googled winrmey.exe and there were no results).

So I decided to download HouseCall from TrendMicro and scanned with it. It detected 79 threats (78 PE_SALITY EN-1 and a Trojan), fixed them and then restarted my PC. But then, the same thing happened. I still can't open my Task Manager.

Anyway, there aren't any other manifestations of the malware that infected my PC aside from blocking the Task Manager and Registry Editor. Anyway, every time I start my PC, the time and date always revert to March 8, 2006 12:00AM due to a BIOS Checksum Error.

Root Repeal Log

ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2006/03/08 00:16
Program Version: Version
Windows Version: Windows XP SP2

Name: dump_atapi.sys
Image Path: D:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7139000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: D:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9F82000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: D:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF45F3000 Size: 49152 File Visible: No Signed: -
Status: -

Image Path: SYMEFA.SYS
Address: 0xF98F5000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
Path: D:\hiberfil.sys
Status: Locked to the Windows API!

Status: Invisible to the Windows API!

Status: Visible to the Windows API, but not on disk.

Path: d:\documents and settings\fuuka academy\local settings\temp\fla5.tmp
Status: Size mismatch (API: 7210106, Raw: 5682594)

Path: D:\Documents and Settings\Fuuka Academy\Application Data\Mozilla\Firefox\Profiles\zsim1yt6.default\D92F81F6d01
Status: Locked to the Windows API!

Path: d:\documents and settings\fuuka academy\local settings\application data\mozilla\firefox\profiles\zsim1yt6.default\cache\0d2d609ed01
Status: Size mismatch (API: 24723456, Raw: 24444928)

#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x818cc160

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x818cc650

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0xff4c4518

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x819d6280

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x81639828

#: 041 Function Name: NtCreateKey
Status: Hooked by "D:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf7e7d130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0xff4d45c0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0xff4c7fc0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x818c8608

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x81a740f0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "D:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf7e7d3b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "D:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf7e7d910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0xff38b380

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x818b3d80

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x818cbb18

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x818cbd70

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x81a7b008

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8191e150

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x818cb470

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xff494548

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x818d1c90

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x818ded38

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xff48e3c0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0xff3d2b28

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x818d6750

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x818cd458

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0xff3ea008

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x81a3e1b8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "D:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf7e7db60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x815f5280

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x818cc880

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x818d60a0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x818cd200

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x818ce9d0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xff4a4f80

Shadow SSDT
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8161a4b0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0xff40e1a8

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x817e07f0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x816032f0

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x81a88460

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0xff4da260

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0xff435260

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0xff4d80c0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x81b9ae58

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x81b328d0


DDS (Ver_09-10-26.01) - NTFSx86
Run by Fuuka Academy at 0:11:27.10 on Wed 03/08/2006
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.39 [GMT -8:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Windows Security Suite *On-access scanning enabled* (Updated) {46CB9E97-5715-4E6E-95DB-4FC9C845F537}
FW: Windows Security Suite *enabled* {B8E1F7F7-2C7B-43D2-A7DD-AF5436330A5E}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Norton AntiVirus\Engine\\ccSvcHst.exe
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Norton SystemWorks Premier Edition\NswUiTray.exe
D:\Program Files\Norton AntiVirus\Engine\\ccSvcHst.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
D:\Documents and Settings\Fuuka Academy\Desktop\HiJackThis\HijackThis.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Fuuka Academy\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - d:\program files\norton antivirus\engine\\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - d:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - d:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - d:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "d:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "d:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [VeohPlugin] "d:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [HijackThis startup scan] d:\documents and settings\fuuka academy\desktop\hijackthis\HijackThis.exe /startupscan
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SW20] d:\windows\system32\sw20.exe
mRun: [SW24] d:\windows\system32\sw24.exe
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "d:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "d:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NSWosCheck] "d:\program files\norton systemworks premier edition\osCheck.exe"
mRun: [NswUiTray] d:\program files\norton systemworks premier edition\NswUiTray.exe
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [FixCamera] d:\windows\FixCamera.exe
mRun: [snpstd3] d:\windows\vsnpstd3.exe
mRun: [tsnpstd3] d:\windows\tsnpstd3.exe
mRun: [EPSON Stylus C59 Series] d:\windows\system32\spool\drivers\w32x86\3\e_fatibhp.exe /fu "d:\windows\temp\E_S1D4.tmp" /EF "HKLM"
mRun: [AdobeCS4ServiceManager] "d:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [<NO NAME>]
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to AMV Converter... - d:\program files\mp3 player utilities 4.15\amvconverter\grab.html
IE: Add to Media Manager... - d:\program files\mp3 player utilities 4.15\mediamanager\grab.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - d:\program files\norton systemworks premier edition\norton cleanup\WCQuick.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\fuukaa~1\applic~1\mozilla\firefox\profiles\zsim1yt6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://ph.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=966134&p=
FF - component: d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\bogarts user\alpha dota phi -best dota sorority of philippines-\divx\divx web player\npdivx32.dll
FF - plugin: d:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: d:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;d:\windows\system32\drivers\nav\1007020.00b\SymEFA.sys [2006-3-8 310320]
R1 BHDrvx86;Symantec Heuristics Driver;d:\windows\system32\drivers\nav\1007020.00b\BHDrvx86.sys [2006-3-8 259632]
R1 ccHP;Symantec Hash Provider;d:\windows\system32\drivers\nav\1007020.00b\cchpx86.sys [2006-3-8 482432]
R1 IDSxpx86;IDSxpx86;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090623.001\IDSXpx86.sys [2006-3-8 276344]
R2 Norton AntiVirus;Norton AntiVirus;d:\program files\norton antivirus\engine\\ccSvcHst.exe [2006-3-8 117640]
R2 NProtectService;Norton UnErase Protection;d:\progra~1\norton~3\norton~1\NPROTECT.EXE [2008-9-25 95600]
S3 getPlus® Helper;getPlus® Helper;d:\program files\nos\bin\getPlus_HelperSvc.exe [2006-3-8 33176]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;c:\documents and settings\bogarts user\animega - path to kefka tower\ml + radical engine\Money1348.sys [2006-3-8 29824]
S3 npggsvc;nProtect GameGuard Service;d:\windows\system32\gamemon.des -service --> d:\windows\system32\GameMon.des -service [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2009-04-15 06:42:06 2134016 ----a-w- d:\windows\system32\python26.dll
2008-09-25 22:53:36 95760 ----a-w- d:\windows\system32\drivers\SdDriver.SYS
2008-09-25 22:53:14 87272 ----a-w- d:\windows\system32\drivers\NPDRIVER.SYS
2008-08-14 15:57:42 74720 ----a-w- d:\windows\system32\drivers\adfs.sys
2008-07-31 18:16:54 947472 ----a-w- d:\windows\system32\msjava.dll
2008-07-25 19:16:58 83968 ----a-w- d:\windows\system32\mscories.dll
2007-05-15 23:43:10 1320800 ----a-w- d:\windows\system32\msxml6.dll
2007-05-09 01:08:12 86728 ----a-w- d:\windows\system32\msxml6r.dll
2007-01-04 19:58:48 1959 ----a-w- d:\windows\AdfuUpdate.inf
2006-10-24 20:30:20 412160 ------w- d:\windows\system32\photometadatahandler.dll
2006-10-24 20:30:06 716288 ------w- d:\windows\system32\WindowsCodecs.dll
2006-10-24 20:30:00 276992 ------w- d:\windows\system32\WMPhoto.dll
2006-10-24 20:29:50 352256 ------w- d:\windows\system32\WindowsCodecsExt.dll
2006-10-19 04:00:46 249856 ------w- d:\windows\system32\drmupgds.exe
2006-10-19 04:00:14 17408 ------w- d:\windows\system32\wpdshextautoplay.exe
2006-09-29 04:13:26 95344 ------w- d:\windows\system32\WUDFCoinstaller.dll
2006-09-29 03:00:34 82944 ------w- d:\windows\system32\drivers\WudfRd.sys
2006-09-29 02:56:38 316416 ------w- d:\windows\system32\WUDFx.dll
2006-09-29 02:56:38 146432 ------w- d:\windows\system32\WudfHost.exe
2006-09-29 02:56:16 165376 ------w- d:\windows\system32\WudfPlatform.dll
2006-09-29 02:56:14 55808 ------w- d:\windows\system32\WudfSvc.dll
2006-09-29 02:55:50 77568 ------w- d:\windows\system32\drivers\WudfPf.sys
2006-08-25 00:15:06 150808 ----a-w- d:\windows\system32\rgb9rast_2.dll
2006-07-12 03:02:30 1053184 ----a-w- d:\windows\system32\mfc71u.dll
2006-07-12 02:43:32 1060864 ----a-w- d:\windows\system32\mfc71.dll
2006-07-12 02:35:42 503808 ----a-w- d:\windows\system32\msvcp71.dll
2006-07-12 02:35:38 348160 ----a-w- d:\windows\system32\msvcr71.dll
2006-07-12 02:07:30 89600 ----a-w- d:\windows\system32\atl71.dll
2006-05-31 02:11:56 0 d-sh--w- d:\documents and settings\all users\DRM
2006-05-31 02:11:31 0 d--h--w- d:\program files\WindowsUpdate
2006-05-31 02:10:30 0 d-----w- d:\program files\common files\MSSoap
2006-05-31 02:09:02 0 d-----w- d:\program files\Online Services
2006-05-31 02:08:56 0 d-----w- d:\program files\Messenger
2006-05-31 02:08:53 0 d-----w- d:\program files\MSN Gaming Zone
2006-05-31 02:08:13 0 d-----w- d:\program files\Windows NT
2006-03-08 19:03:19 0 d-----w- d:\docume~1\alluse~1\applic~1\UDL
2006-03-08 18:47:29 0 d-----w- d:\program files\EPSON
2006-03-08 14:52:12 0 d-----w- d:\program files\common files\snpstd3
2006-03-08 13:55:39 0 d-----w- d:\docume~1\fuukaa~1\applic~1\Thinstall
2006-03-08 13:52:03 0 d-----w- d:\program files\ffdshow
2006-03-08 12:08:42 0 d-----w- d:\program files\StepMania
2006-03-08 11:05:48 0 d-----w- d:\program files\common files\L&H
2006-03-08 11:04:24 0 d-----w- d:\program files\Microsoft ActiveSync
2006-03-08 10:30:28 0 d-----w- d:\program files\MixMeister BPM Analyzer
2006-03-08 10:11:48 0 d-----w- d:\docume~1\alluse~1\applic~1\JCreator
2006-03-08 10:11:47 0 d-----w- d:\docume~1\fuukaa~1\applic~1\JCreator
2006-03-08 10:05:31 0 d-----w- d:\program files\Xinox Software
2006-03-08 09:57:51 0 d-----w- d:\docume~1\fuukaa~1\applic~1\Malwarebytes
2006-03-08 09:57:31 0 d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
2006-03-08 09:57:29 0 d-----w- d:\program files\Malwarebytes' Anti-Malware
2006-03-08 09:35:20 0 d-----w- d:\program files\mp3DirectCut
2006-03-08 09:26:43 0 d-----w- d:\docume~1\fuukaa~1\applic~1\com.adobe.ExMan
2006-03-08 09:23:33 0 d-----w- d:\program files\Veoh Networks
2006-03-08 09:12:15 0 d-----w- d:\docume~1\alluse~1\applic~1\NokiaMusic
2006-03-08 09:11:45 0 d-----w- d:\program files\YouTube Downloader
2006-03-08 08:59:55 0 d-----w- d:\program files\BlueJ
2006-03-08 08:51:13 0 d-----w- d:\program files\Nokia
2006-03-08 08:41:51 0 d-----w- d:\program files\Yahoo!
2006-03-08 08:37:16 0 d-----w- d:\program files\MP3 Player Utilities 4.15
2006-03-08 08:34:36 0 d-----w- d:\program files\common files\Macrovision Shared
2006-03-08 08:29:11 0 d-----w- d:\program files\Nero
2006-03-08 08:29:11 0 d-----w- d:\docume~1\alluse~1\applic~1\Nero
2006-03-08 08:24:17 0 d-----w- d:\program files\common files\INCA Shared
2006-03-08 08:17:46 0 d-sh--w- d:\docume~1\alluse~1\applic~1\8123eb8
2006-03-08 08:17:29 0 d-----w- d:\program files\PerformanceTest
2006-03-08 08:16:40 0 d-----w- d:\program files\Smith Micro
2006-03-08 08:15:54 0 d-----w- d:\docume~1\alluse~1\applic~1\NortonSystemWorks
2006-03-08 08:15:11 0 d-----w- d:\program files\Norton SystemWorks Premier Edition
2006-03-08 08:14:39 0 d-----w- d:\docume~1\alluse~1\applic~1\Symantec
2006-03-08 08:12:30 0 d-----w- d:\program files\MSXML 6.0
2006-03-08 08:12:15 0 d-----w- d:\program files\Symantec
2006-03-08 08:12:15 0 d-----w- d:\program files\common files\Symantec Shared
2006-03-08 08:11:38 0 d-----w- d:\program files\Norton AntiVirus
2006-03-08 08:11:37 0 d-----w- d:\docume~1\alluse~1\applic~1\Norton
2006-03-08 08:11:14 0 d-----w- d:\program files\NortonInstaller
2006-03-08 08:11:14 0 d-----w- d:\docume~1\alluse~1\applic~1\NortonInstaller
2006-03-08 08:07:52 0 d-----w- d:\program files\C-Media 3D Audio
2006-03-08 08:02:03 0 d-----w- d:\program files\Realtek Sound Manager
2006-03-08 08:02:01 0 d-----w- d:\program files\AvRack
2006-03-08 08:01:57 0 d-----w- d:\program files\Realtek AC97
2006-03-08 00:01:40 0 d-----w- d:\program files\common files\ODBC
2006-03-08 00:01:37 0 d-----w- d:\program files\common files\SpeechEngines
2006-03-08 00:01:09 0 d-----r- d:\documents and settings\all users\Documents

==================== Find3M ====================

2009-09-10 22:54:06 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53:50 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-08-22 06:32:45 36400 ----a-r- d:\windows\system32\drivers\SymIM.sys
2009-02-09 16:37:48 91136 ----a-w- d:\windows\system32\nmwcdcls.dll
2008-12-18 03:22:48 57344 ----a-w- d:\windows\system32\ff_vfw.dll
2008-12-11 21:26:58 60273 ----a-w- d:\windows\system32\pthreadGC2.dll
2008-08-26 18:26:12 18816 ----a-w- d:\windows\system32\drivers\pccsmcfd.sys
2008-07-28 23:15:58 92048 ----a-w- d:\windows\fonts\AGaramondPro-Italic.otf
2008-07-28 23:15:58 76828 ----a-w- d:\windows\fonts\AGaramondPro-BoldItalic.otf
2008-07-28 23:15:58 75116 ----a-w- d:\windows\fonts\AGaramondPro-Bold.otf
2008-07-28 23:15:58 171196 ----a-w- d:\windows\fonts\ACaslonPro-SemiboldItalic.otf
2008-07-28 23:15:58 170992 ----a-w- d:\windows\fonts\ACaslonPro-Semibold.otf
2008-07-28 23:15:58 170012 ----a-w- d:\windows\fonts\ACaslonPro-BoldItalic.otf
2008-07-28 23:15:58 168884 ----a-w- d:\windows\fonts\ACaslonPro-Regular.otf
2008-07-28 23:15:58 168816 ----a-w- d:\windows\fonts\ACaslonPro-Italic.otf
2008-07-28 23:15:58 143692 ----a-w- d:\windows\fonts\ACaslonPro-Bold.otf
2008-07-28 23:15:58 127840 ----a-w- d:\windows\fonts\AGaramondPro-Regular.otf
2008-07-06 12:06:10 575488 ------w- d:\windows\system32\xpsshhdr.dll
2008-07-06 12:06:10 1676288 ------w- d:\windows\system32\xpssvcs.dll
2008-07-06 12:06:10 117760 ------w- d:\windows\system32\prntvpt.dll
2008-03-07 19:21:24 10423680 ----a-w- d:\windows\system32\drivers\snpstd3.sys
2008-02-22 01:15:46 3968 ----a-w- d:\windows\system32\drivers\denoise.sys
2007-12-19 18:31:26 163840 ----a-w- d:\windows\system32\rsnpstd3.dll
2007-11-30 11:18:51 26488 ----a-w- d:\windows\system32\spupdsvc.exe
2007-07-24 02:09:06 57344 ----a-w- d:\windows\system32\vsnpstd3.dll
2007-07-12 00:09:48 20480 ----a-w- d:\windows\FixCamera.exe
2007-05-10 21:18:26 905216 ----a-w- d:\windows\vsnpstd3.exe
2007-04-21 17:37:02 348160 ----a-w- d:\windows\tsnpstd3.exe
2006-10-19 05:58:00 8704 ----a-w- d:\windows\system32\wdfmgr.exe
2006-10-19 05:58:00 8704 ----a-w- d:\windows\system32\uwdf.exe
2006-10-19 04:03:58 100864 ----a-w- d:\windows\system32\logagent.exe
2006-10-19 04:00:00 38528 ----a-w- d:\windows\system32\drivers\wpdusb.sys
2006-09-29 00:05:20 2414360 ----a-w- d:\windows\system32\d3dx9_31.dll
2006-07-03 18:31:54 94208 ----a-w- d:\windows\amcap.exe
2006-05-31 02:09:28 21640 ----a-w- d:\windows\system32\emptyregdb.dat
2006-03-08 17:52:24 806 ----a-w- d:\windows\system32\drivers\SYMEVENT.INF
2006-03-08 17:52:24 7456 ----a-w- d:\windows\system32\drivers\SYMEVENT.CAT
2006-03-08 17:52:24 60808 ----a-w- d:\windows\system32\S32EVNT1.DLL
2006-03-08 17:52:24 124976 ----a-w- d:\windows\system32\drivers\SYMEVENT.SYS
2006-03-08 12:51:09 411368 ----a-w- d:\windows\system32\deploytk.dll
2006-03-08 09:53:17 147456 ----a-r- d:\windows\system32\sw24.exe
2006-03-08 09:53:16 282624 ----a-r- d:\windows\system32\sw20.exe
2006-03-08 09:53:12 1601536 ----a-w- d:\windows\system32\nwiz.exe
2006-03-06 18:41:02 73728 ----a-w- d:\windows\system32\AMV_DecDLL.dll
2006-03-02 16:04:00 73216 ----a-w- d:\windows\system32\E_FLBBHP.DLL
2001-11-23 04:08:20 712704 ----a-r- d:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 0:12:00.64 ===============


DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/30/2006 7:16:12 PM
System Uptime: 3/8/2006 12:00:22 AM (0 hours ago)

Motherboard: ECS | | P4M800-M7
Processor: Intel® Pentium® D CPU 2.66GHz | CPU 1 | 2660/133mhz
Processor: Intel® Pentium® D CPU 2.66GHz | CPU 1 | 2660/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 20 GiB total, 0.085 GiB free.
D: is FIXED (NTFS) - 19 GiB total, 0.165 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_20D514F1&REV_01\3&267A616A&0&48
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F30&SUBSYS_20D514F1&REV_01\3&267A616A&0&48

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
C-Media 3D Audio
CheckIt Diagnostics
Connection Keep Alive
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan Assistant
EPSON Web-To-Page
ESC58_59 User's Guide
ffdshow [rev 2527] [2008-12-19]
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB954550-v5)
Java™ 6 Update 17
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MixMeister BPM Analyzer 1.0
Mozilla Firefox (3.5.2)
MP3 Player Utilities 4.15
MSXML 6.0 Parser (KB933579)
Nokia Connectivity Cable Driver
Nokia Ovi Content Copier
Nokia Ovi Content Copier 6.85.3011
Nokia Ovi One Touch Access
Nokia Ovi One Touch Access 6.85.3019
Nokia Ovi System Utilities
Nokia Ovi System Utilities 6.85.3018
Norton AntiVirus
Norton Cleanup
Norton SystemWorks (Symantec Corporation)
Norton SystemWorks Premier Edition
Norton Utilities
NVIDIA Drivers
PC Connectivity Solution
PDF Settings CS4
Photoshop Camera Raw
Python 2.6.2
Realtek AC'97 Audio
StepMania (remove only)
Suite Shared Configuration CS4
USB PC Camera-168
WebFldrs XP
Windows Driver Package - Nokia pccsmcfd (08/22/2008
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
WinRAR archiver
Yahoo! Messenger
YouTube Downloader 2.5.3

==== Event Viewer Messages From Past Week ========

3/8/2006 4:16:19 AM, error: Service Control Manager [7034] - The NMIndexingService service terminated unexpectedly. It has done this 1 time(s).
3/8/2006 2:05:43 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
3/8/2006 12:04:27 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/8/2006 12:04:19 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file d:\windows\system32\msxml3r.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.20.8730.1, the version of the system file is 8.20.8730.1.
3/8/2006 12:04:19 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file d:\windows\system32\msxml3.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.50.2162.0, the version of the system file is 8.50.2162.0.
3/8/2006 12:03:32 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Norton UnErase Protection service to connect.
3/8/2006 12:03:32 AM, error: Service Control Manager [7000] - The Norton UnErase Protection service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/8/2006 12:02:45 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'NPROTECT' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/8/2006 12:01:29 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IDSxpx86

==== End Of File ===========================
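The DDS and RootRepeal output above is long, and the lines a helper reads first are easy to miss: the `uPolicies-system` / `dPolicies-system` values that produce the "disabled by your administrator" message, the `AV:` line reporting on-access scanning disabled, and the SSDT entries hooked by `<unknown>` rather than by a named driver. The script below is an added example (not part of this thread, and not code from DDS or RootRepeal) that pulls those three indicators out of log text in the same shape as the logs in this post and lists the `reg delete` commands that would clear the lockout values. The sample log is constructed from a handful of lines in the post's format; the mapping of the DDS prefixes `u`/`m`/`d` to HKCU/HKLM/HKU\.DEFAULT is an assumption made here.

```python
"""Triage helper for DDS policy/AV lines and RootRepeal SSDT hook lines (added example)."""
import re

# Constructed sample in the shape of the DDS and RootRepeal output pasted in the post.
SAMPLE_LOG = r"""
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Windows Security Suite *On-access scanning enabled* (Updated) {46CB9E97-5715-4E6E-95DB-4FC9C845F537}
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
#: 041 Function Name: NtCreateKey
Status: Hooked by "D:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf7e7d130
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xff494548
"""

# Assumed meaning of the DDS prefixes: u = current user, m = machine, d = .DEFAULT user hive.
HIVE_FOR_PREFIX = {
    "u": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    "m": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    "d": r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System",
}
# Policy values that, when set to 1, lock the user out of Task Manager / Registry Editor.
RESTRICTION_VALUES = {"DisableTaskMgr", "DisableRegistryTools"}

POLICY_RE = re.compile(r"^([umd])Policies-system:\s+(\w+)\s*=\s*(\d+)")
AV_RE = re.compile(r"^AV:\s+(.+?)\s+\*On-access scanning (enabled|disabled)\*")
FUNC_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s+(\w+)")
HOOK_RE = re.compile(r'^Status:\s+Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')


def find_policy_restrictions(text):
    """Return (registry key, value name) pairs for lockout policies set to 1."""
    hits = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m.group(2) in RESTRICTION_VALUES and int(m.group(3)) == 1:
            hits.append((HIVE_FOR_PREFIX[m.group(1)], m.group(2)))
    return hits


def find_disabled_av(text):
    """Return the names of AV products DDS reports with on-access scanning disabled."""
    names = []
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m and m.group(2) == "disabled":
            names.append(m.group(1))
    return names


def find_unknown_hooks(text):
    """Pair each 'Function Name' line with the 'Status' line that follows it and keep
    only hooks whose owning module RootRepeal could not identify ("<unknown>")."""
    hooks = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        fm = FUNC_RE.match(line)
        if fm:
            current = fm.group(1)
            continue
        hm = HOOK_RE.match(line)
        if hm and current is not None:
            if hm.group(1) == "<unknown>":
                hooks.append((current, hm.group(2)))
            current = None
    return hooks


def remediation_commands(restrictions):
    """reg.exe commands that remove the lockout values found by find_policy_restrictions."""
    return [f'reg delete "{key}" /v {name} /f' for key, name in restrictions]


def triage(text):
    """Summarise the three indicators for one log text."""
    restrictions = find_policy_restrictions(text)
    return {
        "policy_restrictions": restrictions,
        "av_disabled": find_disabled_av(text),
        "unknown_hooks": find_unknown_hooks(text),
        "commands": remediation_commands(restrictions),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key)
        for item in value:
            print("   ", item)
```

The commands only remove the symptom: the poster already saw the values come back after a reboot, which is consistent with the downloader component re-applying them, so clearing them is useful for triage but not a fix while the infection is still present.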

#2 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:12:41 AM

Posted 27 November 2009 - 09:54 AM


I'm sorry I have bad news for you:

You have contracted sality.

Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web...

About Sality Virus
Win32/Sality Family

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before co

There is no guarantee the infection can be completely removed. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Should you decide not to follow that advice, you can try the AVG Win32/Sality Remover. It was last updated in June 2007 and is not always effective for the reasons I indicated above. Follow the instructions exactly as specified and pay close attention to the instructions including the note on administrator rights.
alternate download

You probably got infected by an infected USB drive. We need to clean those, independently of your decision on reformatting:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

regards myrti
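The note above describes the trick behind the hidden autorun.inf folder: a directory already owns that name at the drive root, so the autorun worm component cannot create its autorun.inf file there. The script below is an added example written for this thread; it is not Flash_Disinfector's code and not sUBs's. It classifies what sits at `<root>\autorun.inf`, creates the placeholder directory when the name is free (refusing to touch an existing autorun.inf file, which on an infected drive is the thing to examine rather than overwrite), and verifies that a file of that name can no longer be created. The hidden and system attributes it sets on Windows are an assumption; the post only says the folder is hidden. The demo runs in a temporary directory standing in for a drive root.

```python
"""Check and create the protective autorun.inf folder at a drive root (added example)."""
import os
import sys
import tempfile

# Assumed attributes for the placeholder (the post only says "hidden"); Windows only.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def autorun_state(root):
    """What occupies <root>/autorun.inf: 'folder' (protected), 'file' (a real
    autorun.inf, which on an infected drive is the worm's launcher) or 'absent'."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "folder"
    if os.path.lexists(path):
        return "file"
    return "absent"


def create_protective_folder(root):
    """Create the placeholder directory. An existing autorun.inf *file* is left alone
    and reported, so it can be inspected and the drive cleaned first."""
    path = os.path.join(root, "autorun.inf")
    state = autorun_state(root)
    if state == "file":
        raise RuntimeError(f"{path} is a file; inspect it before replacing it")
    if state == "absent":
        os.mkdir(path)
    if sys.platform == "win32":
        import ctypes  # hide the folder, as the post describes (assumed attributes)
        ctypes.windll.kernel32.SetFileAttributesW(
            path, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return path


def placeholder_blocks_file(root):
    """Return True if creating a *file* named autorun.inf at the root fails because
    the directory already owns that name. That refusal is the whole protection."""
    path = os.path.join(root, "autorun.inf")
    try:
        with open(path, "x") as fh:  # exclusive create, never overwrite
            fh.write("placeholder test\n")
    except OSError:
        return os.path.isdir(path)
    os.remove(path)  # nothing blocked the write: undo the test file
    return False


def demo():
    """Exercise the check in a temporary directory standing in for a drive root."""
    with tempfile.TemporaryDirectory() as root:
        before = autorun_state(root)
        unprotected = placeholder_blocks_file(root)  # no folder yet: the write succeeds
        create_protective_folder(root)
        create_protective_folder(root)  # second call is a no-op on an existing folder
        after = autorun_state(root)
        protected = placeholder_blocks_file(root)
        return {"before": before, "blocked_before": unprotected,
                "after": after, "blocked_after": protected}


if __name__ == "__main__":
    print(demo())
```

Run it against a real drive root (for example `create_protective_folder("F:\\")`) only on a machine you trust; on the infected PC the registry restrictions the poster hit in the next message may also get in the way of tools that do this.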

#3 ermat_46

  • Topic Starter

  • Members
  • 27 posts
  • Local time:06:41 AM

Posted 29 November 2009 - 07:37 AM

I'm still trying to backup my data but I have some questions:

1) Are the ZIP files also affected by the infection? I mean is it okay to backup my ZIP files?

2) I tried using the Flash_Disinfector but a warning like "Registry Editing has been disabled by the administrator" appears, but the program seemed to be successful. Is it just okay?

Thanks. Pls. reply asap.

#4 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:12:41 AM

Posted 29 November 2009 - 02:59 PM


If you cannot run Flash_Disinfector on your infected PC, I would advise that you download it on a clean PC and disinfect your flash drives on the clean PC. Make sure that you keep Shift pressed when you attach the flash drives, to prevent possibly infected flash drives from spreading the infection.

I do not believe that Sality infects zip files. However, there are other viruses that do. So if you want to play it safe, I would advise not backing them up. However, unless the zip files contain exe files, there should be no risk in extracting all the files and copying them uncompressed onto your backup drive. In any case you should run a scan on all your files before copying them back onto your PC.

regards myrti

#5 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:12:41 AM

Posted 21 December 2009 - 08:22 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,

