mbam won't run, spybot won't run, rootcleaner won't run
Started by QcFirestartrers, Oct 23 2009 03:14 PM
#1
Posted 23 October 2009 - 03:14 PM
I had some problems lately with my computer's RAM... just thought it was a normal virus!!
I tried running Malwarebytes!! It works for 1 sec when scanning... then closes and says I don't have a high enough rank to use it!! Same when using Spybot or even RootCleaner.
I don't have any solution!! Tried to run MBAM while renamed, reinstalled, tried in safe mode, even tried to stop some processes... tried everything I know, now I'm fcked... I'll send you the HijackThis in an hour!!
#2
Posted 23 October 2009 - 04:04 PM
QcFirestartrers, on Oct 23 2009, 04:14 PM, said:
I had some problems lately with my computer's RAM... just thought it was a normal virus!!
I tried running Malwarebytes!! It works for 1 sec when scanning... then closes and says I don't have a high enough rank to use it!! Same when using Spybot or even RootCleaner.
I don't have any solution!! Tried to run MBAM while renamed, reinstalled, tried in safe mode, even tried to stop some processes... tried everything I know, now I'm fcked... I'll send you the HijackThis in an hour!!
OK!! Can't run HijackThis lol... unable to do ANYTHING ^^ Can't get on Google... pop-ups appear!! I am about to format.... help me lol!!
#3
Posted 23 October 2009 - 04:09 PM
Only ESET NOD32 seems to run... and it detected a ((KRYPTIQ virus)). I'll get ComboFix to see if it works!
#4
Posted 23 October 2009 - 04:32 PM
COMBOFIX WORKED... here's the result!
ComboFix 09-10-22.01 - Marc 2009-10-23 12:18.1.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.2.1036.18.3071.2658 [GMT -4:00]
Lancé depuis: c:\documents and settings\Marc\Bureau\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Un antivirus résident est actif
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Marc\Mes documents\cc_20090713_010916.reg
c:\windows\system32\2CPrG5n2.exe.a_a
c:\windows\system32\Plugins
c:\windows\system32\Plugins\ml\ml_pmp_device_DSM956 Multi MP3 Playe.ini
Une copie infectée de c:\windows\system32\eventlog.dll a été trouvée et désinfectée
Copie restaurée à partir de - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((((((( Fichiers créés du 2009-09-23 au 2009-10-23 ))))))))))))))))))))))))))))))))))))
.
2009-10-23 16:00 . 2009-10-23 16:00 -------- d-----w- c:\program files\Trend Micro
2009-10-22 22:39 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 22:39 . 2009-10-22 22:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 22:39 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-22 14:51 . 2009-10-22 14:51 -------- d-----w- c:\documents and settings\Marc\Application Data\Malwarebytes
2009-10-19 22:23 . 2009-10-23 15:57 0 ----a-r- c:\windows\win32k.sys
2009-10-19 01:55 . 2009-10-19 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\56125322
2009-10-17 15:43 . 2009-10-17 15:43 118272 --sha-r- c:\windows\system32\uwqv.dll
2009-10-16 07:52 . 2009-10-16 07:52 -------- d-----w- c:\documents and settings\Marc\Application Data\nod32 updater
2009-10-14 16:32 . 2009-10-14 16:32 -------- d-----w- c:\windows\Advanced AI Mod
2009-10-08 22:41 . 2009-10-08 22:42 -------- d-----w- c:\program files\Nero
2009-10-08 22:41 . 2009-10-08 22:42 -------- d-----w- c:\program files\Fichiers communs\Nero
2009-10-08 17:15 . 2009-10-08 17:15 -------- d-----w- c:\program files\LimeWire
2009-10-08 17:09 . 2009-10-08 17:09 -------- d-----w- c:\documents and settings\Marc\Application Data\Leadertech
2009-10-08 16:58 . 2009-10-08 16:58 -------- d-----w- c:\program files\EA Sports
2009-10-06 03:36 . 2009-10-06 03:36 -------- d-----w- c:\documents and settings\Marc\Application Data\Office Genuine Advantage
2009-09-30 04:39 . 2009-09-30 04:40 -------- d-----w- c:\windows\system32\Adobe
2009-09-29 17:05 . 2009-09-29 17:05 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-09-29 17:02 . 2009-09-29 17:02 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-09-29 16:56 . 2009-09-29 16:56 116008 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-09-29 13:11 . 2009-10-16 07:47 -------- d-----w- c:\program files\MagicISO
2009-09-27 21:20 . 2009-09-27 21:20 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-09-27 21:20 . 2009-09-27 21:20 -------- d-----w- c:\program files\DIFX
2009-09-27 21:20 . 2009-09-27 21:20 -------- d-----w- c:\program files\Garmin
2009-09-27 14:53 . 2009-09-27 21:05 -------- d-----w- c:\documents and settings\Marc\Application Data\GARMIN
2009-09-26 19:13 . 2009-09-26 19:13 -------- d-----w- c:\program files\uTorrent
2009-09-26 19:12 . 2009-10-16 15:08 -------- d-----w- c:\documents and settings\Marc\Application Data\uTorrent
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 16:22 . 2008-12-19 20:41 -------- d-----w- c:\program files\Steam
2009-10-23 16:17 . 2001-08-28 12:00 93612 ----a-w- c:\windows\system32\perfc00C.dat
2009-10-23 16:17 . 2001-08-28 12:00 533158 ----a-w- c:\windows\system32\perfh00C.dat
2009-10-22 22:35 . 2008-09-26 19:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-22 22:23 . 2008-09-26 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-22 22:16 . 2008-09-20 19:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-15 18:41 . 2008-09-27 16:53 -------- d-----w- c:\documents and settings\Marc\Application Data\LimeWire
2009-10-12 15:58 . 2008-10-13 23:35 -------- d-----w- c:\program files\Fichiers communs\Blizzard Entertainment
2009-10-09 02:43 . 2008-09-25 02:58 -------- d-----w- c:\documents and settings\Marc\Application Data\dvdcss
2009-10-08 22:47 . 2008-10-31 20:50 -------- d-----w- c:\documents and settings\Marc\Application Data\Nero
2009-10-08 22:41 . 2008-10-31 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-10-06 03:32 . 2009-02-01 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-10-06 03:30 . 2009-01-14 03:31 -------- d-----w- c:\program files\Fichiers communs\Adobe
2009-10-02 18:17 . 2008-09-26 21:26 -------- d-----w- c:\program files\Navilog1
2009-10-01 03:54 . 2008-10-05 14:41 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-01 03:54 . 2008-10-05 14:41 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-30 04:40 . 2008-09-27 16:52 -------- d-----w- c:\program files\Google
2009-09-23 21:59 . 2009-01-18 07:06 -------- d-----w- c:\program files\ma-config.com
2009-09-23 21:59 . 2009-01-18 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ma-config.com
2009-09-22 22:24 . 2009-09-22 22:23 -------- d-----w- c:\program files\C-Media PCI Audio Device
2009-09-22 22:00 . 2008-09-20 19:35 49944 ----a-w- c:\documents and settings\Marc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 21:59 . 2009-09-22 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-19 01:09 . 2009-09-19 01:09 -------- d-----w- c:\documents and settings\Marc\Application Data\The Creative Assembly
2009-09-19 00:39 . 2009-09-19 00:39 -------- d-----w- c:\program files\Fichiers communs\Adobe AIR
2009-09-11 14:18 . 2004-08-19 20:09 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2004-08-19 20:09 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 20:17 . 2008-10-05 14:40 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-29 07:56 . 2004-08-19 20:09 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:01 . 2004-08-19 20:09 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 21:11 . 2009-08-22 21:11 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-08-22 21:11 . 2009-08-22 21:11 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-08-06 23:24 . 2008-09-20 19:19 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2008-09-20 19:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-09-20 19:19 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2007-07-30 23:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-09-20 19:19 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-19 20:09 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-09-20 19:19 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-09-22 20:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2008-09-22 20:17 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2008-09-20 19:19 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:00 . 2004-08-19 20:09 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 17:27 . 2004-08-19 20:04 2147328 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 17:27 . 2004-08-19 16:04 2025984 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-31 12:47 . 2009-07-31 12:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Steam"="c:\program files\steam\steam.exe" [2009-06-22 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-30 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-25 16855552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.0\\cnc3ep1.dat"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\FirstStrike.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-09-29 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-09-29 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-29 735960]
.
Contenu du dossier 'Tâches planifiées'
2009-10-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
2009-10-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-22 02:18]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://google.ca/
mStart Page = hxxp://search.shareware.pro/?lang=en
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHELINS SUPPRIMES - - - -
HKLM-Run-CmPCIaudio - CMICNFG3.cpl
AddRemove-HijackThis - c:\documents and settings\Marc\Local Settings\Temporary Internet Files\Content.IE5\23Q41MG3\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 12:22
Windows 5.1.2600 Service Pack 3 NTFS
Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...
Scan terminé avec succès
Fichiers cachés: 0
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
[HKEY_USERS\S-1-5-21-725345543-1960408961-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C363291B-16D1-E368-1FD1-F69A8C8666CF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abeikpldflbiggjinlnnlojfeomciaiddp"=hex:61,61,00,00
"bbeikpldflbiggjinlcamncfjnaodhnmpagb"=hex:61,61,00,00
[HKEY_USERS\S-1-5-21-725345543-1960408961-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:94,ed,93,e2,d3,df,a4,fe,ea,18,7d,fe,51,f3,f9,8c,26,a2,38,b1,df,41,8a,
8b,8f,65,c8,45,c4,b6,de,a5,63,04,96,67,c0,cc,ec,8f,75,04,bd,d4,b1,d6,2f,90,\
"??"=hex:82,56,f2,03,94,44,f6,ce,f0,3c,2c,0e,c5,3d,eb,d1
[HKEY_USERS\S-1-5-21-725345543-1960408961-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:b8,44,62,7e,f2,97,fb,1f,7c,8e,f9,e5,58,18,34,ac,db,bd,eb,44,6e,
80,92,69,6b,8a,e7,36,72,52,3f,8c,eb,35,00,0c,a8,c5,a2,d1,f6,39,e7,ad,88,e5,\
"rkeysecu"=hex:35,93,b7,c0,b2,69,92,5d,95,d0,68,f4,c5,a7,f2,6e
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs chargées dans les processus actifs ---------------------
- - - - - - - > 'explorer.exe'(1812)
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\WgaTray.exe
c:\windows\system32\rundll32.exe
c:\combofix\CF27536.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Fichiers communs\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\RunDll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Heure de fin: 2009-10-23 12:27 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-10-23 16:27
Avant-CF: 389 583 192 064 octets libres
Après-CF: 389 564 874 752 octets libres
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect
- - End Of File - - FF98A7A411EB89C15CE766920A53AA08