Help! May have Malware

i was check through my autoruns using sysinternals and found this

catchme File not found: C:\DOCUME~1\SKYEKI~1\LOCALS~1\Temp\catchme.sys

Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys

i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys

lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys

kbeepm File not found: C:\DOCUME~1\SKYEKI~1\LOCALS~1\Temp\kbeepm.sys

PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys

PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys

PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys

PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys

PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys

and Seems that Catchme.sys is part of combofix? was searching through majorgeeks. if so then please dealte this post thanks!

 

Hi Dane01,
Welcome to Major Geeks!

Catchme.sys is a virus, but what your scan shows is that it was not found.

abri

 

I do Combofix on my computer atm so..i'll post my logs and such see if there is any malware on my computer

 

Here are my Logs CF and MGtools

And Thanks for Helping guys

 

Hi Dane01,


1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
First:

• Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
• If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
• If you have Version 1.4, Click on Exit Spybot S&D Resident

or Second, For Either Version :

• Open Spybot S&D
• Click Mode, choose Advanced Mode
• Go To the bottom of the Vertical Panel on the Left, Click Tools
• then, also in left panel, click Resident shows a red/white shield.
• If your firewall raises a question, say OK
• In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
• OK any prompts.
• Use File, Exit to terminate Spybot

2) Go to add/remove programs and uninstall the below:

- Java(TM) 6 Update 5

3) You're controlling your startup items using msconfig, which is not a good idea. Please go to Start / Run and type in msconfig and click on okay. Then select Normal System Start, click on accept and okay.

4) Now Reboot your computer.

5) After you reboot, install the current version of Sun Java from: Sun Java Runtime Environment

6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


7) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only). In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

After you click fix, just close hijackthis.

8) Next I would like to have you use ComboFix to remove some files.

• Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

DRIVER::
kbeepm

FILE::
C:\DOCUME~1\SKYEKI~1\LOCALS~1\Temp\kbeepm.sys

REGISTRY::
[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


9) Now run CCleaner at the default setting with the Windows tab as the top one.

10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


Let me know how things are running now?

abri

 

sorry i been away last few days i'll get right on this ASAP Thanks!

 

Odd i cant seem to run Combofix it tells me to a alphanumerical name. When i do that it ran now i cant get a log from it. ><; i'll post MGtools and see avenger works

 

Heres my Mlogs

 

Hi Dane01,

Avenger works differently than Combofix. I don't know what you know or don't know about it?

abri