Am I Infected- XP laptop- wireless


This topic is locked
12 replies to this topic

#1 Anna Equus (Members, 15 posts)

Posted 09 January 2009 - 09:34 AM

Hi,

I was sent here for help, and here are my logs:

Mod. edit. For contextual information and to see what's been done, please read this thread: http://www.bleepingcomputer.com/forums/t/192787/help-needed-for-cleaning-of-laptop/ ~ OB


DDS (Ver_09-01-07.01) - NTFSx86
Run by Anna-Lisa Tonge' at 7:20:05.18 on Fri 01/09/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.170 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gigabyte\Gigabyte WB01GS & WI05GS mini Adapter\Installer\WINXP\GNConfig.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Anna-Lisa Tonge'\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [RestoreIT!] "c:\program files\phoenix technologies\cme\rpro\ xp\VBPTASK.EXE" VBStart
mRun: [Guard] "c:\program files\phoenix technologies\cme\guard\Guard.exe" /background
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [QUICKCARE] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QUICKCARE
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gigaby~1.lnk - c:\program files\gigabyte\gigabyte wb01gs & wi05gs mini adapter\installer\winxp\GNConfig.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922}
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6}
Trusted Zone: asu.edu\myasucourses
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-1-5 34144]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-1-5 28800]
R0 ptpd;Disk Filter Driver;c:\windows\system32\drivers\ptpd.sys [2006-11-10 7680]
R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-11-10 43512]
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2007-2-20 183154]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-2 99376]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-4-19 6656]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090108.048\NAVENG.SYS [2009-1-9 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090108.048\NAVEX15.SYS [2009-1-9 876112]
R3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [2006-11-10 44544]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-1-2 1245064]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2006-11-10 7412]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R4 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2006-11-10 2304]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-11-8 14336]
R4 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2006-11-9 8192]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]

=============== Created Last 30 ================

2009-01-06 22:16 --d----- c:\docume~1\anna-l~1\applic~1\Malwarebytes
2009-01-06 22:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 22:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 22:15 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 22:15 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-06 10:01 --d----- C:\Lop SD
2009-01-04 08:50 --d----- C:\N360_BACKUP
2009-01-03 06:49 --d----- c:\program files\Lavasoft
2009-01-03 06:48 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-03 00:17 --d----- c:\windows\system32\scripting
2009-01-03 00:17 --d----- c:\windows\l2schemas
2009-01-03 00:17 --d----- c:\windows\system32\en
2009-01-03 00:17 --d----- c:\windows\system32\bits
2009-01-03 00:10 --d----- c:\windows\ServicePackFiles
2009-01-02 09:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-02 08:53 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-02 08:53 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-02 08:53 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-02 08:53 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-02 08:52 --d----- c:\program files\Symantec
2009-01-02 08:52 --d----- c:\docume~1\alluse~1\applic~1\Symantec

==================== Find3M ====================

2009-01-08 22:32 290,216 ac------ c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-01-03 00:23 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 05:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 18:00 666,112 a------- c:\windows\system32\wininet.dll
2008-08-22 10:43 289,504 a------- c:\docume~1\anna-l~1\applic~1\GDIPFONTCACHEV1.DAT
2006-11-10 13:26 56 -c-shr-- c:\windows\system32\F6EF0470C8.sys
2007-08-02 06:11 1,682 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 7:21:30.01 ===============

Edited by Orange Blossom, 09 January 2009 - 10:16 AM.



#2 Thunder (Members, 3,294 posts; Gender: Male; Location: Belgium)

Posted 18 January 2009 - 01:57 PM

Hello Anna Equus,

Sorry it took so long. :)

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Please post back with the Kaspersky report and the ComboFix log.

Greetings,
Thunder

Edited by Thunder, 24 January 2009 - 03:25 PM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Anna Equus (Topic Starter; Members, 15 posts)

Posted 22 January 2009 - 07:44 AM

Good Morning Thunder,

I am glad to hear from you.....

I have attempted to run your scan and have not been successful thus far.

1st attempt ran for 6:28:02 and got to 20% (stopped at Outlook files (archive))
2nd attempt ran for 2:00:02 and got to 10% (stopped at video files)

I will try again and let it run while I am at work.

Anna-Lisa

#4 Thunder (Members, 3,294 posts; Gender: Male; Location: Belgium)

Posted 22 January 2009 - 08:08 AM

Hello Anna-Lisa,

If the online scan runs too long,
and you can't find how to exclude some folders (video, photos, ...) or non-system drives (scanning the C: drive is the main priority) from the scan,
then please proceed with running ComboFix. :thumbsup:

Greetings,
Thunder

#5 Anna Equus (Topic Starter; Members, 15 posts)

Posted 23 January 2009 - 09:15 PM

OK, I was able to run it on Critical Areas, and this is what I got.

I am trying to follow the ComboFix directions, but the ComboFix HTTP says unavailable.

Anna-Lisa



--------------------------------------------------------------------------------


KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 23, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 23, 2009 17:01:56
Records in database: 1675780
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Anna-Lisa Tonge'\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 73756
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:51:42


File name / Threat name / Threats count
C:\WINDOWS\system32\wdmaud.sys Infected: Rootkit.Win32.Agent.fwt 1

The selected area was scanned.

#6 Thunder (Members, 3,294 posts; Gender: Male; Location: Belgium)

Posted 24 January 2009 - 04:11 PM

Hello Anna-Lisa,

There was a typo in the ComboFix link, sorry about that.
The link is corrected now,
and running ComboFix should take care of most of your problems.
Once you've posted the log, we'll take a look if anything is left behind. :thumbsup:

Greetings,
Thunder

#7 Anna Equus (Topic Starter; Members, 15 posts)

Posted 25 January 2009 - 08:57 PM

I love ComboFix!!!! :thumbsup:


ComboFix 09-01-21.04 - Anna-Lisa Tonge' 2009-01-23 19:41:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.121 [GMT -7:00]
Running from: c:\documents and settings\Anna-Lisa Tonge'\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\setup.exe
c:\windows\emMON.exe
c:\windows\system32\wdmaud.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-18 20:08 . 2009-01-18 20:08 <DIR> d-------- c:\windows\system32\N360_BACKUP
2009-01-06 22:16 . 2009-01-06 22:16 <DIR> d-------- c:\documents and settings\Anna-Lisa Tonge'\Application Data\Malwarebytes
2009-01-06 22:16 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 22:15 . 2009-01-07 05:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 22:15 . 2009-01-06 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 22:15 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 10:01 . 2009-01-06 10:06 <DIR> d-------- C:\Lop SD
2009-01-04 08:50 . 2009-01-04 08:50 <DIR> d-------- C:\N360_BACKUP
2009-01-03 06:49 . 2009-01-03 06:49 <DIR> d-------- c:\program files\Lavasoft
2009-01-03 00:17 . 2009-01-03 00:17 <DIR> d-------- c:\windows\system32\scripting
2009-01-03 00:17 . 2009-01-03 00:17 <DIR> d-------- c:\windows\system32\en
2009-01-03 00:17 . 2009-01-03 00:17 <DIR> d-------- c:\windows\system32\bits
2009-01-03 00:17 . 2009-01-03 00:17 <DIR> d-------- c:\windows\l2schemas
2009-01-03 00:10 . 2009-01-03 00:18 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-02 09:24 . 2009-01-02 09:21 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-02 08:58 . 2009-01-02 08:58 <DIR> d-------- c:\program files\Windows Sidebar
2009-01-02 08:53 . 2009-01-10 04:23 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-02 08:53 . 2009-01-10 04:23 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-01-02 08:53 . 2009-01-10 04:23 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-02 08:53 . 2009-01-10 04:23 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-01-02 08:52 . 2009-01-10 04:23 <DIR> d-------- c:\program files\Symantec
2009-01-02 08:52 . 2009-01-17 21:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 02:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-14 23:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-03 10:07 --------- d-----w c:\program files\Norton 360
2009-01-03 02:00 --------- d-----w c:\program files\Windows Live Toolbar
2009-01-03 01:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-03 01:39 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-03 01:32 --------- d-----w c:\program files\Apple Software Update
2009-01-02 16:19 --------- d-----w c:\program files\Java
2009-01-02 14:56 --------- d-----w c:\documents and settings\Anna-Lisa Tonge'\Application Data\Symantec
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2008-12-11 10:03 --------- d-----w c:\program files\Office10
2008-08-22 17:43 289,504 ----a-w c:\documents and settings\Anna-Lisa Tonge'\Application Data\GDIPFONTCACHEV1.DAT
1999-05-01 00:00 98,304 ----a-w c:\program files\internet explorer\plugins\UPjpeg.dll
2006-11-10 20:26 56 -csh--r c:\windows\system32\F6EF0470C8.sys
2007-08-02 13:11 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"RestoreIT!"="c:\program files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" [2006-08-22 118784]
"Guard"="c:\program files\Phoenix Technologies\cME\Guard\Guard.exe" [2006-08-22 573440]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"QUICKCARE"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2006-11-07 192512]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-17 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SMSERIAL"="sm56hlpr.exe" [2005-11-10 c:\windows\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Gigabyte Wireless Utility.lnk - c:\program files\Gigabyte\Gigabyte WB01GS & WI05GS mini Adapter\Installer\WINXP\GNConfig.exe [2006-11-08 720896]
Microsoft Office.lnk - c:\program files\Office10\OSA.EXE [2001-02-13 83360]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
"aux2"= wdmaud.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SkyTel"=SkyTel.EXE
"Alcmtr"=ALCMTR.EXE
"Ulead Photo Express Calendar Checker"=c:\program files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe"
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\pvsw\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Gigabyte\\Gigabyte WB01GS & WI05GS mini Adapter\\Installer\\WINXP\\GNConfig.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\1163097086\\ee\\aolsoftware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-01-05 34144]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-01-05 28800]
R0 ptpd;Disk Filter Driver;c:\windows\system32\drivers\ptpd.sys [2006-11-10 7680]
R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-11-10 43512]
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2007-02-20 183154]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-02 99376]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
R3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [2006-11-10 44544]
R4 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2006-11-10 7412]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
R4 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2006-11-10 2304]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-11-08 14336]
R4 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2006-11-09 8192]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d073e48-901a-11db-a13d-806d6172696f}]
\Shell\AutoRun\command - C:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7426675d-6f1e-11db-b368-806d6172696f}]
\Shell\AutoRun\command - C:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart\RegistrySmart.exe []

2009-01-23 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\Office10\EXCEL.EXE/3000
Trusted Zone: asu.edu\myasucourses
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 19:44:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1211017097-2831002321-1924606539-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,e1,d2,b8,f1,de,
27,a6,08,e2,63,26,f1,3f,c8,ff,68,a2,e4,68,26,80,19,ec,a8,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,c3,5d,5d,32,5f,
c0,f1,a2,6a,9c,d6,61,af,45,84,18,24,c0,c1,2a,44,64,f3,74,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,79,b5,fd,fd,33,
13,b3,5b,ff,7c,85,e0,43,d4,0e,fe,fa,15,8a,1c,80,67,c1,bd,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,41,51,b7,84,2b,
6a,ad,b4,86,8c,21,01,be,91,eb,e7,24,ba,16,c0,fc,bc,d6,3f,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ad,d7,ad,ff,1d,
00,87,f7,f5,1d,4d,73,a8,13,5c,05,8c,a3,77,a6,ad,a7,78,ae,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,2d,05,24,09,82,
6f,39,55,df,20,58,62,78,6b,cf,c8,d4,b8,4e,c6,10,e8,0d,b7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,16,3e,04,a7,60,
27,e4,72,fb,a7,78,e6,12,2f,9a,ea,ba,c0,de,7f,15,47,2a,3c,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,26,de,5c,34,a1,
81,45,bd,01,3a,48,fc,e8,04,4a,f1,d1,2e,ef,a3,6b,79,6d,79,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,0a,1d,ad,11,ae,
ac,80,97,f6,0f,4e,58,98,5b,89,c9,db,e5,9f,e5,ac,cf,07,3a,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,89,00,32,a9,91,
3e,4b,91,3d,ce,ea,26,2d,45,aa,78,87,89,a2,68,68,e0,bf,d4,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,a6,98,ac,e9,c3,
2d,fa,ce,2a,b7,cc,b5,b9,7f,41,e7,aa,ce,0c,f8,32,e5,e8,01,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,e0,68,38,c5,22,
17,d9,5a,6c,43,2d,1e,aa,22,2f,9c,a0,a8,5b,20,28,8e,59,f0,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-23 19:49:32
ComboFix-quarantined-files.txt 2009-01-24 02:49:18

Pre-Run: 22,558,269,440 bytes free
Post-Run: 22,731,386,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

263 --- E O F --- 2009-01-15 10:04:11

#8 Anna Equus (Topic Starter, Members, 15 posts)

Posted 25 January 2009 - 09:01 PM

What are these? "Apartment"?

From the Combo log?
Anna

[HKEY_USERS\S-1-5-21-1211017097-2831002321-1924606539-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,e1,d2,b8,f1,de,
27,a6,08,e2,63,26,f1,3f,c8,ff,68,a2,e4,68,26,80,19,ec,a8,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,c3,5d,5d,32,5f,
c0,f1,a2,6a,9c,d6,61,af,45,84,18,24,c0,c1,2a,44,64,f3,74,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,79,b5,fd,fd,33,
13,b3,5b,ff,7c,85,e0,43,d4,0e,fe,fa,15,8a,1c,80,67,c1,bd,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,41,51,b7,84,2b,
6a,ad,b4,86,8c,21,01,be,91,eb,e7,24,ba,16,c0,fc,bc,d6,3f,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ad,d7,ad,ff,1d,
00,87,f7,f5,1d,4d,73,a8,13,5c,05,8c,a3,77,a6,ad,a7,78,ae,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,2d,05,24,09,82,
6f,39,55,df,20,58,62,78,6b,cf,c8,d4,b8,4e,c6,10,e8,0d,b7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,16,3e,04,a7,60,
27,e4,72,fb,a7,78,e6,12,2f,9a,ea,ba,c0,de,7f,15,47,2a,3c,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,26,de,5c,34,a1,
81,45,bd,01,3a,48,fc,e8,04,4a,f1,d1,2e,ef,a3,6b,79,6d,79,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,0a,1d,ad,11,ae,
ac,80,97,f6,0f,4e,58,98,5b,89,c9,db,e5,9f,e5,ac,cf,07,3a,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,89,00,32,a9,91,
3e,4b,91,3d,ce,ea,26,2d,45,aa,78,87,89,a2,68,68,e0,bf,d4,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,a6,98,ac,e9,c3,
2d,fa,ce,2a,b7,cc,b5,b9,7f,41,e7,aa,ce,0c,f8,32,e5,e8,01,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,e0,68,38,c5,22,
17,d9,5a,6c,43,2d,1e,aa,22,2f,9c,a0,a8,5b,20,28,8e,59,f0,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

#9 Thunder (Members, 3,294 posts, Belgium)

Posted 26 January 2009 - 11:08 AM

Hello Anna,

The "apartments" mentioned in the registry readout have nothing to do with housing terminology.
Here's some (rather technical) info on the term: http://www.codeguru.com/cpp/com-tech/activ...ticle.php/c5529
And don't worry, there's nothing wrong with those registry keys.

Let's clean up some more.

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the text below into an empty Notepad window:

File::
c:\windows\system32\F6EF0470C8.sys
C:\setup.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d073e48-901a-11db-a13d-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7426675d-6f1e-11db-b368-806d6172696f}]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh DDS log.

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#10 Anna Equus (Topic Starter, Members, 15 posts)

Posted 29 January 2009 - 11:28 AM

Thunder, thank you for your help.

My laptop is getting better. My mouse is still wild sometimes, but the redirection of the websites is gone so far.

1. Internet Explorer will open to the Microsoft page instead of the MSN.com home page. Kinda weird...

2. Internet Explorer will also freeze at times, and Task Manager shows 190,000K mem usage and I only have one window open.

3. What are the network and local services that I have on my computer? They seem to take big memory jumps as well.

4. Too many startup items.

Blah blah blah...

Here is the fresh log.





ComboFix 09-01-21.04 - Anna-Lisa Tonge' 2009-01-29 8:41:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.129 [GMT -7:00]
Running from: c:\documents and settings\Anna-Lisa Tonge'\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Anna-Lisa Tonge'\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*
* Created a new restore point

FILE ::
C:\setup.exe
c:\windows\system32\F6EF0470C8.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\F6EF0470C8.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-29 05:41 . 2008-02-03 20:20 <DIR> d-------- C:\Do
2009-01-18 20:08 . 2009-01-18 20:08 <DIR> d-------- c:\windows\system32\N360_BACKUP
2009-01-06 22:16 . 2009-01-06 22:16 <DIR> d-------- c:\documents and settings\Anna-Lisa Tonge'\Application Data\Malwarebytes
2009-01-06 22:16 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 22:15 . 2009-01-07 05:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 22:15 . 2009-01-06 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 22:15 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 10:01 . 2009-01-06 10:06 <DIR> d-------- C:\Lop SD
2009-01-04 08:50 . 2009-01-04 08:50 <DIR> d-------- C:\N360_BACKUP
2009-01-03 06:49 . 2009-01-03 06:49 <DIR> d-------- c:\program files\Lavasoft
2009-01-03 00:17 . 2009-01-03 00:17 <DIR> d-------- c:\windows\system32\scripting
2009-01-03 00:17 . 2009-01-03 00:17 <DIR> d-------- c:\windows\system32\en
2009-01-03 00:17 . 2009-01-03 00:17 <DIR> d-------- c:\windows\system32\bits
2009-01-03 00:17 . 2009-01-03 00:17 <DIR> d-------- c:\windows\l2schemas
2009-01-03 00:10 . 2009-01-03 00:18 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-02 09:24 . 2009-01-02 09:21 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-02 08:58 . 2009-01-02 08:58 <DIR> d-------- c:\program files\Windows Sidebar
2009-01-02 08:53 . 2009-01-10 04:23 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-02 08:53 . 2009-01-10 04:23 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-01-02 08:53 . 2009-01-10 04:23 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-02 08:53 . 2009-01-10 04:23 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-01-02 08:52 . 2009-01-10 04:23 <DIR> d-------- c:\program files\Symantec
2009-01-02 08:52 . 2009-01-17 21:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 15:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-14 23:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-03 10:07 --------- d-----w c:\program files\Norton 360
2009-01-03 02:00 --------- d-----w c:\program files\Windows Live Toolbar
2009-01-03 01:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-03 01:39 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-03 01:32 --------- d-----w c:\program files\Apple Software Update
2009-01-02 16:19 --------- d-----w c:\program files\Java
2009-01-02 14:56 --------- d-----w c:\documents and settings\Anna-Lisa Tonge'\Application Data\Symantec
2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
2008-12-11 10:03 --------- d-----w c:\program files\Office10
2008-08-22 17:43 289,504 ----a-w c:\documents and settings\Anna-Lisa Tonge'\Application Data\GDIPFONTCACHEV1.DAT
1999-05-01 00:00 98,304 ----a-w c:\program files\internet explorer\plugins\UPjpeg.dll
2007-08-02 13:11 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-23_19.46.54.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-28 12:09:01 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_124.dat
+ 2009-01-28 12:09:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_fc.dat
+ 2009-01-29 15:30:55 524,288 ----a-w c:\windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"RestoreIT!"="c:\program files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" [2006-08-22 118784]
"Guard"="c:\program files\Phoenix Technologies\cME\Guard\Guard.exe" [2006-08-22 573440]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"QUICKCARE"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2006-11-07 192512]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-17 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SMSERIAL"="sm56hlpr.exe" [2005-11-10 c:\windows\sm56hlpr.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Gigabyte Wireless Utility.lnk - c:\program files\Gigabyte\Gigabyte WB01GS & WI05GS mini Adapter\Installer\WINXP\GNConfig.exe [2006-11-08 720896]
Microsoft Office.lnk - c:\program files\Office10\OSA.EXE [2001-02-13 83360]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SkyTel"=SkyTel.EXE
"Alcmtr"=ALCMTR.EXE
"Ulead Photo Express Calendar Checker"=c:\program files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe"
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\pvsw\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Gigabyte\\Gigabyte WB01GS & WI05GS mini Adapter\\Installer\\WINXP\\GNConfig.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\1163097086\\ee\\aolsoftware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-01-05 34144]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-01-05 28800]
R0 ptpd;Disk Filter Driver;c:\windows\system32\drivers\ptpd.sys [2006-11-10 7680]
R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-11-10 43512]
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2007-02-20 183154]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-02 99376]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
R3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [2006-11-10 44544]
R4 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2006-11-10 7412]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
R4 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2006-11-10 2304]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-11-08 14336]
R4 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2006-11-09 8192]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - Symantec Core LC
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart\RegistrySmart.exe []

2009-01-23 c:\windows\Tasks\RegistrySmart Scheduled Scan.job
- c:\program files\RegistrySmart []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\Office10\EXCEL.EXE/3000
Trusted Zone: asu.edu\myasucourses
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 08:45:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1211017097-2831002321-1924606539-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,e1,d2,b8,f1,de,
27,a6,08,e2,63,26,f1,3f,c8,ff,68,a2,e4,68,26,80,19,ec,a8,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,c3,5d,5d,32,5f,
c0,f1,a2,6a,9c,d6,61,af,45,84,18,24,c0,c1,2a,44,64,f3,74,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,79,b5,fd,fd,33,
13,b3,5b,ff,7c,85,e0,43,d4,0e,fe,fa,15,8a,1c,80,67,c1,bd,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,41,51,b7,84,2b,
6a,ad,b4,86,8c,21,01,be,91,eb,e7,24,ba,16,c0,fc,bc,d6,3f,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ad,d7,ad,ff,1d,
00,87,f7,f5,1d,4d,73,a8,13,5c,05,8c,a3,77,a6,ad,a7,78,ae,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,2d,05,24,09,82,
6f,39,55,df,20,58,62,78,6b,cf,c8,d4,b8,4e,c6,10,e8,0d,b7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,16,3e,04,a7,60,
27,e4,72,fb,a7,78,e6,12,2f,9a,ea,ba,c0,de,7f,15,47,2a,3c,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,26,de,5c,34,a1,
81,45,bd,01,3a,48,fc,e8,04,4a,f1,d1,2e,ef,a3,6b,79,6d,79,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,0a,1d,ad,11,ae,
ac,80,97,f6,0f,4e,58,98,5b,89,c9,db,e5,9f,e5,ac,cf,07,3a,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,89,00,32,a9,91,
3e,4b,91,3d,ce,ea,26,2d,45,aa,78,87,89,a2,68,68,e0,bf,d4,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,a6,98,ac,e9,c3,
2d,fa,ce,2a,b7,cc,b5,b9,7f,41,e7,aa,ce,0c,f8,32,e5,e8,01,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,e0,68,38,c5,22,
17,d9,5a,6c,43,2d,1e,aa,22,2f,9c,a0,a8,5b,20,28,8e,59,f0,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-29 8:50:14
ComboFix-quarantined-files.txt 2009-01-29 15:49:22
ComboFix2.txt 2009-01-24 02:49:34

Pre-Run: 22,593,163,264 bytes free
Post-Run: 22,653,546,496 bytes free

281 --- E O F --- 2009-01-15 10:04:11

#11 Thunder (Members, 3,294 posts, Belgium)

Posted 29 January 2009 - 01:16 PM

Hello Anna,

Network and local services are, so to speak, the engines behind your applications.
Do not tamper with them unless you know perfectly well what you're doing.

Using Msconfig, however, you can remove these processes from the startup list:
sm56hlpr.exe
BrStDvPt.exe
sprtcmd.exe
IndexSearch.exe
brctrcen.exe
BrMfcWnd.exe
realsched.exe
qttask.exe
They do not need to start up with Windows, but can be started whenever needed.

Please keep in mind that Norton/Symantec security packs can be, at times and for somewhat older systems, a real resource drain.
Sometimes it pays off to choose a less demanding security solution.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer.
  • Go to Control Panel > Internet Options > General tab.
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history.
  • Click Close below.
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle Bin:
  • Go to Start > Run, type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then, you can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Running smoother now?

Greetings,
Thunder

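Both the ComboFix log in post #10 and the msconfig advice in post #11 come down to reading the "Reg Loading Points" section of a ComboFix log by hand. The script below is an added example for this thread; it is not ComboFix, BleepingComputer, Symantec or either poster's code. It parses a constructed log excerpt written in the same layout as the posted one (the entries are copied from that log's format, not from a new run), maps the executables Thunder listed back to the Run-key value names they are registered under, and also applies the two other checks a reviewer of such a log makes: whether the Windows Firewall standard profile is disabled and which ports it has globally opened, and whether any drive letter under Explorer's MountPoints2 key still carries an AutoRun command. The regular expressions and key-name suffixes are assumptions about ComboFix's output layout inferred from the log above, not documented ComboFix behaviour.

```python
"""Triage helpers for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix, BleepingComputer or Symantec
code. It parses the registry-style dump ComboFix prints and runs the three
checks a reviewer of the log in post #10 would do by hand:
  * which enabled Run-key entries are the optional startup items Thunder listed,
  * whether the Windows Firewall standard profile is off and which ports it
    has globally opened,
  * whether any drive letter under MountPoints2 carries an AutoRun command.
The regexes and key suffixes are assumptions inferred from the posted log.
"""
import re

# Constructed sample in the format of the posted log (trimmed, not a real run).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"QUICKCARE"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2006-11-07 192512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-17 185896]
"SMSERIAL"="sm56hlpr.exe" [2005-11-10 c:\windows\sm56hlpr.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\setup.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')       # "Name"=value ...
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.+)$")
EXE_RE = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)  # last path component ending in .exe

# Executables Thunder said can be unticked in msconfig (post #11), lower-cased.
OPTIONAL_STARTUP = {
    "sm56hlpr.exe", "brstdvpt.exe", "sprtcmd.exe", "indexsearch.exe",
    "brctrcen.exe", "brmfcwnd.exe", "realsched.exe", "qttask.exe",
}


def parse_sections(log_text):
    """Return {registry key: [(value name, raw value), ...]} from a ComboFix dump.

    Lines that are neither a [key] header nor a value under the current key
    (ComboFix's '.' separators, banners, file listings) are ignored.
    """
    sections = {}
    current = None
    for line in log_text.splitlines():
        line = line.rstrip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or not line:
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            sections[current].append((value_match.group(1), value_match.group(2)))
            continue
        autorun_match = AUTORUN_RE.match(line)
        if autorun_match:
            sections[current].append(("AutoRun\\command", autorun_match.group(1)))
    return sections


def optional_startup_items(sections):
    """List (value name, exe) for enabled Run entries that are on the optional list.

    Only keys ending in \\CurrentVersion\\Run count; ComboFix's 'run-' keys hold
    entries that are already disabled, so they are skipped.
    """
    found = []
    for key, values in sections.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, raw in values:
            exe_match = EXE_RE.search(raw)
            if exe_match and exe_match.group(1).lower() in OPTIONAL_STARTUP:
                found.append((name, exe_match.group(1).lower()))
    return found


def firewall_findings(sections):
    """Flag a disabled standard-profile Windows Firewall and any globally open ports."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith("\\firewallpolicy\\standardprofile"):
            for name, raw in values:
                if name == "EnableFirewall" and raw.strip().startswith("0"):
                    findings.append("Windows Firewall standard profile is disabled")
        elif k.endswith("\\globallyopenports\\list"):
            for name, _raw in values:
                findings.append("Globally open port: " + name)
    return findings


def autorun_findings(sections):
    """Return (drive, command) for every MountPoints2 drive that has an AutoRun command."""
    findings = []
    for key, values in sections.items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        drive = key.rsplit("\\", 1)[-1]
        for name, raw in values:
            if name == "AutoRun\\command":
                findings.append((drive, raw.strip()))
    return findings


def triage(log_text):
    """Run all three checks and return the findings as report lines."""
    sections = parse_sections(log_text)
    lines = []
    for name, exe in optional_startup_items(sections):
        lines.append(f"Optional startup item: {name} -> {exe}")
    lines.extend(firewall_findings(sections))
    for drive, command in autorun_findings(sections):
        lines.append(f"AutoRun command on drive {drive}: {command}")
    return lines


if __name__ == "__main__":
    for report_line in triage(SAMPLE_LOG):
        print(report_line)
```

Run against the posted log rather than the sample, the script reports the same four optional startup entries plus ccApp-style entries it leaves alone, the disabled standard profile (expected while a third-party firewall is registered, and ComboFix itself disables Norton during its run), the 3389/TCP opening, and the AutoRun command on drive C: that still points at C:\setup.exe, the file the CFScript in post #9 removed. The point of flagging these is not that each is malicious, but that a reviewer should be able to explain every one of them before calling the machine clean.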
#12 Anna Equus (Topic Starter, Members, 15 posts)

Posted 02 February 2009 - 10:33 PM

Thanks Thunder. This has been great! My system is much better and I am very happy that you helped.

Anna-Lisa

#13 Thunder (Members, 3,294 posts, Belgium)

Posted 03 February 2009 - 04:16 AM

Glad we could help, Anna-Lisa.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



