please help - please review


I believe I have a virus

I have tried to run numerous programs, but have been unsuccessful in getting them to run.

I had to rename HijackThis for it to run. Log below.

Unsuccessful - will not run:

Spybot

Malwarebytes' Anti-Malware

HijackThis LOG -

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:16:15 AM, on 2009-03-10

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

H:\VIRUS\HJTInstall.exe

H:\VIRUS\HJTInstall.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0ca94ca7-e92c-4601-9247-0d2cd3cef8f6} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {d1bdd88d-f1fa-40d8-995b-e1ea32295682} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /nosplash

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')

O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224676719937

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: c:\windows\system32\yiyidaju.dll c:\windows\system32\goveyudi.dll njkjft.dll

O20 - Winlogon Notify: rqRjJyyx - rqRjJyyx.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\SYSTEM32\astsrv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O24 - Desktop Component 1: (no name) - (no file)

--

End of file - 5417 bytes


LOG -----------

AVZ Antiviral Toolkit log; AVZ version is 4.30

Scanning started at 2009-03-10 12:13:24 AM

Database loaded: signatures - 213646, NN profile(s) - 2, microprograms of healing - 56, signature database released 09.03.2009 22:51

Heuristic microprograms loaded: 372

SPV microprograms loaded: 9

Digital signatures of system files loaded: 100531

Heuristic analyzer mode: Medium heuristics level

Healing mode: enabled

Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights

System Restore: enabled

1. Searching for Rootkits and programs intercepting API functions

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Analysis: ntdll.dll, export table found in section .text

Function ntdll.dll:LdrGetProcedureAddress (65) intercepted, method ProcAddressHijack.GetProcAddress ->7C919B88->144ECF

Function ntdll.dll:LdrLoadDll (70) intercepted, method ProcAddressHijack.GetProcAddress ->7C9161CA->144F34

Function ntdll.dll:LdrUnloadDll (80) intercepted, method APICodeHijack.JmpTo[00E40000]

Function ntdll.dll:NtCreateThread (140) intercepted, method ProcAddressHijack.GetProcAddress ->7C90D7D2->144E9D

Function ntdll.dll:NtQueryDirectoryFile (234) intercepted, method ProcAddressHijack.GetProcAddress ->7C90DF5E->144FE8

Analysis: user32.dll, export table found in section .text

Function user32.dll:GetClipboardData (258) intercepted, method ProcAddressHijack.GetProcAddress ->7E430D7A->1452A1

Function user32.dll:TranslateMessage (683) intercepted, method ProcAddressHijack.GetProcAddress ->7E418BF6->145556

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Function ws2_32.dll:WSASend (76) intercepted, method ProcAddressHijack.GetProcAddress ->71AB6233->14C998

Function ws2_32.dll:WSASendTo (78) intercepted, method ProcAddressHijack.GetProcAddress ->71AC0A95->14C980

Function ws2_32.dll:closesocket (3) intercepted, method ProcAddressHijack.GetProcAddress ->71AB9639->14C971

Function ws2_32.dll:send (19) intercepted, method ProcAddressHijack.GetProcAddress ->71AB428A->14C9F8

Function ws2_32.dll:sendto (20) intercepted, method ProcAddressHijack.GetProcAddress ->71AB2C69->14C9C8

Analysis: wininet.dll, export table found in section .text

Function wininet.dll:HttpQueryInfoA (206) intercepted, method ProcAddressHijack.GetProcAddress ->78060C6D->14B804

Function wininet.dll:HttpQueryInfoW (207) intercepted, method ProcAddressHijack.GetProcAddress ->78067E4E->14B854

Function wininet.dll:HttpSendRequestA (208) intercepted, method ProcAddressHijack.GetProcAddress ->7806CD40->14C39C

Function wininet.dll:HttpSendRequestExA (209) intercepted, method ProcAddressHijack.GetProcAddress ->780CD3CE->14C47A

Function wininet.dll:HttpSendRequestExW (210) intercepted, method ProcAddressHijack.GetProcAddress ->78073532->14C45D

Function wininet.dll:HttpSendRequestW (211) intercepted, method ProcAddressHijack.GetProcAddress ->78080825->14C37F

Function wininet.dll:InternetCloseHandle (224) intercepted, method ProcAddressHijack.GetProcAddress ->7805DA59->14BC76

Function wininet.dll:InternetQueryDataAvailable (272) intercepted, method ProcAddressHijack.GetProcAddress ->7806ADF5->14BE0F

Function wininet.dll:InternetReadFile (276) intercepted, method ProcAddressHijack.GetProcAddress ->7806ABB4->14BDB6

Function wininet.dll:InternetReadFileExA (277) intercepted, method ProcAddressHijack.GetProcAddress ->78082AE2->14BDF1

Function wininet.dll:InternetReadFileExW (278) intercepted, method ProcAddressHijack.GetProcAddress ->78082AAA->14BDD3

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.4 Searching for masking processes and drivers

Searching for masking processes and drivers - complete

Driver loaded successfully

1.5 Checking of IRP handlers

Checking - complete

2. Scanning memory

Number of processes found: 29

Number of modules loaded: 288

Scanning memory - complete

3. Scanning disks

4. Checking Winsock Layered Service Provider (SPI/LSP)

LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

\\?\globalroot\systemroot\system32\UACqquxiuxn.dll --> Suspicion for Keylogger or Trojan DLL

\\?\globalroot\systemroot\system32\UACqquxiuxn.dll>>> Behavioural analysis

Behaviour typical for keyloggers not detected

Quarantine file: failed (error), attempt of direct disk reading (\\?\globalroot\systemroot\system32\UACqquxiuxn.dll)

Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs

6. Searching for opened TCP/UDP ports used by malicious programs

Checking disabled by user

7. Heuristic system check

Latent loading of libraries through AppInit_DLLs suspected: "c:\windows\system32\yiyidaju.dll c:\windows\system32\goveyudi.dll njkjft.dll"

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: TermService (Terminal Services)

>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)

>> Services: potentially dangerous service allowed: TlntSvr (Telnet)

>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)

>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)

>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

Checking - complete

9. Troubleshooting wizard

Checking - complete

Files scanned: 317, extracted from archives: 0, malicious software found 0, suspicions - 0

Scanning finished at 2009-03-10 12:13:43 AM

Time of scanning: 00:00:20

If you have a suspicion on presence of viruses or questions on the suspected objects,


ComboFix 09-03-06.02 - King 2009-03-10 1:52:03.1 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2526.2248 [GMT -4:00]

Running from: c:\documents and settings\King.MASTER\Desktop\ComboFix2.exe

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\system32\asolatoh.ini

c:\windows\system32\CMVwaJjl.ini

c:\windows\system32\drivers\UACisimvxke.sys

c:\windows\system32\gqcdxadn.dll

c:\windows\system32\ibobeliz.ini

c:\windows\system32\kmd.exe

c:\windows\system32\lydnaoen.dll

c:\windows\system32\twain32

c:\windows\system32\twain32\local.ds

c:\windows\system32\twain32\user.ds

c:\windows\system32\twex.exe

c:\windows\system32\UACdbipvxwo.dll

c:\windows\system32\UACeewipjlk.log

c:\windows\system32\UACerfldyvi.log

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjimlysdf.dat

c:\windows\system32\UACnycyeyik.dll

c:\windows\system32\UACqlokrgbo.log

c:\windows\system32\UACqquxiuxn.dll

c:\windows\system32\UACrornoaal.dll

c:\windows\system32\UACsr.dat

c:\windows\system32\ufigivas.ini

c:\windows\system32\uvasahed.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_OREANS32

-------\Service_oreans32

((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))

.

2009-03-10 00:13 . 2009-03-10 00:13 11,264 --a------ c:\windows\system32\drivers\uzy3nzy2.sys

2009-03-09 15:19 . 2009-03-09 15:19 <DIR> d-------- C:\VundoFix Backups

2009-03-02 07:17 . 2009-03-02 07:17 <DIR> d-------- c:\windows\ERUNT

2009-02-28 14:36 . 2009-02-28 14:36 81,408 --a------ c:\windows\system32\UACevdcikuo.dll

2009-02-25 21:14 . 2009-02-25 21:14 <DIR> d-------- c:\program files\FileZilla FTP Client

2009-02-22 03:30 . 2009-02-22 03:30 <DIR> d-------- c:\windows\Nextgen Server Client

2009-02-22 03:30 . 2009-02-22 03:30 <DIR> d-------- c:\program files\jic technology

2009-02-22 03:30 . 2009-02-22 03:30 33,952 --a------ c:\windows\system32\drivers\oreans32.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-10 03:55 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-10 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-09 23:16 --------- d-----w c:\program files\Mozilla Thunderbird

2009-03-09 23:03 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-09 18:48 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI

2009-03-09 18:00 --------- d-----w c:\documents and settings\King.MASTER\Application Data\FileZilla

2009-03-01 17:09 --------- d-----w c:\program files\Google

2009-02-28 18:36 --------- d-----w c:\documents and settings\King.MASTER\Application Data\Azureus

2009-02-18 21:41 --------- d-----w c:\documents and settings\King.MASTER\Application Data\gtk-2.0

2009-02-03 05:40 --------- d-----w c:\documents and settings\King.MASTER\Application Data\dvdcss

2009-01-24 07:20 --------- d-----w c:\program files\Common Files\Adobe

2009-01-19 03:55 --------- d-----w c:\documents and settings\King.MASTER\Application Data\Safer Networking

2009-01-17 08:32 --------- d-----w c:\documents and settings\King.MASTER\Application Data\R-Wipe&Clean

2009-01-12 12:39 --------- d-----w c:\program files\Affiliate Elite

2009-01-12 12:36 --------- d-----w c:\program files\ClickbankElite

2009-01-12 11:28 --------- d-----w c:\program files\FileZilla FTP Client(2)

2009-01-12 11:28 --------- d-----w c:\documents and settings\All Users\Application Data\R-Wipe&Clean

2009-01-12 11:27 --------- d-----w c:\program files\CCleaner

2007-03-07 00:49 774,144 ------w c:\program files\RngInterstitial.dll

2005-09-10 00:55 35 ------w c:\program files\SCSSDist.ini

2007-01-23 19:07 1,847,296 -c----w c:\program files\mozilla firefox\plugins\Seadragon.dll

2008-09-30 00:20 71,680 --sha-w c:\windows\system32\yonetaso.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-02-03 430080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R1 uzy3nzy2;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzy3nzy2.sys [2009-03-10 11264]

S2 trackcam;TrackerCam Video Capture Driver;c:\windows\system32\drivers\trackcam.sys [2008-01-13 70060]

.

Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-01 c:\windows\Tasks\GBM - New Backup Job 01-Full.job

- c:\program files\Genie-Soft\GBMPro8\GBM8.exe []

2009-03-04 c:\windows\Tasks\GBM - New Backup Job-Full.job

- c:\program files\Genie-Soft\GBMPro8\GBM8.exe []

2009-03-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe []

2009-03-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-412668190-682003330-1003.job

- c:\documents and settings\King.MASTER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []

2009-03-10 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-06-09 16:45]

2009-02-26 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-06-09 16:45]

2009-03-09 c:\windows\Tasks\User_Feed_Synchronization-{7C95983F-C6C4-464F-AAC5-10A68EABFE8A}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 19:36]

.

- - - - ORPHANS REMOVED - - - -

Notify-rqRjJyyx - rqRjJyyx.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

FF - ProfilePath - c:\documents and settings\King.MASTER\Application Data\Mozilla\Firefox\Profiles\iucdzqle.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\nppsynth.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-10 01:57:46

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417001333-412668190-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,a6,da,21,85,5b,

c5,57,08,e2,63,26,f1,3f,c8,ff,68,23,f1,76,2b,c3,85,71,61,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,81,ca,e1,a5,06,

0e,10,2b,6a,9c,d6,61,af,45,84,18,6b,5c,71,98,5b,e8,41,57,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,e6,3a,ed,10,fc,

b7,1b,ee,ff,7c,85,e0,43,d4,0e,fe,55,99,d4,69,ca,07,1c,26,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,12,7f,aa,64,35,

aa,54,44,86,8c,21,01,be,91,eb,e7,ee,34,0e,91,53,78,ce,f5,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,03,99,0c,84,57,

c5,20,32,f5,1d,4d,73,a8,13,5c,05,96,ee,f3,a7,0a,8d,e0,29,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,5e,ce,fa,69,f4,

99,7f,aa,df,20,58,62,78,6b,cf,c8,d6,57,b9,c8,8c,80,7d,89,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,18,2a,8b,c5,33,

3a,73,8f,fb,a7,78,e6,12,2f,9a,ea,11,a1,16,e2,5f,1a,eb,1e,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,3f,21,dc,7f,61,

4b,be,6c,01,3a,48,fc,e8,04,4a,f1,00,02,f6,4d,8f,2b,3d,6d,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,e1,48,89,cf,48,

e4,0b,48,f6,0f,4e,58,98,5b,89,c9,cd,31,36,41,22,a9,cf,d1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,a5,8a,e5,29,62,

0a,3b,8f,3d,ce,ea,26,2d,45,aa,78,c4,43,86,e8,0c,b1,d7,fa,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,57,af,c6,36,bc,

75,5c,27,2a,b7,cc,b5,b9,7f,41,e7,98,6e,c4,cc,8b,62,cf,c5,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,c1,f6,b8,25,ce,

a6,d9,fb,6c,43,2d,1e,aa,22,2f,9c,59,8e,d1,ab,b0,65,4c,da,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]


.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

.

**************************************************************************

.

Completion time: 2009-03-10 2:00:51 - machine was rebooted [King]

ComboFix-quarantined-files.txt 2009-03-10 06:00:49

Pre-Run: 10,965,127,168 bytes free

Post-Run: 10,863,206,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /noexecute=optin

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Windows XP/2003"

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

230 --- E O F --- 2009-03-01 20:07:42


  • Root Admin

Hello gumgone, and welcome to Malwarebytes.

Just so that others are aware when they come by and read your post, I want everyone to be aware that all of these Malware removal sites are supported by VOLUNTEERS, and many volunteers WILL NOT help you when they see that you've run these tools on your own, as they can damage the system and make a mess, and typically they don't want to have to clean up after both the Malware mess and your mess.

For those reading this post: DO NOT run other scanning tools in desperation. Post a request for help and someone will assist you much faster than when they come by and read a post where someone has been running amok on the system with scanning/cleaning tools.

Okay... It's quite late and I have many other posts to review that came before you. So I will help you, but it will have to probably be some time tomorrow.

Thanks.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
