Windows explorer / Dr Watson Repeat Crashes / High cpu - Pushow97.dll


  • This topic is locked

#1
andyds
  • Member
  • 14 posts
Hello, my name is Andy.

I recently read a topic posted by Yamalow which was successfully sorted by Heir (a true genius).
My problem is quite similar: Windows Explorer crashes every few seconds, followed occasionally by Dr Watson with a really high CPU load (as high as 90+%). I've noticed a couple of Adware.MediaAccess notifications when I have scanned with numerous different spyware and antivirus scanners.
The PC itself is used for music and is therefore not connected directly to the internet, but I have been naughty and downloaded a few VSTi programs over the years. :)

I also admit that before taking the time to write this I stupidly tried the basics of what was said in the response to Yamalow (i.e. the OTListIt, Lop SD and Malwarebytes scans), but unfortunately it didn't make any difference, as the Windows Explorer error message comes up before the Malwarebytes scan could remove the 3 Adware.MediaAccess registry keys that it found to be infected.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:42, on 11/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\DAEMON Tools\daemon.exe
C:\Documents and Settings\Owner\Desktop\OTListIt2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.millennium-music.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [QuickTime Task] "D:\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 2138 bytes
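A first triage pass over HijackThis entries of the kind posted above, as an added example that is not part of the original thread and is not a HijackThis or Geeks to Go tool. It parses the R0/R1, O4 and O23 line formats and flags what a malware helper looks at first: autoruns launched from user-writable profile directories, rundll32 loading a DLL, services whose binary carries no company name ("Unknown owner"), and any browser start page that is set. The sample input is copied from the log above plus one hypothetical O4 line (named `hypothetical`, pointing under Application Data) that is constructed for illustration and does not appear in the real log. The severities and the path patterns are assumptions for triage, not verdicts: an "Unknown owner" service is a prompt to check the file's signer and hash, not a detection.

```python
import re
from typing import Dict, List

# Constructed sample input: entries copied from the HijackThis log posted above,
# plus ONE hypothetical O4 line (the rundll32 entry under Application Data) that is
# not in the original log; it only shows what a flagged profile-directory autorun looks like.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.millennium-music.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [QuickTime Task] "D:\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [hypothetical] rundll32.exe "C:\Documents and Settings\Owner\Application Data\example.dll",Start
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
"""

# HijackThis line shapes: "O4 - <hive>: [<name>] <command>",
# "O23 - Service: <name> - <owner> - <path>" (owner is matched lazily, so a
# service name containing " - " would mis-split), and "R0/R1 - <key>,<value> = <data>".
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+)=\s*(?P<data>.*)$")

# Directories a limited user can write to (XP long and 8.3 names, plus Vista+ Users\).
# Assumed list for triage; extend it for other Windows versions or locales.
USER_WRITABLE = re.compile(
    r"\\(Documents and Settings|docume~1|Application Data|applic~1|Local Settings|Temp|Users)\\",
    re.I,
)


def _finding(kind: str, item: str, target: str, severity: str, reason: str) -> Dict[str, str]:
    return {"kind": kind, "item": item, "target": target, "severity": severity, "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per HijackThis line that deserves a second look, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if USER_WRITABLE.search(cmd):
                findings.append(_finding("O4", m.group("name"), cmd, "high",
                                         "autorun launches from a user-writable profile directory"))
            elif "rundll32" in cmd.lower():
                findings.append(_finding("O4", m.group("name"), cmd, "medium",
                                         "autorun loads a DLL via rundll32; check which DLL and its signer"))
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("owner").strip().lower() == "unknown owner":
                findings.append(_finding("O23", m.group("svc"), m.group("path"), "low",
                                         "service binary carries no company name; verify its signer and hash"))
            continue
        m = R_RE.match(line)
        if m and m.group("data").strip():
            findings.append(_finding("R0/R1", m.group("value").strip(), m.group("data").strip(), "info",
                                     "browser start/search page is set; confirm the user chose it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['kind']:5} {f['item']}: {f['reason']}")
        print(f"         {f['target']}")
```

Run it against a full log saved from HijackThis by reading the file into `triage()`; the point of keeping the heuristics in one function is that each new pattern (an O2 BHO with no filename, an O20 Winlogon notify outside system32) is one more `elif`, while the output stays a flat list the helper can paste back into a thread.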

#2
kahdah
  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Hello andyds

Welcome to G2Go. :)
=====================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#3
andyds
  • Topic Starter
  • Member
  • 14 posts
Hi kahdah,

Thank you so much for your speedy reply. Here are the two DDS reports.


DDS (Ver_09-02-01.01) - NTFSx86 MINIMAL
Run by Owner at 12:06:43.95 on 11/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1796 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
D:\DAEMON Tools\daemon.exe
C:\Documents and Settings\Owner\Desktop\OTListIt2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.millennium-music.co.uk/
mRun: [QuickTime Task] "D:\QTTask.exe" -atboottime
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R3 MotuUsb;MotuUsb;c:\windows\system32\drivers\motuusb.sys [2004-10-25 90172]
S2 Matrox Centering Service;Matrox Centering Service;c:\program files\matrox graphics inc\powerdesk\services\Matrox.PowerDesk.Services.exe [2008-6-11 586760]
S2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\matrox graphics inc\powerdesk se\Matrox.Pdesk.ServicesHost.exe [2008-6-11 189448]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2003-11-6 26528]
S3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [2008-7-14 186368]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-11 38496]
S3 MotuMidi;MOTU MIDI Device;c:\windows\system32\drivers\motumidi.sys [2004-10-25 51104]
S3 Powercore;PowerCore;c:\windows\system32\drivers\PCore.sys [2008-6-5 76800]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2004-10-25 16896]
S3 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [2007-5-24 5533]
S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;c:\windows\system32\drivers\yukonx86.sys [2004-10-22 176256]

=============== Created Last 30 ================

2009-03-11 10:42 <DIR> --d----- C:\Lop SD
2009-03-11 10:37 <DIR> --d----- c:\program files\Trend Micro
2009-03-11 09:52 <DIR> --d----- C:\_OTListIt
2009-03-11 08:59 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-03-11 08:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-11 08:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 08:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 00:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-11 00:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-11 00:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-10 12:32 <DIR> --d----- c:\program files\Enigma Software Group
2009-03-10 10:30 <DIR> a-d----- C:\_$$$KAV_ROOT
2009-02-27 09:51 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-25 11:19 <DIR> --d----- c:\docume~1\owner\applic~1\iZotope
2009-02-25 09:40 1,870,336 a------- c:\windows\system32\bconvert.dll

==================== Find3M ====================

2008-07-10 09:08 21 a------- c:\docume~1\owner\applic~1\iasna_DAA2EFCB-59BE-41d2-8BA5-20B0E5C039A7.dll
2008-07-09 14:28 21 a------- c:\docume~1\owner\applic~1\iasna_496F4C99-60CC-4b9e-AC1B-FA060E643C30.dll
2004-11-02 19:41 3,024 ac------ c:\program files\Absynth 1.3 prefs.ini

============= FINISH: 12:06:57.15 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 22/10/2004 14:14:40
System Uptime: 03/11/2009 10:28:37 (-5686 hours ago)

Motherboard: ASUSTeK Computer Inc. | | P4P800SE
Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 2998/200mhz
Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 2998/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 10 GiB total, 2.524 GiB free.
D: is FIXED (NTFS) - 180 GiB total, 94.951 GiB free.
E: is CDROM ()
F: is CDROM ()
H: is Removable

==== Disabled Device Manager Items =============

Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_80F31043&REV_02\3&267A616A&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_80F31043&REV_02\3&267A616A&0&FD
Service:

==== System Restore Points ===================

RP1: 11/03/2009 08:41:06 - System Checkpoint

==== Installed Programs ======================

Addictive Drums
Adobe Reader 6.0
advertismen
AKAI professional DCVocoder 1.0
AmpliTube2
Antares Autotune VST v5.09
Apple Software Update
Arturia CS-80V v1.5
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BBE Sonic Maximizer 2.0 Full
Brainworx BX Digital VST v1.09
CDXtract 4 r4
Creative Vienna SoundFont Studio
dBpowerAMP Music Converter
DivX Codec
East West EWQLSO Silver Edition
Effectrix
Firewire 410 1.0.0.13
Firewire Family
GForce - impOSCar
GMediaMusic - Oddity VST2
HijackThis 2.0.2
HydraVision
InterLok Driver Kit
Iomega Product Registration
iZotope Ozone 2.0-OxYGeN
iZotope Trash
Kjaerhus Audio Golden Audio Channel GAC-1 v1.03 VST
Logitech SetPoint
MachFive
Malwarebytes' Anti-Malware
Matrox Graphics Software (remove only)
Matrox PowerDesk-SE
Melodyne plugin
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Native Instruments Absynth 2
Native Instruments FM8
Native Instruments Kontakt 2
Native Instruments Kore 2
Native Instruments Massive
Native Instruments Service Center
Native Instruments Vokator
Nero Media Player
Nero OEM
NeroVision Express 2
NextUp-ScanSoft Daniel British Voice
NextUp-ScanSoft Jennifer US English Voice
NextUp Talker
NextUp.com-NeoSpeech Paul16 Voice
NI Service Center
OrangeVocoder VST 2.02
PowerCore 2.2
PROSONIQ morph
PSP VintageWarmer 1.1
QuickTime
Rapture 1.0
ReCycle v2.1
reFX Nexus 1.4.0
ReFX PlastiCZ VSTi v1.02
reFX Vanguard VSTi RTAS v1.8.0
RegCure 1.5.0.0
Retrospect 7.5
rgcAudio z3ta Plus v1.40
Roger Nichols Digital InspectorXL VST RTAS v1.2
Sonic Timeworks CompressorX v1.1.0.3
Sonnox Oxford Inflator Native VST v1.5.1
Sonnox Oxford Limiter Native VST v1.1.1
Sonnox Oxford R3 Dynamics Native VST v1.3.1
Sonnox Oxford R3 EQ Native VST v1.6.1
Sonnox Oxford Reverb Native VST v1.0
Sonnox Oxford TransMod Native VST v1.3.1
Sony Sound Forge 7.0
Steinberg Cubase SX 3
Syncrosoft's License Control
T-RackS 3 Deluxe
TC Native Bundle v3.1
TextAloud
TuneUp Utilities 2008
Tweakui Powertoy for Windows XP
Ultrafunk Sonitus:fx R3 plug-in uninstaller
Vienna SoundFont Studio
VOCALOID Editor V1.0.0.1
VOCALOID Expression DB (Lola)
VOCALOID Expression DB (Standard)
VOCALOID SKIN (Zero-G LOLA)
VOCALOID Voice DB (Lola)
VOCALOID VSTi V1.0.0.1
Waldorf.D-Coder.v1.0.VSTi.for.TC.Powercore
Waves Gold Processors 3.6
Waves Mercury Bundle
Waves SSL Collection v1.2
WebFldrs XP
WinRAR archiver
WinZip
WordBuilder
XP Codec Pack

==== Event Viewer Messages From Past Week ========

10/03/2009 15:51:50, error: Service Control Manager [7000] - The Nsynas32 service failed to start due to the following error: The system cannot find the file specified.
10/03/2009 13:13:06, error: Service Control Manager [7001] - The Alerter service depends on the Workstation service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
10/03/2009 12:31:07, error: Powercore [12304] - [C0000185]: Communication Error: Reset msg submit failed
10/03/2009 11:29:56, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/03/2009 11:29:48, error: Service Control Manager [7034] - The MGABGEXE service terminated unexpectedly. It has done this 1 time(s).
10/03/2009 11:29:43, error: Service Control Manager [7034] - The Retrospect Launcher service terminated unexpectedly. It has done this 1 time(s).
10/03/2009 11:29:36, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
10/03/2009 16:06:21, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/03/2009 16:07:09, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/03/2009 16:07:09, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/03/2009 16:07:09, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/03/2009 16:07:09, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

==== End Of File ===========================


And the GMER report:

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-11 12:15:03
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -631382449
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1957050666
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1E 0xE1 0x74 0xBC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAA 0x86 0xA9 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4D 0x8D 0x20 0x27 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1E 0xE1 0x74 0xBC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAA 0x86 0xA9 0xA6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4D 0x8D 0x20 0x27 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----



Thanks
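A second added example, again not part of the original thread and not a DDS or ComboFix feature: a parser for the file-listing lines that DDS prints under "Created Last 30" and "Find3M" (and, with the extra creation-date column, the lines ComboFix prints in the same sections), with three triage checks applied to anything carrying an executable extension. The one worth knowing is the size check: an IMAGE_DOS_HEADER is 64 bytes, so a file of 21 bytes named `.dll`, like the two `iasna_*.dll` entries in the Find3M section above, cannot be a loadable PE image at all and is some other kind of file wearing a DLL name. The other two checks (executable under a user profile directory, driver with a purely numeric file name) are assumed heuristics that flag things for a human to identify, not detections; some legitimate security tools do install numerically named drivers. The sample listing is constructed from lines on this page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: file lines copied from the DDS "Created Last 30" / "Find3M"
# sections above, plus two lines in ComboFix's layout (creation date, a dot, then
# modification date) so one parser covers both tools' output.
SAMPLE_LISTING = r"""
2009-03-11 08:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-11 08:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 10:42 <DIR> --d----- C:\Lop SD
2009-02-25 09:40 1,870,336 a------- c:\windows\system32\bconvert.dll
2008-07-10 09:08 21 a------- c:\docume~1\owner\applic~1\iasna_DAA2EFCB-59BE-41d2-8BA5-20B0E5C039A7.dll
2008-07-09 14:28 21 a------- c:\docume~1\owner\applic~1\iasna_496F4C99-60CC-4b9e-AC1B-FA060E643C30.dll
2004-11-02 19:41 3,024 ac------ c:\program files\Absynth 1.3 prefs.ini
2009-03-11 13:03 . 2008-07-08 13:54 148,496 --a------ c:\windows\system32\drivers\09675941.sys
2009-03-09 09:34 --------- d-----w c:\program files\Steinberg
"""

# "<created> [. <modified>] <size|<DIR>|dashes> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size><DIR>|-+|[\d,]+)"
    r"\s+(?P<attrs>\S+)"
    r"\s+(?P<path>.+)$"
)

PE_EXTENSIONS = (".dll", ".exe", ".sys", ".ocx", ".scr", ".cpl", ".drv")
MIN_PE_SIZE = 64  # sizeof(IMAGE_DOS_HEADER); e_lfanew sits at offset 0x3C, so smaller files cannot be PE
# Assumed user-profile patterns (XP long and 8.3 names, plus Vista+ Users\).
PROFILE_DIR = re.compile(
    r"\\(docume~1|documents and settings|users|applic~1|application data|local settings|temp)\\", re.I
)
NUMERIC_SYS = re.compile(r"\\drivers\\\d+\.sys$", re.I)

TINY_PE = "too small to be a PE image (the DOS header alone is 64 bytes)"
PROFILE_PE = "executable image stored under a user profile directory"
NUMERIC_DRIVER = "driver with a numeric-only file name; confirm which product installed it"


def parse_size(text: str) -> Optional[int]:
    """DDS prints <DIR> for directories; ComboFix prints dashes where it has no size."""
    if text == "<DIR>" or set(text) == {"-"}:
        return None
    return int(text.replace(",", ""))


def triage_listing(text: str) -> List[Dict[str, object]]:
    """Return one finding per executable-extension file that trips a check, in listing order."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, anything not a file entry
        path = m.group("path").strip()
        if not path.lower().endswith(PE_EXTENSIONS):
            continue
        size = parse_size(m.group("size"))
        reasons: List[str] = []
        if size is not None and size < MIN_PE_SIZE:
            reasons.append(TINY_PE)
        if PROFILE_DIR.search(path):
            reasons.append(PROFILE_PE)
        if NUMERIC_SYS.search(path):
            reasons.append(NUMERIC_DRIVER)
        if reasons:
            findings.append({"path": path, "size": size, "created": m.group("created"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        print(f"{f['created']}  {f['size']!s:>9}  {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Feed it the whole DDS.txt or ComboFix.txt; lines that are not file entries are ignored by the regex, so no section splitting is needed. The size check never produces a false positive (a 21-byte file simply is not a PE), which is why it is listed before the path heuristics.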

#4
kahdah
  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top, under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



#5
andyds
  • Topic Starter
  • Member
  • 14 posts
Hi kahdah,

Sorry for the delay. Wow, that took a long time: 1 day and 21 hours to be precise. This was probably due to my nearly full external hard drive. Anyway, here is the information from the Kas scan:

Detected
--------

Status    Object
-------   ------
deleted:  Trojan program Trojan-Gamethief.win32.onlineGames.uqns  File: D:\TextAloud\TextAloud v2.266.crk.exe

This was the only thing detected.

As it is, the Windows Explorer crash still happens after I reboot out of Safe Mode.

Thanks in advance

Andy

#6
kahdah
  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot not preserved]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot not preserved]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7
andyds
  • Topic Starter
  • Member
  • 14 posts
Hi kahdah,

Sorry to be a pain, but the PC that it is on does not have any internet connection at all.

Is there a way to download it separately, then transfer it across?

Thanks

#8
kahdah
  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Yes, you can download it on the non-infected PC to a flash drive and then run it from there, if you can.

#9
andyds
  • Topic Starter
  • Member
  • 14 posts
Hi, sorry, I meant the Windows restore Microsoft download bit. It doesn't save to the desktop.

#10
kahdah
  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
If prompted see if it will install.
If it doesn't then do not worry, Combofix will continue to run.

#11
andyds
  • Topic Starter
  • Member
  • 14 posts
Hi,

So far I put the ComboFix on the infected desktop and ran it. It said to download the Microsoft Windows Recovery Console, but because it's not on the internet it couldn't do it. Should I run it anyway without the Microsoft Windows Recovery Console or not?

#12
kahdah
  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Yes, go ahead without the Recovery Console.

#13
andyds
  • Topic Starter
  • Member
  • 14 posts
Hi,

Done it. Here is the ComboFix log:

ComboFix 09-03-12.01 - Owner 2009-03-13 22:51:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1756 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\iasna_496F4C99-60CC-4b9e-AC1B-FA060E643C30.dll
c:\documents and settings\Owner\Application Data\iasna_DAA2EFCB-59BE-41d2-8BA5-20B0E5C039A7.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\ssprs.dll
.
---- Previous Run -------
.
c:\program files\outlook
c:\program files\winupdate
c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-11 13:03 . 2008-07-08 13:54 148,496 --a------ c:\windows\system32\drivers\09675941.sys
2009-03-11 10:42 . 2009-03-11 10:45 <DIR> d-------- C:\Lop SD
2009-03-11 10:37 . 2009-03-11 10:37 <DIR> d-------- c:\program files\Trend Micro
2009-03-11 09:52 . 2009-03-11 09:52 <DIR> d-------- C:\_OTListIt
2009-03-11 08:59 . 2009-03-11 08:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 08:59 . 2009-03-11 08:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-11 08:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 08:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-11 00:48 . 2009-03-11 00:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-11 00:48 . 2009-03-11 00:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-11 00:41 . 2009-03-11 08:38 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-11 00:41 . 2009-03-11 08:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 00:24 . 2009-03-11 00:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TuneUp Software
2009-03-11 00:23 . 2009-03-11 00:23 <DIR> d-------- c:\documents and settings\Administrator
2009-03-10 12:32 . 2009-03-11 08:39 <DIR> d-------- c:\program files\Enigma Software Group
2009-03-10 10:30 . 2009-03-10 11:47 <DIR> d-a------ C:\_$$$KAV_ROOT
2009-02-27 09:52 . 2009-02-27 09:52 <DIR> d-------- c:\documents and settings\Owner\Application Data\Apple Computer
2009-02-27 09:51 . 2009-03-10 13:15 664 --a------ c:\windows\system32\d3d9caps.dat
2009-02-25 11:19 . 2009-02-25 11:19 <DIR> d-------- c:\documents and settings\Owner\Application Data\iZotope
2009-02-25 09:40 . 2006-10-04 14:13 1,870,336 --a------ c:\windows\system32\bconvert.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 09:34 --------- d-----w c:\program files\Steinberg
2009-02-25 11:19 --------- d-----w c:\documents and settings\Owner\Application Data\PACE Anti-Piracy
2009-02-25 11:19 --------- d-----w c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-02-09 09:14 --------- d-----w c:\documents and settings\All Users\Application Data\iZotope
2009-02-09 09:11 --------- d-----w c:\program files\Common Files\iZotope
2009-02-06 12:54 --------- d-----w c:\program files\Kore 2 Sounds
2009-02-06 12:25 --------- d-----w c:\program files\Common Files\Native Instruments
2009-02-06 09:00 --------- d-----w c:\program files\Common Files\Apple
2009-02-06 08:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-06 08:59 --------- d-----w c:\program files\Apple Software Update
2009-02-06 08:59 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-06 08:59 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-06 08:58 --------- d-----w c:\program files\IK Multimedia
2004-11-02 19:41 3,024 -c--a-w c:\program files\Absynth 1.3 prefs.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="D:\QTTask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
is-65BMI.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool\is-65BMI\startup.exe [2009-03-11 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etbrun
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-04-21 20:10 335872 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--------- 2006-11-12 10:48 157592 d:\daemon tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAFWTaskbarApp]
--a------ 2007-10-24 13:37 245760 c:\windows\system32\mafwTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox Powerdesk]
--a------ 2002-08-29 17:09 663552 c:\windows\system32\PDesk\pdesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk SE]
--a------ 2008-06-11 15:33 2630664 c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2005-05-20 14:46 28160 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Retrospect\\Retrospect 7.5\\Retrospect.exe"=

R2 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2008-06-11 586760]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2008-06-11 189448]
R3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2003-11-06 26528]
R3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [2008-07-14 186368]
R3 MotuMidi;MOTU MIDI Device;c:\windows\system32\drivers\motumidi.sys [2004-10-25 51104]
R3 MotuUsb;MotuUsb;c:\windows\system32\drivers\motuusb.sys [2004-10-25 90172]
R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2004-10-25 16896]
R3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;c:\windows\system32\drivers\yukonx86.sys [2004-10-22 176256]
S1 is-65BMIdrv;is-65BMIdrv;c:\windows\system32\drivers\09675941.sys [2009-03-11 13:03:25 148496]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-11 38496]
S3 Powercore;PowerCore;c:\windows\system32\drivers\PCore.sys [2008-06-05 76800]
S3 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [2007-05-24 5533]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-13 c:\windows\Tasks\1-Click Maintenance.job
- d:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-23 15:53]

2009-03-13 c:\windows\Tasks\RegCure Program Check.job
- d:\regcure\RegCure.exe [2008-06-06 11:49]

2008-06-06 c:\windows\Tasks\RegCure.job
- d:\regcure\RegCure.exe [2008-06-06 11:49]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-p2pnetworking - p2pnetworking.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.millennium-music.co.uk/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 22:52:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,0b,8a,33,26,4a,
68,44,07,e2,63,26,f1,3f,c8,ff,68,38,6d,89,2a,25,c8,6a,0e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,1f,2a,02,5f,52,
2c,f3,8f,6a,9c,d6,61,af,45,84,18,33,b4,c1,7e,8f,e5,ce,5e,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,7b,73,b8,ec,e3,
cf,d7,19,ff,7c,85,e0,43,d4,0e,fe,3e,e1,02,7e,66,4e,df,2f,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,a1,95,d7,81,35,
88,8b,0e,86,8c,21,01,be,91,eb,e7,70,ae,2b,c5,b4,dc,9e,5e,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,e2,67,31,46,25,
29,9f,5d,f5,1d,4d,73,a8,13,5c,05,bf,ac,27,ff,ab,38,9b,cb,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,ee,af,a8,bb,dd,
a4,3c,a8,df,20,58,62,78,6b,cf,c8,1c,17,8a,a9,da,e1,84,08,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,e9,af,a9,37,7b,
38,8d,fc,fb,a7,78,e6,12,2f,9a,ea,8d,e9,bd,c4,c8,5f,a8,97,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,3d,5d,c6,d2,a3,
a0,d4,8f,01,3a,48,fc,e8,04,4a,f1,cc,9e,4c,e0,9c,ee,78,4d,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,c2,6a,89,1f,2d,
cd,da,88,f6,0f,4e,58,98,5b,89,c9,26,fa,5c,59,ea,f4,f7,7f,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,79,5e,28,96,63,
0d,fa,5d,3d,ce,ea,26,2d,45,aa,78,36,3d,18,2a,5e,f3,7c,a5,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,88,50,16,a7,1e,
2a,03,81,2a,b7,cc,b5,b9,7f,41,e7,da,ef,23,b5,d4,ee,87,d6,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,84,88,09,ab,bf,
08,08,b0,6c,43,2d,1e,aa,22,2f,9c,55,a1,83,73,a2,72,43,14,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-13 22:53:04
ComboFix-quarantined-files.txt 2009-03-13 22:53:02

Pre-Run: 2,176,774,144 bytes free
Post-Run: 2,381,127,680 bytes free

#14
andyds

    Member

  • Topic Starter
  • Member
  • 14 posts
Hi kahdah,

I managed to solve the problem myself by checking event viewer.msc to find the core problem (which was a conflict in c:\documents and settings / owner / history / history.ie5 etc.) and then by simply re-installing Windows Internet Explorer 7.

Don't know why it worked or why there was a problem there in the first place, but anyway it did.

Thanks for looking at my case.

Andy

#15
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
So sorry I didn't get that reply.

Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste it in.)

c:\windows\system32\drivers\09675941.sys

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete; please copy and paste those results in your next post.

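The driver kahdah singles out, c:\windows\system32\drivers\09675941.sys, stands out in the ComboFix service list for reasons a reviewer can check mechanically: an all-digit filename, a file date two days before the scan, and a system-start (S1) driver that is not running. The script below is an added example, written for this thread and not part of ComboFix, the forum's tools or kahdah's instructions. It parses the `R?/S?` service lines in ComboFix's format (the five sample lines are copied from the log above), applies those three review heuristics (the flag names, the three-day window and the heuristics themselves are my choices, not ComboFix's), and computes the MD5/SHA-1/SHA-256 digests you would use to look a file up on a scanner such as VirusTotal before uploading it.

```python
"""Triage the service/driver list of a ComboFix log and hash a sample for lookup.

Added example for this thread; not ComboFix's code. Heuristics and thresholds are
the author's own and only rank candidates for a hash lookup or upload.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample input: five driver lines copied from the log posted above.
# ComboFix's format is
#   <state><start> <service name>;<display name>;<image path> [<date> [<time>] <size>]
# where state R/S means running/stopped and the digit is the Windows start type.
SAMPLE_LOG = r"""
R3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2003-11-06 26528]
R3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [2008-07-14 186368]
S1 is-65BMIdrv;is-65BMIdrv;c:\windows\system32\drivers\09675941.sys [2009-03-11 13:03:25 148496]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-11 38496]
S3 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [2007-05-24 5533]
"""

SCAN_DATE = date(2009, 3, 13)  # "Rootkit scan 2009-03-13" in the log header above

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})"
    r"(?:\s+\d{2}:\d{2}:\d{2})?\s+(?P<size>\d+)\]\s*$"
)

# Windows service start types as ComboFix numbers them.
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}


@dataclass
class Driver:
    running: bool
    start_type: str
    name: str
    path: str
    file_date: date
    size: int
    flags: list = field(default_factory=list)

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_services(text: str) -> list:
    """Return one Driver per well-formed service line; other lines are ignored."""
    drivers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        drivers.append(Driver(
            running=d["state"] == "R",
            start_type=START_TYPES.get(d["start"], "unknown"),
            name=d["name"],
            path=d["path"],
            file_date=date.fromisoformat(d["date"]),
            size=int(d["size"]),
        ))
    return drivers


def triage(drivers: list, scan_date: date = SCAN_DATE, recent_days: int = 3) -> list:
    """Attach review flags (hypothetical names) and return only flagged drivers.

    Note that 'recent' also trips on a legitimately just-installed scanner's own
    driver, which is why the result is a candidate list, not a verdict.
    """
    for d in drivers:
        stem = d.filename.rsplit(".", 1)[0]
        if stem.isdigit():
            d.flags.append("numeric-filename")       # e.g. 09675941.sys
        if (scan_date - d.file_date).days <= recent_days:
            d.flags.append("recent")                 # created shortly before the scan
        if d.start_type in ("boot", "system") and not d.running:
            d.flags.append("early-start-not-running")  # loads before most defences, yet stopped
    return [d for d in drivers if d.flags]


def file_hashes(data: bytes) -> dict:
    """Digests for a hash lookup on an online scanner; pass the file's bytes read from disk."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    for d in triage(parse_services(SAMPLE_LOG)):
        state = "running" if d.running else "stopped"
        print(f"{d.filename:20} {d.file_date} {d.start_type:8} {state:8} {', '.join(d.flags)}")
```

Run against the sample, only 09675941.sys (all three flags) and mbamswissarmy.sys (recent only) come out; the second is the Malwarebytes driver installed during this thread, which is exactly the kind of false positive that a hash lookup, not the heuristics, should settle.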