I'm still having difficulties, since I can't run Windows Explorer. I ended up using msconfig to remove my antivirus software from startup. Unfortunately, there were lots of items checked in the Startup tab that I know I disabled months (if not years) ago, so something has been re-enabling those startup entries.
I was able to run ComboFix and HijackThis. Here are the logs (note that the ComboFix Sigcheck section below reports it could not open c:\windows\explorer.exe and that beep.sys is missing, which may be related to Explorer not starting):
COMBOFIX:
ComboFix 09-09-06.06 - Owner 09/07/2009 13:08.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1008 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\93862496.ini
c:\recycler\NPROTECT
c:\windows\_id_rgvs.reg
c:\windows\Installer\2b115a.msi
c:\windows\Installer\2f14b.msp
c:\windows\Installer\32bf76e.msp
c:\windows\system32\drivers\SKYNETyqjowxvi.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\ps2.bat
c:\windows\system32\SKYNETqltcryex.dat
c:\windows\system32\SKYNETqvscdjol.dat
c:\windows\system32\SKYNETtuirrxiq.dll
c:\windows\system32\SKYNETwnohunkd.dll
c:\windows\wpd99.drv
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SKYNETypuhymyx
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_SKYNETypuhymyx
((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.
2009-09-02 02:25 . 2009-09-02 02:25 -------- d-----w- c:\program files\Trend Micro
2009-08-25 02:47 . 2009-08-25 02:47 -------- d-----w- c:\documents and settings\Owner\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2009-08-24 03:22 . 2009-08-24 03:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Red Kawa
2009-08-24 00:18 . 2009-08-24 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA
2009-08-24 00:17 . 2009-08-24 00:17 -------- d-----w- c:\program files\Virtools
2009-08-23 03:43 . 2009-08-23 04:17 -------- d-----w- c:\program files\Electronic Arts
2009-08-22 05:04 . 2009-08-22 05:04 -------- d-----w- C:\temp
2009-08-22 02:48 . 2009-08-22 02:49 -------- d-----w- C:\mbam
2009-08-22 02:41 . 2009-08-22 02:41 687104 ----a-w- c:\windows\is-6VCM9.exe
2009-08-22 02:40 . 2009-08-12 00:05 3942048 ----a-w- C:\mbam.exe
2009-08-22 00:33 . 2009-08-22 00:33 0 ----a-w- c:\windows\system32\cmpwrap.dat
2009-08-12 03:56 . 2008-04-13 16:39 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2009-08-12 03:56 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2009-08-11 23:03 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 04:45 . 2002-11-14 06:42 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-05 14:28 . 2008-04-19 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2009-09-05 14:27 . 2008-04-19 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\CameraWindowDC
2009-08-24 04:11 . 2002-10-29 21:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-22 03:53 . 2005-09-30 21:43 -------- d-----w- c:\program files\The Learning Company
2009-08-22 03:49 . 2007-12-29 01:21 -------- d-----w- c:\program files\Common Files\Apple
2009-08-22 03:32 . 2009-02-06 02:25 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-08-22 03:32 . 2009-02-06 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-22 03:23 . 2008-03-11 03:07 -------- d-----w- c:\program files\Canon
2009-08-22 02:44 . 2009-01-19 00:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 02:39 . 2004-08-01 01:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-12 02:34 . 2009-04-13 02:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Any Video Converter
2009-08-09 18:17 . 2008-01-05 17:47 -------- d-----w- c:\program files\Red Kawa
2009-08-08 14:00 . 2004-08-01 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 04:37 . 2008-09-12 03:18 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-08-05 09:01 . 2002-11-14 06:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 04:35 . 2009-08-05 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-03 17:36 . 2009-01-19 00:48 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-01-19 00:48 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 03:13 . 2009-07-31 03:13 -------- d-----w- c:\program files\iTunes
2009-07-31 03:13 . 2009-07-31 03:13 -------- d-----w- c:\program files\iPod
2009-07-31 03:10 . 2009-07-31 03:10 -------- d-----w- c:\program files\QuickTime
2009-07-31 03:03 . 2003-04-26 18:15 55544 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-19 17:47 . 2009-07-19 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Pinnacle
2009-07-19 17:46 . 2009-07-19 17:46 -------- d-----w- c:\program files\Pinnacle
2009-07-19 17:46 . 2009-07-19 17:46 -------- d-----w- c:\program files\Common Files\Pinnacle
2009-07-17 19:01 . 2002-11-14 06:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-11-14 06:41 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2002-11-14 06:42 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-11-14 06:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2002-10-29 19:19 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2002-11-14 06:41 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2002-11-14 06:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-10-05 02:02 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-02-13 03:12 . 2008-02-13 03:12 2 --shatr- c:\windows\winstart.bat
2003-04-19 02:27 . 2003-04-19 02:27 0 -csha-w- c:\windows\SMINST\HPCD.sys
2009-01-17 20:10 . 2009-01-17 20:10 120 --sh--w- c:\windows\system32\htnnlufs.tmp
.
------- Sigcheck -------
[-] !HASH: COULD NOT OPEN FILE !!!!! [------] c:\windows\explorer.exe
[-] 7712DF0CDDE3A5AC89843E61CD5B3658 [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 12896823FB95BFB3DC9B46BCAEDC9923 [6.00.2900.5512 (xpsp.080413-2105)] c:\windows\ServicePackFiles\i386\explorer.exe
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk.disabled]
backup=c:\windows\pss\Adobe Gamma Loader.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk.disabled]
backup=c:\windows\pss\Kodak software updater.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockTracker
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Desktop Messenger
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdskctl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ScsiAccess"=2 (0x2)
"msCMTSrvc"=3 (0x3)
"CVPND"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SNMPTRAP"=3 (0x3)
"SNMP"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PlugPlay"=2 (0x2)
"NwSapAgent"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McShield"=3 (0x3)
"LPDSVC"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"Logitech Hardware Abstraction Layer"=KHALMNPR.EXE
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"msupdate"=msupdate.exe
"USB2Check"=RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\naifsrec.sys [4/30/2001 4:51 AM 4512]
R2 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\avsynmgr.exe [11/26/2001 4:51 PM 155665]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [11/14/2002 2:07 AM 14336]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [1/9/2005 11:19 PM 3712]
R2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\ssipddp.sys [4/3/2004 2:52 PM 54272]
S2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys --> c:\windows\system32\Drivers\LBeepKE.sys [?]
S2 mrtRate;mrtRate; [x]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/31/2009 2:23 PM 18560]
S3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\naifiltr.sys [11/26/2001 4:51 PM 23856]
.
Contents of the 'Scheduled Tasks' folder
2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.msn.com
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: itt.com\etime4
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8vdkep7k.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.roadrunner.com/index.cfm
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 13:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1400307210-653112703-2053677248-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1400307210-653112703-2053677248-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,69,c4,66,eb,ba,ee,3e,04,4e,b5,ad,97,b3,54,63,81,11,04,78,a8,88,90,
eb,32,31,c0,b4,ea,36,11,7d,11,04,88,8e,9d,75,7f,f2,a9,24,96,f3,7e,45,e6,21,\
"??"=hex:3e,50,b9,cf,0e,7f,91,5f,56,fa,64,5a,48,be,8b,c8
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,aa,91,5e,c5,eb,
b3,48,88,c8,28,51,af,b0,29,a3,98,52,a3,e8,fc,1b,6b,2d,32,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,dc,2a,d2,76,64,
48,0d,ec,71,3b,04,66,8b,46,0d,96,8d,b2,cd,b8,a0,fb,8e,14,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,c6,4b,4e,85,43,
7a,5f,bf,25,da,ec,7e,55,20,c9,26,dc,1b,7b,88,75,fa,f0,ad,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,f2,7a,56,03,8c,
62,7d,94,3e,1e,9e,e0,57,5a,93,61,91,05,85,0b,83,a4,58,a9,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,87,25,11,cb,b4,
fe,fc,a7,cd,44,cd,b9,a6,33,6c,cd,04,b6,f2,6d,7e,c1,6b,3f,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,3a,e6,d8,dd,5d,
90,be,29,b0,18,ed,a7,3f,8d,37,a4,8f,92,a9,c5,7e,5f,4c,4b,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,e1,be,82,77,71,
82,7e,ba,31,77,e1,ba,b1,f8,68,02,01,d9,44,e4,ea,53,95,24,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,f7,02,45,25,f1,
ba,98,67,83,6c,56,8b,a0,85,96,ab,bf,af,68,2f,f8,22,ca,8f,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,61,78,31,f8,25,
cd,44,c2,51,fa,6e,91,28,9e,14,cc,9a,6d,ab,73,f9,25,be,33,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,0d,b6,ab,07,36,
47,ef,0a,b1,cd,45,5a,a8,c4,f8,b9,95,5c,90,4b,a6,d2,36,7d,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,6d,94,17,e5,31,
55,4e,f6,e3,0e,66,d5,eb,bc,2f,6b,6f,5a,d7,db,b4,45,23,5a,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,26,12,9b,0c,93,
58,07,a5,fa,ea,66,7f,d4,3b,6b,70,45,51,75,56,5d,da,98,f9,6c,43,2d,1e,aa,22,\
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-07 13:16
ComboFix-quarantined-files.txt 2009-09-07 17:15
ComboFix2.txt 2009-01-20 04:03
Pre-Run: 39,952,023,552 bytes free
Post-Run: 39,906,873,344 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
Current=10 Default=10 Failed=9 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,10,11
415 --- E O F --- 2009-09-02 02:00
HIJACK THIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:00 PM, on 9/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 3406 bytes
-- Opticswalt