Well, that was a process. Below is the log file from ComboFix.
What are the next steps — are we clean, or do we need additional steps?
ComboFix 09-09-25.01 - Curtis 09/27/2009 12:35.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1059 [GMT -7:00]
Running from: d:\vscan\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\agyw.lib
c:\documents and settings\All Users\Application Data\fulur.pif
c:\documents and settings\All Users\Application Data\kupuwiw.scr
c:\documents and settings\All Users\Documents\dilody.exe
c:\documents and settings\All Users\Documents\ehequg.ban
c:\documents and settings\All Users\Documents\omiwagel.ban
c:\documents and settings\Curtis\Application Data\ivawylah.scr
c:\documents and settings\Curtis\Application Data\syhuja.scr
c:\documents and settings\Curtis\Application Data\wiaserva.log
c:\documents and settings\Curtis\Application Data\ysetequf.inf
c:\documents and settings\Curtis\Local Settings\Application Data\gokuru.scr
c:\documents and settings\Curtis\Local Settings\Temporary Internet Files\udyx.bin
c:\documents and settings\Curtis\Local Settings\Temporary Internet Files\ynoruhuzuw.db
c:\documents and settings\Curtis\Local Settings\Temporary Internet Files\yziwazamo._dl
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\recycler\NPROTECT
c:\windows\elarulog.bat
c:\windows\Installer\1c0124.msp
c:\windows\Installer\2cb131.msi
c:\windows\Installer\359b34.msi
c:\windows\mega.pif
c:\windows\system\SYSRegC.dll
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\arilux.exe
c:\windows\system32\fubatuzo.exe
c:\windows\system32\iniasd.txt
c:\windows\system32\isifaxym.pif
c:\windows\system32\juruzuhu.dll
c:\windows\system32\logomafe.exe
c:\windows\system32\ratyso.bin
c:\windows\system32\sudinasu.exe
c:\windows\system32\system
c:\windows\system32\system\msxml4.dll
c:\windows\system32\system\msxml4r.dll
c:\windows\system32\vehusuru.exe
c:\windows\system32\winhelper.dll
c:\windows\yfulegodah.dll
c:\windows\zaponce52621.dat
c:\windows\zaponce52689.dat
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.
2009-09-27 19:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-27 19:17 . 2009-09-27 19:17 -------- d-----w- c:\documents and settings\Curtis\Local Settings\Application Data\Tific
2009-09-27 19:17 . 2009-09-27 19:17 -------- d-----w- c:\documents and settings\Curtis\Application Data\Tific
2009-09-27 17:45 . 2009-09-27 17:45 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-27 17:45 . 2009-09-27 17:45 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-27 17:45 . 2009-09-27 17:45 -------- d-----w- c:\program files\Symantec
2009-09-27 17:44 . 2009-09-27 17:44 -------- d-----w- c:\windows\system32\drivers\NIS
2009-09-27 17:44 . 2009-09-27 17:44 -------- d-----w- c:\program files\Norton Internet Security
2009-09-27 01:32 . 2009-09-27 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-27 00:11 . 2009-09-27 00:11 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-27 00:11 . 2009-09-27 00:11 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-09-27 00:11 . 2009-09-27 00:11 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-09-26 19:23 . 2009-09-26 19:23 -------- d-----w- c:\program files\CCleaner
2009-09-20 07:44 . 2009-09-20 07:44 48640 ----a-w- C:\mdnsq.exe
2009-09-10 22:03 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 20:14 . 2008-01-30 03:03 33032 ------w- c:\windows\system32\eCopyDesktopPrinterMon.DLL
2009-09-06 20:13 . 2009-09-06 20:13 -------- d-----w- c:\program files\eCopy
2009-09-06 20:13 . 2009-09-06 20:13 -------- d-----w- C:\eCopy
2009-09-06 20:12 . 2009-09-06 20:12 -------- d-----w- c:\documents and settings\Curtis\Local Settings\Application Data\Downloaded Installations
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 19:43 . 2007-08-26 08:04 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000002-80271102}.dat
2009-09-27 19:43 . 2007-08-26 08:04 24 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000001-00001102-00000002-80271102}.dat
2009-09-27 19:20 . 2005-02-19 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-27 19:20 . 2005-02-19 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-27 17:51 . 2003-12-27 05:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-27 17:45 . 2009-09-27 17:45 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-27 17:45 . 2009-09-27 17:45 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-27 17:44 . 2009-09-27 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-27 17:44 . 2009-09-27 17:44 -------- d-----w- c:\program files\NortonInstaller
2009-09-27 17:25 . 2009-09-27 17:25 -------- d-----w- c:\program files\Windows Sidebar
2009-09-27 17:19 . 2007-08-16 05:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-27 17:19 . 2003-12-27 05:29 -------- d-----w- c:\documents and settings\Curtis\Application Data\Symantec
2009-09-27 17:14 . 2009-09-27 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-09-27 07:09 . 2003-12-27 04:57 -------- d-----w- c:\program files\Setup Files
2009-09-27 05:56 . 2009-09-27 05:56 -------- d-----w- c:\program files\Trend Micro
2009-09-27 05:49 . 2009-09-27 05:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 05:49 . 2009-09-27 05:49 -------- d-----w- c:\program files\Java
2009-09-27 05:22 . 2009-09-27 05:22 -------- d-----w- c:\documents and settings\Curtis\Application Data\Malwarebytes
2009-09-27 05:22 . 2009-09-27 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-27 01:31 . 2008-09-10 02:18 -------- d-----w- c:\documents and settings\Curtis\Application Data\EMBARQTOOLBAR
2009-09-26 21:43 . 2007-08-19 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-09-26 17:29 . 2003-12-27 08:02 -------- d-----w- c:\program files\Microsoft Games
2009-09-26 17:29 . 2007-11-26 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-09-26 17:28 . 2005-05-23 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-09-26 17:28 . 2004-04-23 02:48 -------- d-----w- c:\documents and settings\Curtis\Application Data\Roxio
2009-09-26 17:28 . 2007-08-19 05:53 -------- d-----w- c:\documents and settings\Curtis\Application Data\iolo
2009-09-26 17:28 . 2004-04-10 06:08 -------- d-----w- c:\documents and settings\Curtis\Application Data\EPSON
2009-09-26 17:28 . 2007-08-19 05:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2009-09-24 22:46 . 2009-06-24 22:45 53248 --sha-w- c:\windows\system32\wezavova.dll
2009-09-24 22:45 . 2009-06-24 22:45 38400 --sha-w- c:\windows\system32\serevudo.dll
2009-09-20 19:50 . 2009-06-20 19:50 50688 --sha-w- c:\windows\system32\vufurajo.dll
2009-09-20 07:50 . 2009-06-20 07:50 38400 --sha-w- c:\windows\system32\napokoku.dll
2009-08-29 16:56 . 2003-12-30 02:53 95864 ----a-w- c:\documents and settings\Curtis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:29 . 2007-08-19 05:55 2116008 ----a-w- c:\windows\system32\Incinerator.dll
2009-08-26 22:42 . 2007-08-19 05:55 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2009-08-26 22:42 . 2007-08-19 05:55 12288 ----a-w- c:\windows\system32\smrgdf.exe
2009-08-05 09:11 . 2003-12-27 08:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2003-12-27 03:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2003-12-27 08:29 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2003-08-27 22:19 . 2005-11-05 01:16 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2009-02-18 02:20 . 2009-02-18 02:20 8456 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-27 149280]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"PCLEPCI"="c:\progra~1\Pinnacle\PPE\ppe.exe" [2002-06-25 32768]
"Motive SmartBridge"="c:\progra~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 438359]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"eDP2eD"="c:\program files\eCopy\Desktop 9.2\Bin\eDP2eD.exe" [2008-01-30 144648]
"eCopy Scan Inbox Monitor"="c:\program files\eCopy\Desktop 9.2\Bin\InboxMonitor.exe" [2008-01-30 79112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-26 335872]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-03 24576]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-1-1 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-1-4 113664]
IKON Office Solutions IKON VPN Client.lnk - c:\program files\IKON\IKON VPN Client\ipsecdialer.exe [2004-8-1 1216588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Curtis\Application Data\iolo\
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IKON\\IKON VPN Client\\ipsecdialer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"d:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"d:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10000:TCP"= 10000:TCP:Ikon Dialer
"10000:UDP"= 10000:UDP:Ikon Dialer
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1100000.088\SymDS.sys [9/27/2009 10:45 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1100000.088\SymEFA.sys [9/27/2009 10:45 AM 169008]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20090911.001\BHDrvx86.sys [9/11/2009 3:45 PM 507440]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1100000.088\ccHPx86.sys [9/27/2009 10:45 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1100000.088\Ironx86.sys [9/27/2009 10:45 AM 114736]
R2 CVPNDRV;IKON Office Solutions IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [8/1/2004 12:57 PM 160327]
R3 DVC150B;Dazzle DVC 150B;c:\windows\system32\drivers\dvc150b.sys [8/22/2004 6:42 PM 30976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/27/2009 10:49 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20090911.001\IDSXpx86.sys [9/27/2009 10:50 AM 329080]
S2 DVC150;DVC 150B;c:\windows\system32\drivers\dvc150b.sys [8/22/2004 6:42 PM 30976]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe [9/27/2009 10:45 AM 126392]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-6728 v2.50\HwIOctl.sys --> c:\program files\Setup Files\MS-6728 v2.50\HwIOctl.sys [?]
S3 laguna;laguna;c:\windows\system32\drivers\cl546xm.sys [12/26/2003 11:44 AM 248064]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\Curtis\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\Curtis\LOCALS~1\Temp\mdxgthkn.sys [?]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\FIDE.SYS [12/19/2005 9:19 PM 15271]
S3 NUVision;NUVision Video Service;c:\windows\system32\drivers\NUVvid2.sys [12/27/2003 4:06 PM 153824]
.
Contents of the 'Scheduled Tasks' folder
2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
2009-09-27 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Curtis.job
- c:\program files\Norton Internet Security\Engine\17.0.0.136\Navw32.exe [2009-09-27 08:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myembarq.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {86BD7EF7-A701-4460-8FF3-E160F0123B38} = 192.168.10.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxps://secure.iolo.com/app/ocx/UpgradeVerify.ocx
.
.
------- File Associations -------
.
inifile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
JSEFile=NOTEPAD.EXE %1
txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 12:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.0.0.136\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,b5,50,7f,91,7e,
54,ed,b4,c8,28,51,af,b0,29,a3,98,b4,ae,80,5e,94,55,a4,ba,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,d3,9a,6c,ae,d5,
95,53,e8,71,3b,04,66,8b,46,0d,96,e3,de,b4,05,2e,77,2c,af,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,5e,71,93,2e,9d,
bd,9b,60,25,da,ec,7e,55,20,c9,26,2f,5b,6c,90,4b,f9,85,51,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,52,b8,4e,66,76,
91,35,61,3e,1e,9e,e0,57,5a,93,61,dc,33,15,18,84,0b,34,dc,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,19,a2,d3,91,77,
d6,02,35,cd,44,cd,b9,a6,33,6c,cd,d6,d5,f2,65,7f,34,04,9d,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,47,25,76,f5,22,
83,fd,34,b0,18,ed,a7,3f,8d,37,a4,83,e1,b7,38,29,4a,af,02,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,9d,a3,de,56,ef,
49,bf,d6,31,77,e1,ba,b1,f8,68,02,ea,a4,1e,9a,9f,83,47,63,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,98,a3,8b,ff,ee,
ea,9c,a7,83,6c,56,8b,a0,85,96,ab,fa,82,7d,55,f0,00,c3,43,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,4e,b8,c9,0c,14,
a1,e4,53,51,fa,6e,91,28,9e,14,cc,d2,95,64,19,86,5b,e1,84,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,08,cb,06,36,c8,
e2,9c,6b,b1,cd,45,5a,a8,c4,f8,b9,50,e7,2c,c3,d0,1c,62,1d,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,a5,13,61,65,ff,
b5,27,d9,e3,0e,66,d5,eb,bc,2f,6b,d0,f7,d5,5a,bc,74,39,21,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,d8,fa,3b,f2,39,
f9,d2,f0,fa,ea,66,7f,d4,3b,6b,70,05,ed,9f,60,60,2a,5a,38,6c,43,2d,1e,aa,22,\
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\CSGina.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3352)
c:\windows\system32\WININET.dll
c:\progra~1\VIRTUA~1\SMARTB~1\SBHook.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\IKON\IKON VPN Client\cvpnd.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\E_S00RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\SAgent4.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-09-27 12:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 19:49
Pre-Run: 34,603,102,208 bytes free
Post-Run: 34,588,532,736 bytes free
367 --- E O F --- 2009-09-26 21:45