Inactive Generic host process for win32 services has encountered a proble

Maybe I should change the registry for D: drive?

 

ComboFix is running a scan now..

 

ComboFix 10-11-26.06 - George 11/28/2010 18:24:32.3.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2794 [GMT -5:00]
Running from: c:\documents and settings\George\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\George\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
ADS - explorer.exe: deleted 26 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer
c:\explorer\explorer.exe
c:\windows\TEMP\explorer.dat
C:\WinLogon
c:\winlogon\winlogon.exe

c:\windows\system32\winlogon.exe . . . is infected!!

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

.
--------------- FCopy ---------------

c:\explorer\explorer.exe --> c:\windows\explorer.exe
c:\winlogon\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-27 06:18 . 2005-06-10 23:53 57856 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
2010-11-27 06:18 . 2005-06-10 23:53 57856 ----a-w- c:\windows\system32\spoolsv.exe
2010-11-27 05:14 . 2010-11-27 05:15 -------- dc-h--w- c:\windows\ie8
2010-11-27 02:12 . 2010-11-27 02:12 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-11-27 00:26 . 2010-11-27 00:34 -------- d-----w- C:\Logs
2010-11-23 23:33 . 2010-11-25 02:51 -------- d-----w- c:\documents and settings\George\Local Settings\Application Data\ConduitEngine
2010-11-23 23:33 . 2010-11-23 23:33 -------- d-----w- c:\program files\ConduitEngine
2010-11-23 23:33 . 2010-11-23 23:33 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2010-11-23 02:16 . 2010-09-15 09:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-23 02:16 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-22 01:28 . 2010-11-22 01:28 -------- d-----w- C:\DCIM
2010-11-16 23:47 . 2010-11-16 23:47 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-11-16 23:04 . 2010-11-16 23:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-11-15 00:39 . 2010-11-15 00:39 -------- d-----w- c:\documents and settings\Administrator
2010-11-09 01:33 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-09 01:33 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-09 01:33 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-09 01:33 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-09 01:33 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-09 01:33 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-09 01:33 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-09 01:33 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-09 01:33 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-09 01:33 . 2010-11-09 01:33 -------- d-----w- c:\program files\Alwil Software
2010-11-09 01:33 . 2010-11-09 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-11-09 01:22 . 2010-11-09 01:22 -------- d-----w- c:\documents and settings\George\Application Data\Malwarebytes
2010-11-09 01:22 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-09 01:22 . 2010-11-09 01:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-09 01:22 . 2010-11-09 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-09 01:22 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-09 01:15 . 2010-11-09 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-06 16:37 . 2010-11-06 16:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-10-30 22:30 . 2010-11-25 02:57 -------- d-----w- c:\documents and settings\George\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-27 17:02 . 2004-08-04 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-11-27 17:00 . 2010-11-27 17:00 281116 ----a-w- C:\winlogon.zip
2010-11-27 16:47 . 2010-11-27 16:47 379526 ----a-w- C:\explorer.zip
2010-09-15 07:29 . 2008-12-20 00:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 02:53 . 2010-09-10 02:53 53248 ----a-r- c:\documents and settings\George\Application Data\Microsoft\Installer\{08DEC21F-F7E5-46F9-81D1-3ED30BD3AEC9}\ARPPRODUCTICON.exe
.

------- Sigcheck -------

[-] 2010-11-27 . 3E326757DE98D641278C1AD667D185B2 . 507904 . . [5.1.2600.5508] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe
[-] 2007-06-13 . 82852070785B5BE6E99D414FF4CFE920 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9565115d-c7d6-46d3-bd63-b67b481a4368} "= "c:\program files\PageRage\tbPag2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\PageRage\tbPag2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-04-20 18:09 194912 ------w- c:\program files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9565115d-c7d6-46d3-bd63-b67b481a4368} "= "c:\program files\PageRage\tbPag2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9565115D-C7D6-46D3-BD63-B67B481A4368} "= "c:\program files\PageRage\tbPag2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!) "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Google Update "= "c:\documents and settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-30 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint "= "c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936]
"IgfxTray "= "c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence "= "c:\windows\system32\igfxpers.exe" [2007-09-05 137752]
"DELL Webcam Manager "= "c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"OEM02Mon.exe "= "c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Broadcom Wireless Manager UI "= "c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"googletalk "= "c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"CanonMyPrinter "= "c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 1983816]
"CanonSolutionMenu "= "c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"IJNetworkScanUtility "= "c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\George\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-1-4 333088]
V CAST Media Monitor.lnk - c:\program files\V CAST Media Manager\MEMonitor.exe [2010-9-9 2991464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
OADP Utility.lnk - c:\sabre\Apps\OADP\OadpUtil.exe [2010-2-8 528452]
Sabre Printing Start.lnk - c:\sabre\Sabstart.exe [2010-2-8 20992]
Sabre Server.lnk - c:\windows\sabserv.exe [2010-2-8 135168]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@= "Driver "

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
"c:\\Downloads\\_extracted\\Portable_SopCast.rar.extracted\\Portable SopCast.exe "=
"c:\\Documents and Settings\\George\\Application Data\\Thinstall\\SopCast 3.0.3\\4000008d00003i\\SopAdver.exe "=
"c:\\SABRE\\Apps\\OADP\\OadpUtil.exe "=
"c:\\WINDOWS\\sabserv.exe "=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe "=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe "=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe "=
"c:\\Documents and Settings\\George\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe "=

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/8/2010 8:33 PM 165584]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/8/2010 8:33 PM 17744]
S2 CfgSrvc;Config Service Helper;c:\windows\system32\CfgSrvc.exe [2/8/2010 8:30 PM 55296]
S2 HsspConfig;HSSP Configuration Module;c:\windows\system32\CfgSrvc.exe [2/8/2010 8:30 PM 55296]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
S2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [9/9/2010 9:08 PM 91456]
S2 SabrePrint;Sabre Printing Module;c:\sabre\Apps\OADP\Oadp.exe [2/8/2010 8:31 PM 512000]
S2 SDMan;Sabre Device Manager;c:\windows\sdman.exe [2/8/2010 8:30 PM 106496]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [9/9/2010 9:08 PM 6016]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [12/18/2008 2:27 PM 105984]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [9/9/2010 9:08 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [9/9/2010 9:08 PM 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [9/9/2010 9:08 PM 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [9/9/2010 9:08 PM 9472]
.
Contents of the 'Scheduled Tasks' folder

2010-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-413027322-839522115-1003Core.job
- c:\documents and settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-30 22:30]

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-413027322-839522115-1003UA.job
- c:\documents and settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-30 22:30]

2010-11-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 18:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@= "FlashBroker "
"LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101 "

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled "=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe "

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@= "IFlashBroker4 "

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@= "{00020424-0000-0000-C000-000000000046} "

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
"Version "= "1.0 "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1432)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\browselc.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\mmfinfo.dll
c:\windows\system32\mkunicode.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2010-11-28 18:46:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-28 23:46
ComboFix2.txt 2010-11-27 06:27

Pre-Run: 217,903,337,472 bytes free
Post-Run: 217,920,360,448 bytes free

- - End Of File - - CF0AC1194CB16DB6B2E59C1A556499B8

 

And how do I go about doing that? lol...

 

Ok thx! it did come with one but I have no clue where it is...thanks for all your help.

 

Couple of questions and I promise to leave you alone...

1. I have a disk for another laptop which has Windows 7, the infected latptop had XP but I don't have the disk.

2. If I do a system restore would that do anything? is the virus still there?

3. Thank you so much for trying to help me!

 

Great news! I was able to install Windows 7 and its so much better! Thx for your help again!