Smitfraud C. Koowo and much more



grancher
2008-08-18, 20:29
I've had quite a bit of nasty stuff on this computer for a while now. A Spybot S&D check came up with Smitfraud C. Koowo, which referred me to this forum. I have tried fixing stuff with HijackThis, without the help of someone who knew what they were doing. I don't think I hurt anything important, but it didn't really make much difference either. Help would be much appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:20, on 2008-8-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
D:\search.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RavTask] "d:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.cctv.com
O15 - Trusted Zone: *.kdy8.com
O15 - Trusted Zone: *.yahoo.cn
O15 - Trusted Zone: *.yahoo.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8DACBD7-AAF4-4EB3-A3B7-DA5AAA23963D}: NameServer = 221.12.1.228 221.12.65.228
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: zsqf.dll
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - d:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: wwinsystem - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)

--
End of file - 6448 bytes
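An added example, not part of this thread and not HijackThis code: a small Python triage script that parses log lines in the HijackThis format posted above and flags the entry types a helper checks first (AppInit_DLLs, services with a missing binary or unknown owner, DNS overrides, Trusted Zone additions, path-less autoruns). The sample input is a few lines copied from the log above; the rules and the severity labels are my own assumptions, not anything HijackThis reports.

```python
import re
from dataclasses import dataclass
from typing import List, Dict

# Constructed sample: a handful of lines copied from the HijackThis log
# in the thread, enough to exercise each triage rule offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - Trusted Zone: *.kdy8.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8DACBD7-AAF4-4EB3-A3B7-DA5AAA23963D}: NameServer = 221.12.1.228 221.12.65.228
O20 - AppInit_DLLs: zsqf.dll
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: wwinsystem - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
"""

# Every HijackThis item line has the shape "O<n> - <body>".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O23"
    body: str     # everything after "O23 - "


@dataclass
class Finding:
    severity: str  # "high" or "review" (labels are this example's own)
    section: str
    reason: str
    line: str


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into (section, body) entries; header and
    'Running processes' lines do not match the O<n> pattern and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply a few defender-side rules to the parsed entries."""
    findings = []
    for e in entries:
        line = f"{e.section} - {e.body}"
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are injected by user32.dll into every process that
            # loads user32; a non-empty value is almost never benign on a home PC.
            dlls = e.body.split(":", 1)[1].strip()
            if dlls:
                findings.append(Finding("high", e.section,
                    f"AppInit_DLLs injects {dlls!r} into every user32 process", line))
        elif e.section == "O23":
            # A service whose binary is gone or whose vendor is unknown is a
            # classic leftover of a dropper; verify before deleting.
            if "(file missing)" in e.body or "Unknown owner" in e.body:
                findings.append(Finding("high", e.section,
                    "service with unknown owner or missing binary", line))
        elif e.section == "O17":
            # A NameServer override may be the ISP's resolver or a DNS hijack;
            # it needs confirmation either way.
            m = re.search(r"NameServer = (.+)$", e.body)
            if m:
                findings.append(Finding("review", e.section,
                    f"DNS servers set to {m.group(1)}; confirm they belong to the ISP", line))
        elif e.section == "O15":
            findings.append(Finding("review", e.section,
                "site added to the IE Trusted Zone (relaxed security settings)", line))
        elif e.section == "O4":
            # "[Name] target args": a bare filename with no drive path is resolved
            # through the search path at logon and cannot be verified from the log.
            m = re.search(r"\] (\S+)", e.body)
            target = m.group(1) if m else ""
            if target and not target.startswith('"') and ":\\" not in target:
                findings.append(Finding("review", e.section,
                    f"autorun target {target!r} has no full path", line))
    return findings


def triage_log(text: str) -> List[Finding]:
    return triage(parse_hjt(text))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity label."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```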

Shaba
2008-08-20, 12:37
Hi grancher

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

grancher
2008-08-20, 19:36
:oops:
Well... It looks like my attempt to install the Recovery Console didn't work. When I dropped WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe into Combofix.exe I got several pop-up messages:

I closed the first one without looking at it before I even considered what I was doing. The second one said nircmd.com on the top and said something about DLL C:\WINDOWS\system32\ypcqhhlp.dll and wanted me to put in my Windows CD.
The 3rd, 4th and 5th pop-up messages said ComboFix.exe at the top and repeated the same message.

I probably should have stopped there, but I tried running Combofix. The first time I got a message saying some files could not be created and instructing me to close all applications and restart Windows; I think I forgot to disable all of my anti-virus software. I got the same pop-up messages: the first one said Combofix.exe on the top, the 2nd said nircmd.com, and the 3rd, 4th and 5th said Combofix.exe. After that Combofix seemed to do what the instructions said it would.
Here are the reports:

ComboFix 08-08-19.02 - Administrator 2008-08-20 23:57:52.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.936.1.2052.18.249 [GMT 8:00]
執行位置: C:\Documents and Settings\Administrator\桌面\ComboFix.exe
* 已建立新的還原點

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com\v1.0.0270\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com\v1.0.0288\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com\v1.0.0290\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\static.youku.com\v1.0.0304\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\www.inter-focus.cn
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\G2Y6ECSC\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Documents and Settings\Guest\Favorites\链接
C:\Documents and Settings\马日文\Favorites\链接
C:\WINDOWS\Fonts\fonts.exe
C:\WINDOWS\Fonts\syn00-11-2F-1B-4B-0C\system
C:\WINDOWS\Fonts\syn00-11-2F-1B-4B-0C\system\SYSTEM128.vxd
C:\WINDOWS\RSBDBACKUP.DLL
C:\WINDOWS\system32\bjrvm.cfg
C:\WINDOWS\system32\bootvidgj.nls
C:\WINDOWS\system32\c0866ebe2d.dll
C:\WINDOWS\system32\crugd.cfg
C:\WINDOWS\system32\discard.ini
C:\WINDOWS\system32\drivers\8xqd3.sys
C:\WINDOWS\system32\drivers\r072b.sys
C:\WINDOWS\system32\ektvm.cfg
C:\WINDOWS\system32\fxzxbime.sys
C:\WINDOWS\system32\fzmsbwin.sys
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\havser.ini
C:\WINDOWS\system32\hfjg.cfg
C:\WINDOWS\system32\ijatnaw.cfg
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\kbdswjr.nls
C:\WINDOWS\system32\ladyapaw.sys
C:\WINDOWS\system32\lariytrz.cfg
C:\WINDOWS\system32\mhsha1.dat
C:\WINDOWS\system32\msobjstl.nls
C:\WINDOWS\system32\msosmnsf.dat
C:\WINDOWS\system32\msosping.dat
C:\WINDOWS\system32\oqrthc.cfg
C:\WINDOWS\system32\pzdyapaw.sys
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\spmybapi.sys
C:\WINDOWS\system32\sufost.ini
C:\WINDOWS\system32\Update.dat
C:\WINDOWS\system32\url1.exe
C:\WINDOWS\system32\xclf5o.dll
C:\WINDOWS\system32\xgnfn.cfg
C:\WINDOWS\temp\perflib_perfdata_1cc.dat
D:\Personal\Favorites\链接

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FPIDS32
-------\Legacy_HBKERNEL
-------\Legacy_R072B
-------\Legacy_SEICTRL
-------\Service_8xqd3
-------\Service_HBKernel
-------\Service_mnsf
-------\Service_Nessery
-------\Service_r072b
-------\Service_seictrl


(((((((((((((((((((((((((((( 2008-07-20 - 2008-08-20 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2008-08-14 10:58 . 2008-08-14 10:58 <DIR> d--hs---- C:\FOUND.001
2008-08-14 01:23 . 2008-08-14 01:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Netscape
2008-08-14 01:00 . 2008-08-14 01:00 <DIR> d-------- C:\Program Files\Common Files\Thunder Network
2008-08-14 01:00 . 2008-08-19 18:06 26 --a------ C:\WINDOWS\system32\xlhcc.dat
2008-08-14 01:00 . 2008-08-14 01:01 20 --a------ C:\WINDOWS\system32\pub_store.dat
2008-08-13 08:40 . 2008-08-13 08:40 <DIR> d--hs---- C:\FOUND.000
2008-08-10 02:46 . 2008-08-10 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Thunder Network
2008-08-10 01:35 . 2008-08-10 01:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\safenetdrm
2008-08-10 01:34 . 2008-08-10 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CCTV
2008-07-30 15:48 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-30 15:48 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-30 15:48 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-30 15:48 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-30 15:47 . 2008-07-30 15:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-07-28 09:26 . 2008-07-28 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-26 12:20 . 2008-07-26 12:50 24,376 --a------ C:\WINDOWS\system32\QQBox.bmp
2008-07-26 12:19 . 2008-07-26 12:19 108 --a------ C:\emsf.bat
2008-07-24 17:06 . 2008-07-24 17:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 04:00 94,208 ----a-w C:\WINDOWS\system32\MSSTKPRP.DLL
2008-11-12 04:00 7,168 ----a-w C:\WINDOWS\system32\MSPRPCHS.DLL
2008-11-12 04:00 40,960 ----a-w C:\WINDOWS\system32\VBAME.DLL
2008-11-12 04:00 36,864 ----a-w C:\WINDOWS\system32\MFC42CHS.DLL
2008-11-12 04:00 204,800 ----a-w C:\WINDOWS\system32\INKED.DLL
2008-11-12 04:00 189,952 ----a-w C:\WINDOWS\system32\WISPTIS.EXE
2008-11-12 04:00 15,872 ----a-w C:\WINDOWS\system32\SCP32.DLL
2008-08-13 09:41 57,837 ----a-w C:\WINDOWS\Tasks\sky.exe
2008-08-13 09:41 115,200 ----a-w C:\WINDOWS\Fonts\winntls.exe
2008-07-28 06:24 237,168 ------w C:\WINDOWS\system32\bsmain.exe
2008-07-28 06:24 10,736 ------w C:\WINDOWS\system32\drivers\RsNTGdi.sys
2008-07-28 06:22 62,576 ------w C:\WINDOWS\system32\drivers\HookNtos.sys
2008-07-28 06:22 38,256 ------w C:\WINDOWS\system32\drivers\HOOKREG.sys
2008-07-28 06:22 13,808 ------w C:\WINDOWS\system32\drivers\HookCont.sys
2008-07-28 06:21 30,704 ------w C:\WINDOWS\system32\drivers\HookHelp.sys
2008-07-28 06:21 164,848 ------w C:\WINDOWS\system32\drivers\HookSys.sys
2008-07-28 06:21 113,264 ------w C:\WINDOWS\system32\RavExt.dll
2008-07-23 05:17 94,720 ----a-w C:\WINDOWS\Fonts\smcw.exe
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:22 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:22 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 02:14 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-23 09:19 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:19 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:39 240,640 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:39 240,640 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 15:09 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 13:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 07:22 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 07:22 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 17:59 269,824 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2004-08-08 05:15 520 --sh--w C:\WINDOWS\system32\xscqbhlp.sys
2004-08-08 05:15 482,824 --sh--w C:\WINDOWS\system32\ypcqhhlp.dll
2004-08-08 05:28 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白或合法的登錄值將不會顯示.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"BigDog305"="C:\WINDOWS\VM305_STI.EXE" [2007-01-05 13:37 61440]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 577536 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\「开始」菜单\程序\启动\
服务管理器.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-04-09 00:08:44 69632]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnEixt"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{32CD708B-60A7-4C00-9377-D73EAA495F0F}"= "C:\WINDOWS\system32\RavExt.dll" [2008-07-28 14:21 113264]
"{90AF1289-F140-A140-D012-C1458759FC09}"= "C:\WINDOWS\system32\ypcqhhlp.dll" [2004-08-08 13:15 482824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zsqf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= C:\WINDOWS\system32\l3codeca.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DrvAnti.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwadins.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebscd.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebupw.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavXP.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spiderml.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spidernt.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spiderui.exe]
"debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spml_set.exe]
"debugger"=ntsd -d

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「开始」菜单^程序^启动^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bgswitch]
--a------ 2004-02-22 16:01 19520 C:\WINDOWS\system32\bgswitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305]
--------- 2007-01-05 13:37 61440 C:\WINDOWS\VM305_STI.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSCMIG40W]
--a------ 2003-12-05 15:39 24576 C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WangWang]
--a------ 2008-04-04 15:07 3772416 D:\Program Files\Alisoft\WangWang\WangWang.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"D:\\Program Files\\Alisoft\\WangWang\\WangWang.exe"=
"D:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"D:\\Program Files\\Tencent\\QQ\\QQUpdateCenter.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"D:\\Program Files\\KuGoo3\\KuGoo.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\电影\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Tencent\\QQGAME\\QQGameDl.exe"=
"D:\\Program Files\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 RsNTGDI;RsNTGDI;C:\WINDOWS\system32\Drivers\RsNTGdi.sys [2008-07-28 14:24]
R1 HookCont;HookCont;C:\WINDOWS\system32\drivers\HookCont.sys [2008-07-28 14:22]
R1 HookNtos;HookNtos;C:\WINDOWS\system32\drivers\HookNtos.sys [2008-07-28 14:22]
R1 HookReg;HookReg;C:\WINDOWS\system32\drivers\HookReg.sys [2008-07-28 14:22]
R1 HookSys;HookSys;C:\WINDOWS\system32\drivers\HookSys.sys [2008-07-28 14:21]
R2 RsCCenter;Rising Process Communication Center;d:\Program Files\Rising\Rav\CCenter.exe [2008-07-28 14:22]
R3 vvftav;vvftav;C:\WINDOWS\system32\drivers\vvftav.sys [2007-02-02 21:38]
R3 ZSMC0305;USB PC Camera VC305;C:\WINDOWS\system32\Drivers\usbVM305.sys [2007-03-08 19:05]
S0 jg00x8iyjr;jg00x8iyj;C:\WINDOWS\system32\DRIVERS\jg00x8iyjr.sys []
S0 vydhnvzh;vydhnvzh;C:\WINDOWS\system32\drivers\vydhnvzh.sys []
S0 wdtsr;wdts;C:\WINDOWS\system32\drivers\wdtsr.sys []
S0 z7xq6c1ddy;z7xq6c1dd;C:\WINDOWS\system32\DRIVERS\z7xq6c1ddy.sys []
S2 RsRavMon;Rising RealTime Monitor;D:\PROGRAM FILES\RISING\RAV\Ravmond.exe [2008-07-28 14:21]
S2 wwinsystem;wwinsystem;C:\WINDOWS\system32\tcpip.exe []
S3 awrjd;awrjd;D:\Personal\Temp\_tmp.bat []
S3 ayzpqa;ayzpqa;C:\WINDOWS\system32\drivers\ayzpqa.sys []
S3 cabyopr;cabyopr;C:\WINDOWS\system32\drivers\cabyopr.sys []
S3 npkycryp;npkycryp;D:\Program Files\Tencent\QQ\npkycryp.sys []
S3 pabzaxy;pabzaxy;C:\WINDOWS\system32\drivers\pabzaxy.sys []
S3 qprbzqx;qprbzqx;C:\WINDOWS\system32\drivers\qprbzqx.sys []
S3 qrabpqx;qrabpqx;C:\WINDOWS\system32\drivers\qrabpqx.sys []
S3 TSKSP;TSKSP;D:\Program Files\Tencent\QQDoctor\TSKSP.sys [2008-06-06 17:10]
S3 xyzqcbo;xyzqcbo;C:\WINDOWS\system32\drivers\xyzqcbo.sys []
S3 zpqaxb;zpqaxb;C:\WINDOWS\system32\drivers\zpqaxb.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e113631-ea94-11da-a379-806d6172696f}]
\Shell\AutoRun\command - I:\AUTORUN.EXE
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
HKU-Default-Run-ctfmon.exe - C:\WINDOWS\system32\CTFMON.EXE
ShellExecuteHooks-{5ac6d3c3-f564-407e-9c4b-ce4b6cd3f9ac} - C:\WINDOWS\system32\ttQACQAC1032.dll
ShellExecuteHooks-{C629FF4F-ACDB-5C90-A098-FACB3456A26C} - C:\WINDOWS\system32\hdf453d1.dll
ShellExecuteHooks-{8FD45A54-9875-698F-E56E-65102358FDF8} - C:\WINDOWS\system32\apsghjba.dll
MSConfigStartUp-ctfmon - C:\WINDOWS\system32\ctfmon.exe
MSConfigStartUp-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gg9aw1lj.default\
.
.
------- File Associations (Beta) -------
.
chm.file="hh.exe" %1
txtfile=C:\WINDOWS\notepad.exe %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 00:04:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

掃描隱藏的程序 ...

掃描隱藏的進程 ...

掃描隱藏的檔案 ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\awrjd]
"ImagePath"="\??\D:\Personal\Temp\_tmp.bat"
.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:12, on 2008-08-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\search.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.cctv.com
O15 - Trusted Zone: *.kdy8.com
O15 - Trusted Zone: *.yahoo.cn
O15 - Trusted Zone: *.yahoo.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - d:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: wwinsystem - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)

--
End of file - 5674 bytes

grancher
2008-08-20, 19:39
Thank you very much for your reply too by the way.

Shaba
2008-08-20, 19:49
Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the first file on the list into the white "Upload a file" box and click Submit/Send (depending on which one you are using, Jotti or VirusTotal).

C:\WINDOWS\Tasks\sky.exe
C:\WINDOWS\Fonts\winntls.exe
C:\WINDOWS\Fonts\smcw.exe

Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

grancher
2008-08-21, 05:15
File: sky.exe
Status:
INFECTED/MALWARE
MD5: 2a58458e81228b6bc717afdbccab0258
Packers detected:
FSG
Scanner results
Scan taken on 21 Aug 2008 02:05:34 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Small.BQL
ArcaVir
Found nothing
Avast
Found Win32:AutoRun-NI
AVG Antivirus
Found nothing
BitDefender
Found Generic.Malware.SYBd.BB17D840 (probable variant)
ClamAV
Found Trojan.Small-3632
CPsecure
Found nothing
Dr.Web
Found Win32.HLLW.Autoruner.579
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably a variant of Win32/TrojanDownloader.VB.NPP (probable variant)
Norman Virus Control
Found Suspicious_F.gen
Panda Antivirus
Found nothing
Sophos Antivirus
Found Mal/TibsPk-A
VirusBuster
Found nothing
VBA32
Found Embedded.Trojan-Spy.Win32.Agent.ccb (probable variant)


File: winntls.exe
Status:
INFECTED/MALWARE
MD5: 1054a473f60f3906216a71370a0f2ca4
Packers detected:
-
Scanner results
Scan taken on 21 Aug 2008 02:11:34 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Small.BQL
ArcaVir
Found nothing
Avast
Found Win32:AutoRun-NI
AVG Antivirus
Found Dropper.Generic.OPH
BitDefender
Found Virtool.11364
ClamAV
Found Trojan.Small-3632
CPsecure
Found RiskTool.W32.HideProc.C
Dr.Web
Found Win32.HLLW.Autoruner.579
F-Prot Antivirus
Found W32/HackTool.CTH
F-Secure Anti-Virus
Found Trojan.Win32.Inject.ffb
Fortinet
Found W32/QHost.O!tr (probable variant)
Ikarus
Found not-a-virus:RiskTool.Win32.HideProc.c
Kaspersky Anti-Virus
Found Trojan.Win32.Inject.ffb
NOD32
Found Win32/HideProc.D application
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Qhost-O
VirusBuster
Found nothing
VBA32
Found Trojan-Downloader.Win32.Small.ybu


File: smcw.exe
Status:
INFECTED/MALWARE
MD5: e7231c04cbbe6786088c47ca4f06dee7
Packers detected:
-
Scanner results
Scan taken on 21 Aug 2008 02:13:49 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Small.BQL
ArcaVir
Found nothing
Avast
Found Win32:AutoRun-NI
AVG Antivirus
Found Dropper.Generic.OPH
BitDefender
Found Virtool.11866
ClamAV
Found Trojan.Small-3632
CPsecure
Found RiskTool.W32.HideProc.C
Dr.Web
Found Win32.HLLW.Autoruner.579
F-Prot Antivirus
Found W32/HackTool.CTH
F-Secure Anti-Virus
Found nothing
Fortinet
Found W32/QHost.O!tr (probable variant)
Ikarus
Found not-a-virus:RiskTool.Win32.HideProc.c
Kaspersky Anti-Virus
Found nothing
NOD32
Found Win32/HideProc.D application
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Qhost-O
VirusBuster
Found nothing
VBA32
Found Trojan-Downloader.Win32.Small.ybu
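
Added example (not from the original post and not Jotti's code): a Python parser for this report format that turns the flat engine/verdict pairs into a per-file detection ratio and a count of the family names that recur across engines. The embedded sample is a constructed, abridged copy of the output above, and the ", " separator for multiple packers is an assumption.

```python
"""Parser for the Jotti multi-engine report format pasted above.
Added example: not part of the original post and not Jotti's own code. The flat
engine/verdict pairs become one record per file with its detection ratio and the
family names that recur across engines, which is what "all are bad" rests on.
SAMPLE is a constructed, abridged copy of the posted output for two files."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = """\
File: sky.exe
MD5: 2a58458e81228b6bc717afdbccab0258
Packers detected:
FSG
Scanner results
Scan taken on 21 Aug 2008 02:05:34 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Small.BQL
ClamAV
Found Trojan.Small-3632
NOD32
Found probably a variant of Win32/TrojanDownloader.VB.NPP (probable variant)

File: winntls.exe
MD5: 1054a473f60f3906216a71370a0f2ca4
Packers detected:
-
Scanner results
Scan taken on 21 Aug 2008 02:11:34 (GMT)
AntiVir
Found TR/Small.BQL
CPsecure
Found RiskTool.W32.HideProc.C
Ikarus
Found not-a-virus:RiskTool.Win32.HideProc.c
NOD32
Found Win32/HideProc.D application
"""

# Class labels and hedges rather than family names; these tokens are not counted.
NOISE = {"win", "trojan", "trojandownloader", "downloader", "dropper", "generic", "malware",
         "probably", "probable", "variant", "application", "not", "virus", "risktool", "gen"}


@dataclass
class FileReport:
    name: str
    md5: str = ""
    packers: list[str] = field(default_factory=list)
    verdicts: dict[str, str | None] = field(default_factory=dict)  # None = "Found nothing"

    @property
    def ratio(self) -> str:
        """Detections over engines queried, e.g. "3/4"."""
        return f"{sum(v is not None for v in self.verdicts.values())}/{len(self.verdicts)}"

    def family_counts(self) -> Counter:
        """Count family-like tokens across all verdicts so recurring names stand out."""
        counts: Counter = Counter()
        for verdict in self.verdicts.values():
            for tok in re.findall(r"[A-Za-z]{3,}", verdict or ""):
                if tok.lower() not in NOISE:
                    counts[tok.lower()] += 1
        return counts


def parse_jotti(text: str) -> list[FileReport]:
    """Walk the report line by line; one FileReport per "File:" header."""
    lines = [ln.strip() for ln in text.splitlines()]
    reports: list[FileReport] = []
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("File: "):
            reports.append(FileReport(name=ln[6:]))
        elif ln.startswith("MD5: "):
            md5 = ln[5:].lower()
            if not re.fullmatch(r"[0-9a-f]{32}", md5):
                raise ValueError(f"malformed MD5 for {reports[-1].name}: {md5!r}")
            reports[-1].md5 = md5
        elif ln == "Packers detected:":
            i += 1
            if lines[i] != "-":  # "-" means no packer recognised; ", " separator is an assumption
                reports[-1].packers = lines[i].split(", ")
        elif ln == "Scanner results":
            i += 2  # skip "Scan taken on ..."; engine/verdict pairs follow until a blank line
            while i + 1 < len(lines) and lines[i]:
                engine, verdict = lines[i], lines[i + 1]
                if not verdict.startswith("Found "):
                    raise ValueError(f"unexpected verdict line for {engine}: {verdict!r}")
                reports[-1].verdicts[engine] = None if verdict == "Found nothing" else verdict[6:]
                i += 2
            continue
        i += 1
    return reports
```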

Shaba
2008-08-21, 08:40
Yes, all are bad and we need samples:

Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

C:\WINDOWS\Tasks\sky.exe
C:\WINDOWS\Fonts\winntls.exe
C:\WINDOWS\Fonts\smcw.exe

Go to spykiller (http://www.thespykiller.co.uk/index.php?PHPSESSID=d65884362fbc872b70e1a9a9a7e13700&board=1.0)

Press new topic, make the thread's title "Files for Shaba"
Include in your message a link to here, then attach the cab/zip file to your message and post the topic.
If you can't locate it through the browse button just copy/paste the filename and path.

After that, reply here and we'll continue :)

grancher
2008-08-21, 18:39
Files posted

Shaba
2008-08-21, 19:46
Thank you :)

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\Tasks\sky.exe
C:\WINDOWS\Fonts\winntls.exe
C:\WINDOWS\Fonts\smcw.exe
C:\WINDOWS\system32\drivers\xyzqcbo.sys
C:\WINDOWS\system32\drivers\zpqaxb.sys
C:\WINDOWS\system32\drivers\pabzaxy.sys
C:\WINDOWS\system32\drivers\qprbzqx.sys
C:\WINDOWS\system32\drivers\qrabpqx.sys
C:\WINDOWS\system32\DRIVERS\jg00x8iyjr.sys
C:\WINDOWS\system32\drivers\vydhnvzh.sys
C:\WINDOWS\system32\drivers\wdtsr.sys
C:\WINDOWS\system32\DRIVERS\z7xq6c1ddy.sys
D:\Personal\Temp\_tmp.bat
C:\WINDOWS\system32\drivers\ayzpqa.sys
C:\WINDOWS\system32\drivers\cabyopr.sys

Driver::
jg00x8iyjr
vydhnvzh
wdtsr
z7xq6c1ddy
wwinsystem
awrjd;
ayzpqa
cabyopr
pabzaxy
qprbzqx
qrabpqx
xyzqcbo
zpqaxb

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

grancher
2008-08-22, 10:43
When I tried to drop CFScript.txt into Combofix I got the same five error messages I got when I tried to drop Windows Restore into Combofix. After the error messages nothing happened; Combofix did not start.

I have also been unable to use Ctrl+Alt+Del for quite some time, so I'm not sure I would be able to end any processes that might be interfering with anything.

The error messages:

1st: The title heading said: Combofix.exe
In the content area it said something about DLL C:\WINDOWS\system32\ypcqhhlp.dll and wanted me to put in my Windows CD.

2nd: nircmd.com in the title heading
In the content area it said something about DLL C:\WINDOWS\system32\ypcqhhlp.dll and wanted me to put in my Windows CD.

The 3rd, 4th and 5th error messages said ComboFix.exe in the title heading and repeated the same message.

Shaba
2008-08-22, 11:39
Please try again in safe mode then :)

grancher
2008-08-22, 16:25
The same thing happened in safe mode.

Shaba
2008-08-22, 18:56
Then we use this:

Download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.

In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft

Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

grancher
2008-08-22, 19:50
OTScanIt logfile created on: 2008-08-23 00:48:16
OTScanIt by OldTimer - Version 1.0.16.2 Folder = C:\Documents and Settings\Administrator\桌面\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000804 | Country: 中国 | Language: CHS | Date Format: yyyy-MM-dd

510.73 Mb Total Physical Memory | 311.43 Mb Available Physical Memory | 60.98% Memory free
1.59 Gb Paging File | 1.09 Gb Available in Paging File | 68.10% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 8.03 Gb Total Space | 1.47 Gb Free Space | 18.26% Space Free | Partition Type: FAT32
Drive D: | 24.19 Gb Total Space | 16.82 Gb Free Space | 69.54% Space Free | Partition Type: FAT32
Drive E: | 24.19 Gb Total Space | 22.79 Gb Free Space | 94.20% Space Free | Partition Type: FAT32
Drive F: | 18.08 Gb Total Space | 3.97 Gb Free Space | 21.95% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HTTP-A25E8A1211
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ccenter.exe -> d:\Program Files\Rising\Rav\CCenter.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.33 | Size = 162416 bytes | Modified Date = 2008-07-28 14:22:52 | Attr = ]
ravmond.exe -> D:\PROGRAM FILES\RISING\RAV\ravmond.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.80 | Size = 395888 bytes | Modified Date = 2008-07-28 14:21:48 | Attr = ]
ravstub.exe -> D:\PROGRAM FILES\RISING\RAV\RavStub.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.10 | Size = 133744 bytes | Modified Date = 2008-07-28 14:21:48 | Attr = ]
pctsauxs.exe -> D:\Program Files\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 6, 0, 0, 3 | Size = 356920 bytes | Modified Date = 2008-06-13 15:29:14 | Attr = ]
pctssvc.exe -> D:\Program Files\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 6.0.0.16 | Size = 1073544 bytes | Modified Date = 2008-08-10 00:24:52 | Attr = ]
soundman.exe -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5, 1, 0, 56 | Size = 577536 bytes | Modified Date = 2006-08-03 05:12:36 | Attr = ]
vm305_sti.exe -> %SystemRoot%\VM305_STI.EXE -> Vimicro [Ver = 4, 3, 625, 61 | Size = 61440 bytes | Modified Date = 2007-01-05 13:37:00 | Attr = ]
pctstray.exe -> D:\Program Files\Spyware Doctor\pctsTray.exe -> PC Tools [Ver = 6.0.0.10 | Size = 1166216 bytes | Modified Date = 2008-07-16 09:16:20 | Attr = ]
ravmon.exe -> D:\PROGRAM FILES\RISING\RAV\RavMon.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.01.24 | Size = 424560 bytes | Modified Date = 2008-07-28 14:21:48 | Attr = ]
navigator.exe -> %ProgramFiles%\Netscape\Navigator 9\navigator.exe -> Netscape [Ver = Personal | Size = 8253440 bytes | Modified Date = 2008-02-20 01:16:58 | Attr = ]
otscanit.exe -> %UserProfile%\桌面\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.16.2 | Size = 397312 bytes | Modified Date = 2008-07-12 09:29:54 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\System32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 223744 bytes | Modified Date = 2006-05-23 11:10:36 | Attr = ]
(RsCCenter) Rising Process Communication Center [Win32_Own | Auto | Running] -> d:\Program Files\Rising\Rav\CCenter.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.33 | Size = 162416 bytes | Modified Date = 2008-07-28 14:22:52 | Attr = ]
(RsRavMon) Rising RealTime Monitor [Win32_Own | Auto | Stopped] -> D:\PROGRAM FILES\RISING\RAV\Ravmond.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.80 | Size = 395888 bytes | Modified Date = 2008-07-28 14:21:48 | Attr = ]
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | Auto | Running] -> D:\Program Files\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 6, 0, 0, 3 | Size = 356920 bytes | Modified Date = 2008-06-13 15:29:14 | Attr = ]
(sdCoreService) PC Tools Security Service [Win32_Own | Auto | Running] -> D:\Program Files\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 6.0.0.16 | Size = 1073544 bytes | Modified Date = 2008-08-10 00:24:52 | Attr = ]
(wwinsystem) wwinsystem [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\tcpip.exe -> File not found

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 2008-01-11 22:16:38 | Attr = ]
BigDog305 -> %SystemRoot%\VM305_STI.EXE [C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)] -> Vimicro [Ver = 4, 3, 625, 61 | Size = 61440 bytes | Modified Date = 2007-01-05 13:37:00 | Attr = ]
ISTray -> D:\Program Files\Spyware Doctor\pctsTray.exe ["D:\Program Files\Spyware Doctor\pctsTray.exe"] -> PC Tools [Ver = 6.0.0.10 | Size = 1166216 bytes | Modified Date = 2008-07-16 09:16:20 | Attr = ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE [SOUNDMAN.EXE] -> Realtek Semiconductor Corp. [Ver = 5, 1, 0, 56 | Size = 577536 bytes | Modified Date = 2006-08-03 05:12:36 | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
ctfmon.exe -> %SystemRoot%\system32\ctfmon.exe [C:\WINDOWS\system32\ctfmon.exe] -> File not found
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{32CD708B-60A7-4C00-9377-D73EAA495F0F} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\RavExt.dll [Rising Execute File Exts hook] -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.18 | Size = 113264 bytes | Modified Date = 2008-07-28 14:21:42 | Attr = ]
{5ac6d3c3-f564-407e-9c4b-ce4b6cd3f9ac} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ttQACQAC1032.dll [ttQACQAC1032.dll] -> File not found
{8FD45A54-9875-698F-E56E-65102358FDF8} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\apsghjba.dll [apsghjba.dll] -> File not found
{90AF1289-F140-A140-D012-C1458759FC09} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\ypcqhhlp.dll [ypcqhhlp.dll] -> [Ver = | Size = 482824 bytes | Modified Date = 2004-08-08 13:15:58 | Attr = HS]
{C629FF4F-ACDB-5C90-A098-FACB3456A26C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\hdf453d1.dll [hdf453d1.dll] -> File not found
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.3156 (xpsp_sp2_qfe.070613-1311) | Size = 977920 bytes | Modified Date = 2007-06-13 21:10:16 | Attr = ]
*MultiFile Done* -> ->
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit ->
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 23552 bytes | Modified Date = 2006-05-23 11:10:36 | Attr = ]
*MultiFile Done* -> ->
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost ->
logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 513024 bytes | Modified Date = 2006-05-23 11:10:36 | Attr = ]
*MultiFile Done* -> ->
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
rundll32 shell32 -> %SystemRoot%\System32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.3241 (xpsp_sp2_qfe.071025-1245) | Size = 8317952 bytes | Modified Date = 2007-10-26 00:43:28 | Attr = ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 283648 bytes | Modified Date = 2006-05-23 11:10:36 | Attr = ]
*MultiFile Done* -> ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoLowDiskSpaceChecks -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableRegistryTools -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLegacyLogonScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLogoffScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunLogonScriptSync -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunStartupScriptSync -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideStartupScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup ->
SCSI miniport -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 49536 bytes | Modified Date = 2006-05-23 11:10:36 | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 ->
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable ->
NEC MBR-7 -> -> File not found
NEC MBR-7.4 -> -> File not found
PIONEER CHANGR DRM-1804X -> -> File not found
PIONEER CD-ROM DRM-6324X -> -> File not found
PIONEER CD-ROM DRM-624X -> -> File not found
TORiSAN CD-ROM CDR_C36 -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomTSSTcorp_DVD-ROM_TS-H352A_______________TS01____\5&234b4860&0&0.0.0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 1 ->
< Drives - Autoruns > -> ->
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ FAT32 ] -> [Ver = | Size = 0 bytes | Modified Date = 2006-05-23 20:06:42 | Attr = RHS]
< HOSTS File > (260077 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> about:blank ->
HKEY_CURRENT_USER\: SearchURL\\ -> http://www.google.com/search?q=%s[Reg Error: Value provider does not exist or could not be read.] ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4771 domain(s) found. ->
45 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7085 domain(s) found. ->
cctv.com . -> 可信站点 ->
kdy8.com . -> 可信站点 ->
yahoo.cn . -> 可信站点 ->
yahoo.com . -> 可信站点 ->
51 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{01443AEC-0FD1-40fd-9C87-E93D1494C233} [HKEY_LOCAL_MACHINE] -> D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll [ThunderAtOnce Class] -> Thunder Networking Technologies,LTD [Ver = 1.0.5.29 | Size = 177616 bytes | Modified Date = 2008-06-13 09:43:58 | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 2006-10-22 23:08:42 | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 2007-09-25 01:11:34 | Attr = ]
{889D2FEB-5411-4565-8998-1DD2C5261283} [HKEY_LOCAL_MACHINE] -> D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll [Thunder Browser Helper] -> Thunder Networking Technologies,LTD [Ver = 5, 0, 8, 96 | Size = 198096 bytes | Modified Date = 2008-06-13 09:43:58 | Attr = ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java 控制台] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 2007-09-25 01:11:34 | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java 控制台] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 2007-09-25 01:11:34 | Attr = ]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}:Exec -> D:\Program Files\Thunder Network\Thunder\Thunder.exe [启动迅雷5] -> Thunder Networking Technologies,LTD [Ver = 5, 6, 8, 19 | Size = 45056 bytes | Modified Date = 2008-07-10 21:15:00 | Attr = ]
{95B3F550-91C4-4627-BCC4-521288C52977}:Exec -> E:\电影\PPLive\PPLive.exe [PPLive] -> [Ver = | Size = 190072 bytes | Modified Date = 2007-03-16 13:46:10 | Attr = ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} [HKEY_LOCAL_MACHINE] -> D:\Program Files\Thunder Network\Thunder\Thunder.exe [启动迅雷5] -> Thunder Networking Technologies,LTD [Ver = 5, 6, 8, 19 | Size = 45056 bytes | Modified Date = 2008-07-10 21:15:00 | Attr = ]
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157b} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
使用迅雷下载 -> D:\Program Files\Thunder Network\Thunder\Program\geturl.htm -> [Ver = | Size = 3946 bytes | Modified Date = 2008-06-13 09:55:40 | Attr = ]
使用迅雷下载全部链接 -> D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm -> [Ver = | Size = 1673 bytes | Modified Date = 2008-06-13 09:55:40 | Attr = ]
添加到QQ表情 -> D:\Program Files\Tencent\QQ\AddEmotion.htm -> [Ver = | Size = 893 bytes | Modified Date = 2008-01-04 09:17:28 | Attr = ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{8CBAFD0C-D76A-4872-9C4F-3C2A0A5A9538} -> () ->
{8F214FBA-83EF-4239-8B83-A6448847A2F4} -> (VIA Compatable Fast Ethernet Adapter) ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
KuGoo3:{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} [HKEY_LOCAL_MACHINE] -> D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX[] -> [Ver = | Size = 505856 bytes | Modified Date = 2006-11-16 10:10:02 | Attr = ]
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL[IEProtocolHandler Class] -> Skype Technologies [Ver = 1, 0, 27, 0 | Size = 1828440 bytes | Modified Date = 2007-06-27 04:22:36 | Attr = R ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{215B8138-A3CF-44C5-803F-8226143CFC0A}[HKEY_LOCAL_MACHINE] -> http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab[Trend Micro ActiveX Scan Agent 6.6] ->
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}[HKEY_LOCAL_MACHINE] -> http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[Symantec AntiVirus scanner] ->
{644E432F-49D3-41A1-8DD5-E099162EEEC5}[HKEY_LOCAL_MACHINE] -> http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[Symantec RuFSI Utility Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab[Java Plug-in 1.6.0_03] ->
{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}[HKEY_LOCAL_MACHINE] -> http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll[CCTVUpdateInstall] ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] ->
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniff.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniff.dll\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniff.dll\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniffdlgs.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniffdlgs.dll\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/avsniffdlgs.dll\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CCTVUpdateInstall.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CCTVUpdateInstall.dll\\.Owner -> {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CCTVUpdateInstall.dll\\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ecmldr32.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ecmldr32.dll\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ecmldr32.dll\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Housecall_ActiveX.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Housecall_ActiveX.dll\\.Owner -> {215B8138-A3CF-44C5-803F-8226143CFC0A} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/Housecall_ActiveX.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi.vxd\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi.vxd\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi.vxd\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi32.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi32.dll\\.Owner -> {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/navapi32.dll\\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/rufsi.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/rufsi.dll\\.Owner -> {644E432F-49D3-41A1-8DD5-E099162EEEC5} ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/rufsi.dll\\{644E432F-49D3-41A1-8DD5-E099162EEEC5} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcp60.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcp60.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcp60.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\\{215B8138-A3CF-44C5-803F-8226143CFC0A} -> ->



[Files/Folders - Created Within 30 days]
FOUND.000 -> %SystemDrive%\FOUND.000 -> [Folder | Created Date = 2008-08-13 08:40:42 | Attr = HS]
FOUND.001 -> %SystemDrive%\FOUND.001 -> [Folder | Created Date = 2008-08-14 10:58:36 | Attr = HS]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 2008-08-20 23:56:22 | Attr = ]
327882R2FWJFW -> %SystemDrive%\327882R2FWJFW -> [Folder | Created Date = 2008-08-22 15:26:36 | Attr = ]
emsf.bat -> %SystemDrive%\emsf.bat -> [Ver = | Size = 108 bytes | Created Date = 2008-07-26 12:19:42 | Attr = ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 2008-08-20 23:56:17 | Attr = ]
iksysflt.sys -> %SystemRoot%\System32\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1029 | Size = 66952 bytes | Created Date = 2008-07-30 15:48:24 | Attr = ]
iksyssec.sys -> %SystemRoot%\System32\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1033 | Size = 81288 bytes | Created Date = 2008-07-30 15:48:24 | Attr = ]
kcom.sys -> %SystemRoot%\System32\drivers\kcom.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1008 | Size = 29576 bytes | Created Date = 2008-07-30 15:48:24 | Attr = ]
ikfilesec.sys -> %SystemRoot%\System32\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1042 built by: WinDDK | Size = 42376 bytes | Created Date = 2008-07-30 15:48:24 | Attr = ]
xlhcc.dat -> %SystemRoot%\System32\xlhcc.dat -> [Ver = | Size = 26 bytes | Created Date = 2008-08-14 01:00:59 | Attr = ]
VBACHS32.OLB -> %SystemRoot%\System32\VBACHS32.OLB -> [Ver = | Size = 24336 bytes | Created Date = 2008-11-12 12:00:00 | Attr = ]
VSFLEX3.OCX -> %SystemRoot%\System32\VSFLEX3.OCX -> VideoSoft [Ver = 3.00.036 | Size = 225280 bytes | Created Date = 2008-11-12 12:00:00 | Attr = ]
LogFiles -> %SystemRoot%\System32\LogFiles -> [Folder | Created Date = 2008-07-24 17:06:48 | Attr = ]
QQBox.bmp -> %SystemRoot%\System32\QQBox.bmp -> [Ver = | Size = 24376 bytes | Created Date = 2008-07-26 12:20:11 | Attr = ]
pub_store.dat -> %SystemRoot%\System32\pub_store.dat -> [Ver = | Size = 20 bytes | Created Date = 2008-08-14 01:00:59 | Attr = ]
swxcacls.exe -> %SystemRoot%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2008-08-20 23:56:20 | Attr = ]
swsc.exe -> %SystemRoot%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2008-08-20 23:56:20 | Attr = ]
fdsv.exe -> %SystemRoot%\fdsv.exe -> Smallfrogs Studio [Ver = 1, 2, 0, 22 | Size = 89504 bytes | Created Date = 2008-08-20 23:56:20 | Attr = ]
PSEXESVC.EXE -> %SystemRoot%\PSEXESVC.EXE -> Sysinternals [Ver = 1.70 | Size = 53248 bytes | Created Date = 2008-08-21 00:01:34 | Attr = ]
sed.exe -> %SystemRoot%\sed.exe -> [Ver = | Size = 98816 bytes | Created Date = 2008-08-20 23:56:20 | Attr = ]
VFind.exe -> %SystemRoot%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 2008-08-20 23:56:20 | Attr = ]
zip.exe -> %SystemRoot%\zip.exe -> [Ver = | Size = 68096 bytes | Created Date = 2008-08-20 23:56:20 | Attr = ]
swreg.exe -> %SystemRoot%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 2008-08-20 23:56:20 | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 2008-08-20 23:57:27 | Attr = ]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.10 | Size = 28672 bytes | Created Date = 2008-08-20 23:56:20 | Attr = ]
RSBDBACKUP.DLL -> %SystemRoot%\RSBDBACKUP.DLL -> [Ver = | Size = 162 bytes | Created Date = 2008-08-21 00:13:47 | Attr = ]
sky.exe -> %SystemRoot%\tasks\sky.exe -> [Ver = | Size = 57837 bytes | Created Date = 2008-08-13 17:41:10 | Attr = ]

[Files/Folders - Modified Within 30 days]
FOUND.000 -> %SystemDrive%\FOUND.000 -> [Folder | Modified Date = 2008-08-13 08:40:42 | Attr = HS]
FOUND.001 -> %SystemDrive%\FOUND.001 -> [Folder | Modified Date = 2008-08-14 10:58:36 | Attr = HS]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-21 00:04:52 | Attr = H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-21 00:04:52 | Attr = H ]
sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-21 09:37:58 | Attr = H ]
sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-21 09:37:58 | Attr = H ]
sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-21 22:59:40 | Attr = H ]
sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-21 22:59:40 | Attr = H ]
sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-22 13:32:30 | Attr = H ]
sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-22 13:32:30 | Attr = H ]
sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-22 21:00:26 | Attr = H ]
sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-22 21:00:26 | Attr = H ]
sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-22 21:22:26 | Attr = H ]
sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-22 21:22:26 | Attr = H ]
sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-15 13:37:52 | Attr = H ]
sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-15 13:37:52 | Attr = H ]
sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-16 12:47:12 | Attr = H ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-16 12:47:12 | Attr = H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-16 22:46:28 | Attr = H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-16 22:46:28 | Attr = H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-17 15:11:52 | Attr = H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-17 15:11:52 | Attr = H ]
sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-18 09:45:34 | Attr = H ]
sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-18 09:45:34 | Attr = H ]
sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-18 10:10:24 | Attr = H ]
sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-18 10:10:24 | Attr = H ]
sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-18 16:10:30 | Attr = H ]
sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-18 16:10:30 | Attr = H ]
sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-18 18:22:02 | Attr = H ]
sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-18 18:22:02 | Attr = H ]
sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-18 22:34:26 | Attr = H ]
sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-18 22:34:26 | Attr = H ]
sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-19 10:12:08 | Attr = H ]
sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-19 10:12:08 | Attr = H ]
sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-19 14:21:56 | Attr = H ]
sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-19 14:21:56 | Attr = H ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 2008-08-20 23:56:24 | Attr = ]
sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-20 11:15:30 | Attr = H ]
sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-20 11:15:30 | Attr = H ]
sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-20 22:35:28 | Attr = H ]
sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-20 22:35:28 | Attr = H ]
sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2008-08-20 23:54:40 | Attr = H ]
sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm -> [Ver = | Size = 268 bytes | Modified Date = 2008-08-20 23:54:40 | Attr = H ]
327882R2FWJFW -> %SystemDrive%\327882R2FWJFW -> [Folder | Modified Date = 2008-08-18 15:24:12 | Attr = ]
emsf.bat -> %SystemDrive%\emsf.bat -> [Ver = | Size = 108 bytes | Modified Date = 2008-07-26 12:19:44 | Attr = ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 2008-08-20 23:56:18 | Attr = ]
RsNTGdi.sys -> %SystemRoot%\System32\drivers\RsNTGdi.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 20, 0, 0, 3 | Size = 10736 bytes | Modified Date = 2008-07-28 14:24:18 | Attr = ]
HookHelp.sys -> %SystemRoot%\System32\drivers\HookHelp.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 15 | Size = 30704 bytes | Modified Date = 2008-07-28 14:21:48 | Attr = ]
HookSys.sys -> %SystemRoot%\System32\drivers\HookSys.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 54 | Size = 164848 bytes | Modified Date = 2008-07-28 14:21:48 | Attr = ]
HookCont.sys -> %SystemRoot%\System32\drivers\HookCont.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 7 | Size = 13808 bytes | Modified Date = 2008-07-28 14:22:30 | Attr = ]
HOOKREG.sys -> %SystemRoot%\System32\drivers\HOOKREG.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 28 | Size = 38256 bytes | Modified Date = 2008-07-28 14:22:08 | Attr = ]
HookNtos.sys -> %SystemRoot%\System32\drivers\HookNtos.sys -> Beijing Rising Information Technology Co., Ltd. [Ver = 22, 0, 0, 50 | Size = 62576 bytes | Modified Date = 2008-07-28 14:22:08 | Attr = ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 2008-08-22 21:22:30 | Attr = ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [Ver = | Size = 54692 bytes | Modified Date = 2008-07-30 15:50:32 | Attr = ]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [Ver = | Size = 348776 bytes | Modified Date = 2008-07-30 15:50:32 | Attr = ]
prfc0804.dat -> %SystemRoot%\System32\prfc0804.dat -> [Ver = | Size = 55410 bytes | Modified Date = 2008-07-30 15:50:32 | Attr = ]
prfh0804.dat -> %SystemRoot%\System32\prfh0804.dat -> [Ver = | Size = 155848 bytes | Modified Date = 2008-07-30 15:50:32 | Attr = ]
tmmr.rem -> %SystemRoot%\System32\tmmr.rem -> [Ver = | Size = 6160 bytes | Modified Date = 2008-08-18 15:21:50 | Attr = ]
xlhcc.dat -> %SystemRoot%\System32\xlhcc.dat -> [Ver = | Size = 26 bytes | Modified Date = 2008-08-19 18:06:22 | Attr = ]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [Ver = | Size = 138848 bytes | Modified Date = 2008-08-14 22:58:14 | Attr = ]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [Ver = | Size = 624494 bytes | Modified Date = 2008-07-30 15:50:32 | Attr = ]
RavExt.dll -> %SystemRoot%\System32\RavExt.dll -> Beijing Rising Information Technology Co., Ltd. [Ver = 20.0.0.18 | Size = 113264 bytes | Modified Date = 2008-07-28 14:21:42 | Attr = ]
VBACHS32.OLB -> %SystemRoot%\System32\VBACHS32.OLB -> [Ver = | Size = 24336 bytes | Modified Date = 2008-11-12 12:00:00 | Attr = ]
VSFLEX3.OCX -> %SystemRoot%\System32\VSFLEX3.OCX -> VideoSoft [Ver = 3.00.036 | Size = 225280 bytes | Modified Date = 2008-11-12 12:00:00 | Attr = ]
cid_store.dat -> %SystemRoot%\System32\cid_store.dat -> [Ver = | Size = 4579 bytes | Modified Date = 2008-08-18 17:31:00 | Attr = ]
LogFiles -> %SystemRoot%\System32\LogFiles -> [Folder | Modified Date = 2008-07-24 17:06:50 | Attr = ]
QQBox.bmp -> %SystemRoot%\System32\QQBox.bmp -> [Ver = | Size = 24376 bytes | Modified Date = 2008-07-26 12:50:16 | Attr = ]
pub_store.dat -> %SystemRoot%\System32\pub_store.dat -> [Ver = | Size = 20 bytes | Modified Date = 2008-08-14 01:01:00 | Attr = ]
bsmain.exe -> %SystemRoot%\System32\bsmain.exe -> Beijing Rising Information Technology Co., Ltd. [Ver = 20, 0, 0, 4 | Size = 237168 bytes | Modified Date = 2008-07-28 14:24:18 | Attr = ]
BsMain.ini -> %SystemRoot%\System32\BsMain.ini -> [Ver = | Size = 160 bytes | Modified Date = 2008-08-20 16:31:44 | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 2008-08-21 00:04:16 | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 823 bytes | Modified Date = 2008-08-22 23:05:22 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 2008-08-22 21:20:46 | Attr = S]
Rav.ini -> %SystemRoot%\Rav.ini -> [Ver = | Size = 62 bytes | Modified Date = 2008-08-22 13:33:10 | Attr = ]
Rav.inf -> %SystemRoot%\Rav.inf -> [Ver = | Size = 451 bytes | Modified Date = 2008-08-20 16:31:46 | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1374 bytes | Modified Date = 2008-08-18 16:00:28 | Attr = ]
PSEXESVC.EXE -> %SystemRoot%\PSEXESVC.EXE -> Sysinternals [Ver = 1.70 | Size = 53248 bytes | Modified Date = 2008-08-21 00:01:36 | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 2008-08-20 23:57:28 | Attr = ]
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
RSBDBACKUP.DLL -> %SystemRoot%\RSBDBACKUP.DLL -> [Ver = | Size = 162 bytes | Modified Date = 2008-08-22 13:34:10 | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 2008-08-22 21:20:56 | Attr = H ]
sky.exe -> %SystemRoot%\tasks\sky.exe -> [Ver = | Size = 57837 bytes | Modified Date = 2008-08-13 17:41:12 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help -> [Folder | Modified Date = 2006-05-23 20:07:12 | Attr = ]
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat -> [Ver = | Size = 40594 bytes | Modified Date = 2008-07-18 10:33:22 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader -> [Folder | Modified Date = 2006-10-11 19:58:24 | Attr = ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 5518 bytes | Modified Date = 2008-07-14 20:52:26 | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 5518 bytes | Modified Date = 2008-07-14 20:52:26 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA -> [Folder | Modified Date = 2007-01-23 20:55:34 | Attr = ]
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [Ver = | Size = 8206 bytes | Modified Date = 2007-01-23 20:57:34 | Attr = ]
D:\Personal\Temp\ -> D:\Personal\Temp -> [Folder | Modified Date = 2004-11-07 22:14:20 | Attr = ]
Perflib_Perfdata_f20.dat -> D:\Personal\Temp\Perflib_Perfdata_f20.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2008-08-21 00:46:28 | Attr = ]
Perflib_Perfdata_a50.dat -> D:\Personal\Temp\Perflib_Perfdata_a50.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2008-08-21 22:55:42 | Attr = ]
Perflib_Perfdata_a2c.dat -> D:\Personal\Temp\Perflib_Perfdata_a2c.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2008-08-22 13:32:10 | Attr = ]
Perflib_Perfdata_aac.dat -> D:\Personal\Temp\Perflib_Perfdata_aac.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2008-08-22 21:22:26 | Attr = ]
30 D:\Personal\Temp\*.tmp files -> D:\Personal\Temp\*.tmp ->
D:\Personal\Temp\ -> D:\Personal\Temp -> [Folder | Modified Date = 2004-11-07 22:14:20 | Attr = ]
ppludt.ini -> D:\Personal\Temp\ppludt.ini -> [Ver = | Size = 716 bytes | Modified Date = 2008-08-22 21:58:14 | Attr = ]
30 D:\Personal\Temp\*.tmp files -> D:\Personal\Temp\*.tmp ->
C:\WINDOWS\Temp\ -> C:\WINDOWS\Temp -> [Folder | Modified Date = 2006-05-23 19:45:32 | Attr = ]
Perflib_Perfdata_d4.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_d4.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2008-08-21 00:03:20 | Attr = ]
Perflib_Perfdata_678.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_678.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2008-08-21 09:36:30 | Attr = ]
Perflib_Perfdata_608.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_608.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2008-08-21 22:52:54 | Attr = ]
Perflib_Perfdata_61c.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_61c.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2008-08-22 13:29:16 | Attr = ]
Perflib_Perfdata_600.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_600.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2008-08-22 21:21:00 | Attr = ]
6 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp ->

< End of report >

Shaba
2008-08-22, 19:56
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\WINDOWS\Tasks\sky.exe
C:\WINDOWS\Fonts\winntls.exe
C:\WINDOWS\Fonts\smcw.exe
C:\WINDOWS\system32\drivers\xyzqcbo.sys
C:\WINDOWS\system32\drivers\zpqaxb.sys
C:\WINDOWS\system32\drivers\pabzaxy.sys
C:\WINDOWS\system32\drivers\qprbzqx.sys
C:\WINDOWS\system32\drivers\qrabpqx.sys
C:\WINDOWS\system32\DRIVERS\jg00x8iyjr.sys
C:\WINDOWS\system32\drivers\vydhnvzh.sys
C:\WINDOWS\system32\drivers\wdtsr.sys
C:\WINDOWS\system32\DRIVERS\z7xq6c1ddy.sys
D:\Personal\Temp\_tmp.bat
C:\WINDOWS\system32\drivers\ayzpqa.sys
C:\WINDOWS\system32\drivers\cabyopr.sys



Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
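The move-and-report step described above, as an added example that is not part of the original thread and not OTMoveIt's own code: a Python script that takes the pasted list, moves each file that exists into a quarantine tree (moving rather than deleting keeps the sample for analysis or restoration), reports "moved successfully" or "not found" per entry in the same style as the tool, and writes a timestamped log. The quarantine layout (a tree mirroring the source paths), the log name and the locked-file handling are this example's assumptions; the embedded move list is taken from the post above, and on a non-Windows host every entry simply comes back "not found".

```python
"""Move a pasted list of files into a quarantine tree and report each result OTMoveIt-style."""
import os
import shutil
import time
from pathlib import Path

# The list from the post above (the paths are the thread's own; the list is embedded so the
# script runs stand-alone). On a non-Windows host every entry is reported as "not found".
MOVE_LIST = r"""
C:\WINDOWS\Tasks\sky.exe
C:\WINDOWS\Fonts\winntls.exe
C:\WINDOWS\Fonts\smcw.exe
C:\WINDOWS\system32\drivers\xyzqcbo.sys
D:\Personal\Temp\_tmp.bat
"""


def parse_move_list(text):
    """Turn the pasted 'files/folders to move' text into clean paths (blank lines and padding dropped)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def quarantine_name(src):
    """Map 'C:\\WINDOWS\\Tasks\\sky.exe' to 'C/WINDOWS/Tasks/sky.exe' (or '/tmp/x/y' to 'tmp/x/y')
    so the quarantine tree mirrors where each file came from. The layout is this example's
    choice (assumption), not necessarily OTMoveIt's."""
    cleaned = src.replace("\\", "/").replace(":", "")
    parts = [p for p in cleaned.split("/") if p and p != "."]
    return os.path.join(*parts) if parts else "unnamed"


def quarantine_files(paths, quarantine_root):
    """Move (never delete) each path into quarantine_root and return one result line per path.

    A file that is open or locked by a running process raises OSError on the move; that is
    the situation in which the real tool asks for a reboot to finish the job."""
    root = Path(quarantine_root)
    results = []
    for src in paths:
        source = Path(src)
        if not source.exists() and not source.is_symlink():
            results.append(f"File/Folder {src} not found.")
            continue
        dest = root / quarantine_name(src)
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.move(str(source), str(dest))
            results.append(f"{src} moved successfully.")
        except OSError as exc:
            results.append(f"{src} could not be moved ({exc}); retry after a reboot.")
    return results


def write_log(results, quarantine_root):
    """Write the results to a timestamped log (MMDDYYYY_HHMMSS, the stamp format seen in the
    thread's OTMoveIt log) inside the quarantine root and return its path."""
    root = Path(quarantine_root)
    root.mkdir(parents=True, exist_ok=True)
    log_path = root / f"{time.strftime('%m%d%Y_%H%M%S')}.log"
    log_path.write_text("\n".join(results) + "\n", encoding="utf-8")
    return str(log_path)


if __name__ == "__main__":
    quarantine = os.path.join(os.getcwd(), "_Quarantine", "MovedFiles")
    outcome = quarantine_files(parse_move_list(MOVE_LIST), quarantine)
    print("\n".join(outcome))
    print("log written to", write_log(outcome, quarantine))
```

Run it from an elevated prompt on the infected machine, since files under %SystemRoot% are not writable by a limited user, and keep the quarantine tree until the machine has been confirmed clean; a "could not be moved" line is the in-use case and means the entry should be retried after a reboot, exactly as the post says.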

grancher
2008-08-23, 18:52
C:\WINDOWS\Tasks\sky.exe moved successfully.
C:\WINDOWS\Fonts\winntls.exe moved successfully.
C:\WINDOWS\Fonts\smcw.exe moved successfully.
File/Folder C:\WINDOWS\system32\drivers\xyzqcbo.sys not found.
File/Folder C:\WINDOWS\system32\drivers\zpqaxb.sys not found.
File/Folder C:\WINDOWS\system32\drivers\pabzaxy.sys not found.
File/Folder C:\WINDOWS\system32\drivers\qprbzqx.sys not found.
File/Folder C:\WINDOWS\system32\drivers\qrabpqx.sys not found.
File/Folder C:\WINDOWS\system32\DRIVERS\jg00x8iyjr.sys not found.
File/Folder C:\WINDOWS\system32\drivers\vydhnvzh.sys not found.
File/Folder C:\WINDOWS\system32\drivers\wdtsr.sys not found.
File/Folder C:\WINDOWS\system32\DRIVERS\z7xq6c1ddy.sys not found.
File/Folder D:\Personal\Temp\_tmp.bat not found.
File/Folder C:\WINDOWS\system32\drivers\ayzpqa.sys not found.
File/Folder C:\WINDOWS\system32\drivers\cabyopr.sys not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08232008_235031

Shaba
2008-08-23, 19:02
That looks fine.

Let me know if you can run ComboFix normally (without CFScript)

grancher
2008-08-24, 11:46
It seems I can't use ComboFix at all now; I just get the same five errors and then nothing happens.

Shaba
2008-08-24, 12:14
Thanks for info.

Create a Startup List
Open HiJackThis
Click Open the Misc tools section
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Copy and paste the StartupList from the Notepad window into your next post

grancher
2008-08-24, 12:59
I think search.exe under Running processes is HijackThis; I renamed it because it wouldn't run under the original name.

StartupList report, 2008-08-24, 17:56:51
StartupList version: 1.52.2
Started from : D:\search.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
D:\search.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「开始」菜单\程序\启动]
服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
ISTray = "D:\Program Files\Spyware Doctor\pctsTray.exe"
RavTask = "d:\Program Files\Rising\Rav\RavTask.exe" -system

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\notepad.exe %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

Thunder AtOnce - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll - {01443AEC-0FD1-40fd-9C87-E93D1494C233}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
ThunderBHO - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll - {889D2FEB-5411-4565-8998-1DD2C5261283}

--------------------------------------------------

Enumerating Download Program Files:

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab

[CCTVUpdateInstall]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CCTVUpdateInstall.dll
CODEBASE = http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,169 bytes
Report generated in 0.156 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Shaba
2008-08-24, 13:01
Yes.

Please rename search.exe back to HijackThis.exe as startuplist won't be complete otherwise and try again.

Remember to do also this:

"Check off the 2 boxes next to the Box that says "Generate StartupList log""

grancher
2008-08-24, 18:04
StartupList report, 2008-08-24, 23:04:23
StartupList version: 1.52.2
Started from : D:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
D:\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「开始」菜单\程序\启动]
服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
ISTray = "D:\Program Files\Spyware Doctor\pctsTray.exe"
RavTask = "d:\Program Files\Rising\Rav\RavTask.exe" -system

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\notepad.exe %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

Thunder AtOnce - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll - {01443AEC-0FD1-40fd-9C87-E93D1494C233}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
ThunderBHO - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll - {889D2FEB-5411-4565-8998-1DD2C5261283}

--------------------------------------------------

Enumerating Download Program Files:

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab

[CCTVUpdateInstall]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CCTVUpdateInstall.dll
CODEBASE = http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,177 bytes
Report generated in 0.360 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Shaba
2008-08-24, 18:09
Still not right.

Have you checked these:

List also minor sections (full)

List also empty sections (complete)?

grancher
2008-08-24, 18:51
StartupList report, 2008-08-24, 23:49:03
StartupList version: 1.52.2
Started from : D:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\notepad.exe
D:\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\「开始」菜单\程序\启动]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「开始」菜单\程序\启动]
服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
ISTray = "D:\Program Files\Spyware Doctor\pctsTray.exe"
RavTask = "d:\Program Files\Rising\Rav\RavTask.exe" -system

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\ComFile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry key not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry key not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry key not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: NO!)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

Thunder AtOnce - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll - {01443AEC-0FD1-40fd-9C87-E93D1494C233}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
ThunderBHO - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll - {889D2FEB-5411-4565-8998-1DD2C5261283}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab

[CCTVUpdateInstall]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CCTVUpdateInstall.dll
CODEBASE = http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: System32\DRIVERS\aliide.sys (system)
AMD K8 Processor Driver: System32\DRIVERS\amdk8.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
标准 IDE/ESDI 硬盘控制器: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
音频存根驱动程序: system32\DRIVERS\audstub.sys (manual start)
awrjd: \??\D:\Personal\Temp\_tmp.bat (manual start)
ayzpqa: \??\C:\WINDOWS\system32\drivers\ayzpqa.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
cabyopr: \??\C:\WINDOWS\system32\drivers\cabyopr.sys (manual start)
catchme: \??\C:\ComboFix\catchme.sys (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: System32\DRIVERS\cmdide.sys (system)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
磁盘驱动器: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
软盘驱动程序: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
FsVga: system32\DRIVERS\fsvga.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: system32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HookCont: \SystemRoot\system32\drivers\HookCont.sys (system)
HookNtos: \SystemRoot\system32\drivers\HookNtos.sys (system)
HookReg: \SystemRoot\system32\drivers\HookReg.sys (system)
HookSys: \SystemRoot\system32\drivers\HookSys.sys (system)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 键盘和 PS/2 鼠标端口驱动程序: System32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\ialmnt5.sys (manual start)
File Security Driver: system32\drivers\ikfilesec.sys (system)
System Filter Driver: system32\drivers\iksysflt.sys (system)
System Security Driver: system32\drivers\iksyssec.sys (system)
CD 烧制筛选驱动器: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: %systemroot%\system32\imapi.exe (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
jg00x8iyjr: System32\DRIVERS\jg00x8iyjr.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\drivers\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
MSSQLSERVER: C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe (autostart)
MSSQLServerADHelper: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (manual start)
MSSQLServerOLAPService: C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe (autostart)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS 用户模式 I/O 协议: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
npkcrypt: \??\D:\Program Files\Tencent\QQ\npkcrypt.sys (autostart)
npkycryp: \??\D:\Program Files\Tencent\QQ\npkycryp.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
pabzaxy: \??\C:\WINDOWS\system32\drivers\pabzaxy.sys (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: System32\Drivers\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
qprbzqx: \??\C:\WINDOWS\system32\drivers\qprbzqx.sys (manual start)
qrabpqx: \??\C:\WINDOWS\system32\drivers\qrabpqx.sys (manual start)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
远程访问 PPPOE 驱动程序: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Rising Process Communication Center: "d:\Program Files\Rising\Rav\CCenter.exe" (autostart)
RsNTGDI: system32\Drivers\RsNTGdi.sys (system)
Rising RealTime Monitor: "D:\PROGRAM FILES\RISING\RAV\Ravmond.exe" (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: system32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PC Tools Auxiliary Service: D:\Program Files\Spyware Doctor\pctsAuxs.exe (autostart)
PC Tools Security Service: D:\Program Files\Spyware Doctor\pctsSvc.exe (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Serial Mouse Driver: system32\drivers\sermouse.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
SQLSERVERAGENT: C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe (manual start)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
静态系列数字照相机驱动程序: system32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{CDA66A55-52D5-4044-99F2-9974B4606FC7} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
tmcomm: \??\C:\WINDOWS\system32\drivers\tmcomm.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TSKSP: \??\D:\Program Files\Tencent\QQDoctor\TSKSP.sys (manual start)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: \SystemRoot\system32\drivers\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
USB 扫描仪驱动程序: system32\DRIVERS\usbscan.sys (manual start)
USB 大容量存储设备: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\drivers\usbuhci.sys (manual start)
Messenger 共享文件夹 USN 杂志阅读器服务: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
vvftav: system32\drivers\vvftav.sys (manual start)
vydhnvzh: system32\drivers\vydhnvzh.sys (system)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
wdtsr: system32\drivers\wdtsr.sys (system)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows 套接字 2 .0 Non-IFS 服务提供程序支持环境: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
wwinsystem: C:\WINDOWS\system32\tcpip.exe (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
xyzqcbo: \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys (manual start)
z7xq6c1ddy: System32\DRIVERS\z7xq6c1ddy.sys (system)
zpqaxb: \??\C:\WINDOWS\system32\drivers\zpqaxb.sys (manual start)
USB PC Camera VC305: System32\Drivers\usbVM305.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,880 bytes
Report generated in 0.531 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Shaba
2008-08-24, 19:46
Please download regsearch.zip (http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip) and save it to your desktop.
Right click on regsearch.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Once done, check (tick) the Show extracted files box and click Finish.
Double click on regsearch.exe to run it.
Copy and paste awrjd under Enter search strings (case independent)

Put each of these on its own line under Enter search strings (case independent) as well:
ayzpqa
cabyopr
pabzaxy
qprbzqx
qrabpqx
vvftav
vydhnvzh
wwinsystem
xyzqcbo
z7xq6c1ddy
zpqaxb

Click OK... (boxed up in red in the screenshot below).

http://xs224.xs.to/xs224/08073/regsearch184.png

Click OK.
When done, RegSearch.txt will open. Please post the contents of this file in your next reply. This file can also be found on your desktop or wherever regsearch is extracted to.
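
The RegSearch.txt this post asks for lists matching keys in .reg export form, with REG_EXPAND_SZ and REG_MULTI_SZ values as comma-separated hex bytes split over several backslash-continued lines. The block below is an added example for reading such a file, not code from the original post or from the RegSearch tool: it decodes the hex(2) and hex(7) values back to strings, merges the duplicated key headers RegSearch emits (once for the key-name hit, once for its values), and builds a per-service summary showing the decoded ImagePath, which control sets carry the service, whether a LEGACY_ Enum\Root entry exists and on which device keys the name appears as an Upper/LowerFilters driver. The input is a constructed sample laid out like RegSearch output; the service name "exdrv", its path and the USB ids in it are made up.

```python
import re
from typing import Any, Dict, List

# Constructed sample in RegSearch's .reg-style layout. The service name
# "exdrv", its ImagePath and the USB device ids are invented for this example.
SAMPLE_REGSEARCH = r"""Windows Registry Editor Version 5.00

; Registry Search (constructed sample)
; Results for strings:
; 'exdrv'

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_EXDRV\0000]
"Service"="exdrv"
"DeviceDesc"="exdrv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exdrv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exdrv]
; Contents of value:
; system32\drivers\exdrv.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,78,00,64,00,72,00,76,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="exdrv"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exdrv\Enum]
"0"="Root\\LEGACY_EXDRV\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0000&Pid_0000\1&0&0]
"UpperFilters"=hex(7):65,00,78,00,64,00,72,00,76,00,00,00,00,00
"""

# "name"=data or @=data (default value); the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
_HEX_RE = re.compile(r"^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<body>.*)$")
_SERVICES_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)$",
    re.IGNORECASE)
_LEGACY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Enum\\Root\\LEGACY_(?P<svc>[^\\]+)\\0000$",
    re.IGNORECASE)


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data: str) -> Any:
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                       # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)                           # REG_DWORD
    m = _HEX_RE.match(data)
    if not m:
        return data                                        # unknown form: keep raw text
    rtype = int(m.group("t"), 16) if m.group("t") else 3   # bare "hex:" is REG_BINARY (3)
    raw = bytes(int(b, 16) for b in m.group("body").split(",") if b.strip())
    if rtype in (1, 2):                                    # REG_SZ / REG_EXPAND_SZ, UTF-16LE
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    if rtype == 7:                                         # REG_MULTI_SZ: NUL-separated, double-NUL end
        return [s for s in raw.decode("utf-16-le", errors="replace").split("\x00") if s]
    return raw


def parse_regsearch(text: str) -> Dict[str, Dict[str, Any]]:
    """Map each registry key path to its decoded values, merging repeated key headers."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    pending = ""   # accumulates a hex value continued over several lines
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line, pending = pending + line, ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\") and "=hex" in line:         # .reg continuation marker
            pending = line[:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else _unescape(m.group("name"))
            keys[current][name] = _decode_data(m.group("data"))
    return keys


def summarize_services(keys: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Collect, per service name, where and how it is registered."""
    summary: Dict[str, Dict[str, Any]] = {}

    def entry(svc: str) -> Dict[str, Any]:
        return summary.setdefault(svc.lower(), {
            "image_path": None, "display_name": None,
            "control_sets": set(), "legacy_enum": False, "filter_on": []})

    for key, values in keys.items():
        m = _SERVICES_RE.match(key)
        if m:
            e = entry(m.group("svc"))
            e["control_sets"].add(m.group("cs"))
            e["image_path"] = values.get("ImagePath", e["image_path"])
            e["display_name"] = values.get("DisplayName", e["display_name"])
            continue
        m = _LEGACY_RE.match(key)
        if m:
            entry(m.group("svc"))["legacy_enum"] = True
            continue
        for vname in ("UpperFilters", "LowerFilters"):      # device-stack filter drivers
            drivers = values.get(vname)
            if isinstance(drivers, str):
                drivers = [drivers]
            for drv in drivers or []:
                entry(drv)["filter_on"].append(key)
    return summary


if __name__ == "__main__":
    for svc, info in summarize_services(parse_regsearch(SAMPLE_REGSEARCH)).items():
        print(svc, info["image_path"], sorted(info["control_sets"]),
              "legacy" if info["legacy_enum"] else "", info["filter_on"])
```

Run it on a saved RegSearch.txt by replacing SAMPLE_REGSEARCH with the file's contents; the summary is what the helper reads off the raw listing by hand: the decoded driver path, which ControlSet00N copies still hold the entry, and whether the name also sits as a filter driver on a device key, which matters when deciding what a cleanup must remove.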

grancher
2008-08-26, 07:00
I got an error message with Registry Search 2.0 by Bobbi Flekman © 2005-2007 regsearch.exe in the title bar, and the same message I have gotten with the other programs as mentioned above. But regsearch worked.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman ?2005
; Version: 2.0.5.0

; Results at 2008-08-26 11:51:43 for strings:
; 'awrjd '
; 'ayzpqa'
; 'cabyopr'
; 'pabzaxy'
; 'qprbzqx'
; 'qrabpqx'
; 'vvftav'
; 'vydhnvzh'
; 'wwinsystem'
; 'xyzqcbo'
; 'z7xq6c1ddy'
; 'zpqaxb'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"
"DeviceDesc"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM\0000]
"Service"="wwinsystem"
"DeviceDesc"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]
"Service"="z7xq6c1ddy"
"DeviceDesc"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\Vid_0ac8&Pid_305b\5&1abfeac3&0&1]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2\Control]
"ActiveService"="vvftav"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ayzpqa]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ayzpqa]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\ayzpqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,79,00,7a,00,\
70,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ayzpqa\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cabyopr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cabyopr]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\cabyopr.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,61,00,62,00,\
79,00,6f,00,70,00,72,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="cabyopr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cabyopr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pabzaxy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pabzaxy]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\pabzaxy.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,61,00,62,00,\
7a,00,61,00,78,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="pabzaxy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pabzaxy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qprbzqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qprbzqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qprbzqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,70,00,72,00,\
62,00,7a,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qprbzqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qprbzqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qrabpqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qrabpqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qrabpqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,72,00,61,00,\
62,00,70,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qrabpqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qrabpqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vvftav]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vvftav]
; Contents of value:
; system32\drivers\vvftav.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,76,00,66,00,74,00,61,00,76,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vvftav\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vvftav\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh]
; Contents of value:
; system32\drivers\vydhnvzh.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,79,00,64,00,68,00,6e,00,76,\
00,7a,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh\Enum]
"0"="Root\\LEGACY_VYDHNVZH\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem]
"DisplayName"="wwinsystem"
"Description"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem\Enum]
"0"="Root\\LEGACY_WWINSYSTEM\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyzqcbo]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyzqcbo]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,79,00,7a,00,\
71,00,63,00,62,00,6f,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="xyzqcbo"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyzqcbo\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy]
; Contents of value:
; System32\DRIVERS\z7xq6c1ddy.sys
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,7a,00,37,00,78,00,71,00,36,00,63,\
00,31,00,64,00,64,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy\Enum]
"0"="Root\\LEGACY_Z7XQ6C1DDY\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\zpqaxb]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\zpqaxb]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\zpqaxb.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,7a,00,70,00,71,00,\
61,00,78,00,62,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="zpqaxb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\zpqaxb\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"
"DeviceDesc"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM\0000]
"Service"="wwinsystem"
"DeviceDesc"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]
"Service"="z7xq6c1ddy"
"DeviceDesc"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\USB\Vid_0ac8&Pid_305b\5&1abfeac3&0&1]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ayzpqa]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ayzpqa]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\ayzpqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,79,00,7a,00,\
70,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ayzpqa\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cabyopr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cabyopr]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\cabyopr.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,61,00,62,00,\
79,00,6f,00,70,00,72,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="cabyopr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cabyopr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pabzaxy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pabzaxy]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\pabzaxy.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,61,00,62,00,\
7a,00,61,00,78,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="pabzaxy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pabzaxy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qprbzqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qprbzqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qprbzqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,70,00,72,00,\
62,00,7a,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qprbzqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qprbzqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qrabpqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qrabpqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qrabpqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,72,00,61,00,\
62,00,70,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qrabpqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qrabpqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vvftav]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vvftav]
; Contents of value:
; system32\drivers\vvftav.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,76,00,66,00,74,00,61,00,76,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vvftav\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vydhnvzh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vydhnvzh]
; Contents of value:
; system32\drivers\vydhnvzh.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,79,00,64,00,68,00,6e,00,76,\
00,7a,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vydhnvzh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wwinsystem]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wwinsystem]
"DisplayName"="wwinsystem"
"Description"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wwinsystem\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyzqcbo]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyzqcbo]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,79,00,7a,00,\
71,00,63,00,62,00,6f,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="xyzqcbo"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyzqcbo\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\z7xq6c1ddy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\z7xq6c1ddy]
; Contents of value:
; System32\DRIVERS\z7xq6c1ddy.sys
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,7a,00,37,00,78,00,71,00,36,00,63,\
00,31,00,64,00,64,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\z7xq6c1ddy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zpqaxb]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zpqaxb]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\zpqaxb.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,7a,00,70,00,71,00,\
61,00,78,00,62,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="zpqaxb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zpqaxb\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"
"DeviceDesc"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM\0000]
"Service"="wwinsystem"
"DeviceDesc"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]
"Service"="z7xq6c1ddy"
"DeviceDesc"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\USB\Vid_0ac8&Pid_305b\5&1abfeac3&0&1]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ayzpqa]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ayzpqa]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\ayzpqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,79,00,7a,00,\
70,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ayzpqa\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cabyopr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cabyopr]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\cabyopr.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,61,00,62,00,\
79,00,6f,00,70,00,72,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="cabyopr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cabyopr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\pabzaxy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\pabzaxy]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\pabzaxy.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,61,00,62,00,\
7a,00,61,00,78,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="pabzaxy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\pabzaxy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qprbzqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qprbzqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qprbzqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,70,00,72,00,\
62,00,7a,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qprbzqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qprbzqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qrabpqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qrabpqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qrabpqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,72,00,61,00,\
62,00,70,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qrabpqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qrabpqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vvftav]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vvftav]
; Contents of value:
; system32\drivers\vvftav.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,76,00,66,00,74,00,61,00,76,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vvftav\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vydhnvzh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vydhnvzh]
; Contents of value:
; system32\drivers\vydhnvzh.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,79,00,64,00,68,00,6e,00,76,\
00,7a,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vydhnvzh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wwinsystem]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wwinsystem]
"DisplayName"="wwinsystem"
"Description"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wwinsystem\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyzqcbo]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyzqcbo]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,79,00,7a,00,\
71,00,63,00,62,00,6f,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="xyzqcbo"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyzqcbo\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\z7xq6c1ddy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\z7xq6c1ddy]
; Contents of value:
; System32\DRIVERS\z7xq6c1ddy.sys
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,7a,00,37,00,78,00,71,00,36,00,63,\
00,31,00,64,00,64,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\z7xq6c1ddy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\zpqaxb.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,7a,00,70,00,71,00,\
61,00,78,00,62,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="zpqaxb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"
"DeviceDesc"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM\0000]
"Service"="wwinsystem"
"DeviceDesc"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]
"Service"="z7xq6c1ddy"
"DeviceDesc"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ac8&Pid_305b\5&1abfeac3&0&1]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2\Control]
"ActiveService"="vvftav"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\ayzpqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,79,00,7a,00,\
70,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cabyopr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cabyopr]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\cabyopr.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,61,00,62,00,\
79,00,6f,00,70,00,72,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="cabyopr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cabyopr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pabzaxy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pabzaxy]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\pabzaxy.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,61,00,62,00,\
7a,00,61,00,78,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="pabzaxy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pabzaxy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qprbzqx]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qprbzqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qprbzqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,70,00,72,00,\
62,00,7a,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qprbzqx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qprbzqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qrabpqx]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qrabpqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qrabpqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,72,00,61,00,\
62,00,70,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qrabpqx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qrabpqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav]
; Contents of value:
; system32\drivers\vvftav.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,76,00,66,00,74,00,61,00,76,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh]
; Contents of value:
; system32\drivers\vydhnvzh.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,79,00,64,00,68,00,6e,00,76,\
00,7a,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh\Enum]
"0"="Root\\LEGACY_VYDHNVZH\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem]
"DisplayName"="wwinsystem"
"Description"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem\Enum]
"0"="Root\\LEGACY_WWINSYSTEM\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzqcbo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzqcbo]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,79,00,7a,00,\
71,00,63,00,62,00,6f,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="xyzqcbo"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzqcbo\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy]
; Contents of value:
; System32\DRIVERS\z7xq6c1ddy.sys
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,7a,00,37,00,78,00,71,00,36,00,63,\
00,31,00,64,00,64,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy\Enum]
"0"="Root\\LEGACY_Z7XQ6C1DDY\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zpqaxb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zpqaxb]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\zpqaxb.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,7a,00,70,00,71,00,\
61,00,78,00,62,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="zpqaxb"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zpqaxb\Security]

; End Of The Log...

Shaba
2008-08-26, 12:12
Download RegDACL (http://www.heysoft.de/nt/reg/ep-regd.htm) and extract it to C: root (C:\).

Launch Notepad, and copy/paste the box below into a new text file. Save it as FixReg.bat in the same folder where you extracted RegDACL (set the file type to All Files, *.*).


RegDACL HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\ayzpqa /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\cabyopr /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\pabzaxy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\qprbzqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\qrabpqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\vydhnvzh /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\wwinsystem /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\xyzqcbo /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\z7xq6c1ddy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\zpqaxb /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\ayzpqa /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\cabyopr /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\pabzaxy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\qprbzqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\qrabpqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\vydhnvzh /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\wwinsystem /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\xyzqcbo /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\z7xq6c1ddy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\zpqaxb /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\ayzpqa /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\cabyopr /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\pabzaxy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\qprbzqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\qrabpqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\vydhnvzh /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\wwinsystem /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\xyzqcbo /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\z7xq6c1ddy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\zpqaxb /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\ayzpqa /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\cabyopr /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\pabzaxy /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\qprbzqx /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\qrabpqx /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\vydhnvzh /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\wwinsystem /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\xyzqcbo /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\zpqaxb /GGE:F



Locate FixReg.bat in that folder and double-click on it.

Go to Start > Run
Type regedit and click OK.

On the left side, click to highlight My Computer at the top.
Go up to "File > Export"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put backup
Choose to save it to C:\ or some other safe location where you will remember it (don't put it on the Desktop!)
Click Save and then go to File > Exit.

Open Notepad and copy the contents of the following box to a new file.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ayzpqa]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cabyopr]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pabzaxy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qprbzqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qrabpqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyzqcbo]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\zpqaxb]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ayzpqa]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cabyopr]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pabzaxy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qprbzqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qrabpqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vydhnvzh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wwinsystem]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyzqcbo]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\z7xq6c1ddy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zpqaxb]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ayzpqa]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cabyopr]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\pabzaxy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qprbzqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qrabpqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vydhnvzh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wwinsystem]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyzqcbo]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\z7xq6c1ddy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cabyopr]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pabzaxy]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qprbzqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qrabpqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzqcbo]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zpqaxb]



Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Go to Desktop, double-click fix.reg and merge the information with the registry.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Reboot.

Do another search but exclude vvftav as it seems to be legit.

Post back results, please.
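
The procedure above is mechanical once the offending names are known: reset the DACL on each key with RegDACL (malware of this family sets restrictive permissions on its service and LEGACY_ device keys so that regedit cannot open or delete them), then delete the keys from every control set with a .reg file. The Python script below is an added example for this thread, not the original poster's tool and not part of RegDACL: it pulls the service and LEGACY_ device names out of a Registry Search 2.0 log in the format posted earlier, drops any name the analyst has ruled legitimate (vvftav here), and emits the FixReg.bat and fix.reg contents for the control sets you name. The log excerpt embedded in it is constructed, and the control-set list is an assumption; check which ControlSetNNN keys exist under HKLM\SYSTEM (HKLM\SYSTEM\Select\Current says which one CurrentControlSet aliases) before using the output.

```python
"""Build FixReg.bat (RegDACL) and fix.reg from a Registry Search 2.0 log.

Added example for this thread, not the original poster's tool: the names come from
the log, the control-set list is an assumption you must confirm on the machine.
"""
import re

# Constructed excerpt in Registry Search 2.0 format (same shape as the log in the thread).
SAMPLE_LOG = r"""Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2\Control]
"ActiveService"="vvftav"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa]
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem]
"DisplayName"="wwinsystem"

; End Of The Log...
"""

_CS = r"(?:CurrentControlSet|ControlSet\d{3})"
SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\" + _CS + r"\\Services\\([^\\\]]+)", re.M)
LEGACY_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\" + _CS + r"\\Enum\\Root\\LEGACY_([^\\\]]+)", re.M)


def extract_targets(log_text, exclude=()):
    """Return (service_names, legacy_device_names) found in the log, minus the exclusions.

    Only key lines are consulted, so value data such as "ActiveService"="vvftav" never
    adds a name on its own. Names are matched case-insensitively against `exclude`.
    """
    skip = {name.lower() for name in exclude}
    services = {m.group(1) for m in SERVICE_KEY.finditer(log_text)}
    legacy = {m.group(1) for m in LEGACY_KEY.finditer(log_text)}
    services = sorted(s for s in services if s.lower() not in skip)
    legacy = sorted(l for l in legacy if l.lower() not in skip)
    return services, legacy


def build_paths(services, legacy, control_sets):
    """Expand the names into HKLM\\SYSTEM\\<control set>\\... key paths, one control set at a time."""
    paths = []
    for cs in control_sets:
        for name in legacy:
            paths.append("\\".join(["HKLM", "SYSTEM", cs, "Enum", "Root", "LEGACY_" + name]))
        for name in services:
            paths.append("\\".join(["HKLM", "SYSTEM", cs, "Services", name]))
    return paths


def regdacl_batch(paths):
    """FixReg.bat: one RegDACL call per key, using the /GGE:F switch from the thread so the
    restrictive DACL the malware set no longer blocks the delete in fix.reg.
    RegDACL.exe is assumed to sit in the same folder as the batch file."""
    return "".join(f"RegDACL {p} /GGE:F\r\n" for p in paths)


def deletion_reg(paths):
    """fix.reg: a Version 5.00 file whose [-KEY] entries delete each key and its subkeys."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for p in paths:
        lines.append("[-HKEY_LOCAL_MACHINE" + p[len("HKLM"):] + "]")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Assumed control sets: confirm the real ones under HKLM\SYSTEM before using the output.
    services, legacy = extract_targets(SAMPLE_LOG, exclude=("vvftav",))
    paths = build_paths(services, legacy, ("ControlSet002", "CurrentControlSet"))
    print(regdacl_batch(paths))
    print(deletion_reg(paths))
```

Point it at the real log and the real control-set names, write the two strings out as FixReg.bat and fix.reg, and run them in the order the post gives (batch first, then merge the .reg); the exclusion list is where findings such as vvftav, which turned out to be legitimate, are kept out of both files.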

grancher
2008-08-26, 19:07
That certainly got shorter

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman ©2005
; Version: 2.0.5.0

; Results at 2008-08-26 23:53:05 for strings:
; 'awrjd '
; 'ayzpqa'
; 'cabyopr'
; 'pabzaxy'
; 'qprbzqx'
; 'qrabpqx'
; 'vydhnvzh'
; 'wwinsystem'
; 'xyzqcbo'
; 'z7xq6c1ddy'
; 'zpqaxb'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

Shaba
2008-08-26, 19:12
Yes it certainly is :)

Please download Malwarebytes' Anti-Malware (http://www.malwaresupport.com/mbam/program/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply along with a fresh HijackThis log.

grancher
2008-08-27, 19:10
I'm having trouble doing a full scan with Malwarebytes' Anti-Malware, I get an error message that says:

"An error occurred, please report the following error code to the Malwarebytes' Anti-Malware support team
Error code: 731 (0,6)"

while scanning
D:\Program Files\Thunder Network\Thunder\Components\ExplorerHelper\REGXPCOM.EXE
The scan then proceeds as though nothing happened until it unexpectedly stops on what seems to be an insignificant file and stays there for several minutes until I close the program. During that time the built-in time ticker doesn't move. I'll try it a few more times and just not touch it after the error message.

Shaba
2008-08-27, 19:19
OK, keep me informed :)

grancher
2008-08-27, 19:33
It worked fine this time, though the error message was still there, here are the logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:30, on 2008-08-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wscntfy.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
d:\Program Files\Rising\Rav\RAVMON.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RavTask] "d:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.cctv.com
O15 - Trusted Zone: *.kdy8.com
O15 - Trusted Zone: *.yahoo.cn
O15 - Trusted Zone: *.yahoo.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8DACBD7-AAF4-4EB3-A3B7-DA5AAA23963D}: NameServer = 221.12.1.228 221.12.65.228
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - d:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5941 bytes



Malwarebytes' Anti-Malware 1.25
Database version: 1089
Windows 5.1.2600 Service Pack 2

00:29:22 2008-08-28
mbam-log-08-28-2008 (00-29-22).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 132737
Time elapsed: 17 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{90af1289-f140-a140-d012-c1458759fc09} (Trojan.vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spml_set.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{90af1289-f140-a140-d012-c1458759fc09} (Trojan.vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ypcqhhlp.dll (Trojan.vundo) -> Quarantined and deleted successfully.
D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll (Trojan.BHO) -> Quarantined and deleted successfully.

Shaba
2008-08-27, 19:52
If you have set these, you can restore them from quarantine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spml_set.exe (Security.Hijack) -> Quarantined and deleted successfully.

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
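
The Security.Hijack entries in the MBAM log are subkeys of Image File Execution Options (IFEO) named after anti-virus executables (RavXP.exe from Rising, the spider*.exe and drweb*.exe components of Dr.Web). Windows consults IFEO whenever a process of that name starts; a Debugger value there makes the named program run in its place, which is why malware plants these keys to stop scanners from launching, and why entries a user placed deliberately (attaching a debugger) are the ones worth restoring from quarantine, as noted above. The Python below is an added example, not from the thread or from Malwarebytes: it reads a regedit export, lists the IFEO subkeys, and flags any that carry a Debugger value or that target a watched security tool. The export text is constructed, and the watch list is an assumption to be filled with the security products installed on the machine.

```python
"""Flag Image File Execution Options (IFEO) hijacks in a regedit (.reg) export.

Added example for this thread, not Malwarebytes' detection logic. A "Debugger" value
under IFEO\<exe> makes Windows launch that program instead of <exe>; a subkey named
after a security tool is suspicious on its own because it is rarely created by hand.
"""
import re

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample export: two executable names MBAM flagged in the thread (one redirected
# to a system binary, one to a debugger) and one ordinary IFEO entry with no Debugger value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisablePagingExecutive"=dword:00000000
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_ifeo(reg_text):
    """Return {exe_name: {value_name: raw_data}} for every direct IFEO subkey in the export.

    Raw data is kept as written in the .reg file ("..." for strings, hex(2):... for
    REG_EXPAND_SZ), which is enough to tell whether a Debugger value is present.
    """
    entries = {}
    current = None
    prefix = IFEO_PREFIX.lower() + "\\"
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            current = None
            if key.lower().startswith(prefix):
                sub = key[len(IFEO_PREFIX) + 1:]
                if "\\" not in sub:          # direct child only, e.g. ...\RavXP.exe
                    current = sub
                    entries.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
    return entries


def find_hijacks(reg_text, watchlist):
    """Flag IFEO subkeys that redirect execution or that are named after a watched tool.

    watchlist: executable names of security products installed on the machine (assumed).
    Returns a list of {"exe": name, "reasons": [...]} in the order the keys appear.
    """
    watch = {w.lower() for w in watchlist}
    findings = []
    for exe, values in parse_ifeo(reg_text).items():
        reasons = []
        debugger = values.get("Debugger")
        if debugger is not None:
            reasons.append("Debugger=" + debugger.strip('"'))
        if exe.lower() in watch:
            reasons.append("targets a security tool")
        if reasons:
            findings.append({"exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assumed watch list; extend it with the scanners actually installed.
    for hit in find_hijacks(SAMPLE_REG, ["RavXP.exe", "drwebscd.exe", "spidernt.exe"]):
        print(hit["exe"], "->", "; ".join(hit["reasons"]))
```

Export the IFEO branch from regedit (File > Export on that key) and feed the file to find_hijacks; a hit with a Debugger value pointing anywhere other than a debugger you installed is the pattern MBAM reported here, while a bare subkey for a watched tool is worth a look but may be a leftover from the product's own installer.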

grancher
2008-08-29, 18:38
I had to turn off my virus protection for several hours to get Kaspersky to run properly.

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 29, 2008 05:14:13
Records in database: 1160100


Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned: 96871
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:04:01

File name | Threat name | Threats count
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\FB299784.DLL.bac_a03096 | Infected: Trojan-Downloader.Win32.Agent.adps | 1

C:\System Volume Information\_restore{A7ADAFEF-084A-4432-8AB5-D52AE3BA85B3}\RP8\A0007611.sys | Infected: Trojan-Downloader.Win32.Hmir.iyg | 1

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\8xqd3.sys.vir | Infected: Trojan-Downloader.Win32.Hmir.iyg | 1

C:\_OTMoveIt\MovedFiles\08232008_235031\WINDOWS\Fonts\winntls.exe | Infected: Trojan.Win32.Inject.ffb | 1

The selected area was scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:32, on 2008-08-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Rising\Rav\RavTask.exe
D:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
d:\Program Files\Rising\Rav\Rav.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: PPVADownloader - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLiveVA\DownloaderManager.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [RavTask] "d:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.cctv.com
O15 - Trusted Zone: *.kaspersky.com
O15 - Trusted Zone: *.kdy8.com
O15 - Trusted Zone: *.yahoo.cn
O15 - Trusted Zone: *.yahoo.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8DACBD7-AAF4-4EB3-A3B7-DA5AAA23963D}: NameServer = 221.12.1.228 221.12.65.228
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - d:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6193 bytes

Shaba
2008-08-29, 19:03
Empty these folders

C:\Documents and
Settings\Administrator\.housecall6.6\Quarantine

C:\QooBox\Quarantine

C:\_OTMoveIt\MovedFiles\

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I'll give you instructions later on how to empty it.

Other than that, any problems left?

grancher
2008-08-31, 15:59
Done. Some things have gotten better.

But I still can't open Firefox or use ctrl. alt. del. and PC Tools Spyware Doctor is still reporting about 30 trojans and some other things.

Shaba
2008-08-31, 16:04
Have you tried re-installing firefox?

As for task manager, download this (http://www.kellys-korner-xp.com/regs_edits/taskmgrenable.reg). Double-click it, click Yes and OK.

Reboot and tell me if it works now.

As for Spyware Doctor, I will need to see the scan report. They can be false positives or the real deal.

grancher
2008-08-31, 18:27
Reinstalling Firefox didn't seem to make a difference. I have only gotten Firefox to work once on this computer, maybe last month I downloaded the newest version and it worked the first time I ran it, but after a restart it would not open.

I still cannot get to the Task Manager.

I'm not really sure how to show you a Spyware Doctor scan report. I could take a series of screen shots, or I could type them all into a text file, but I would rather not do that as there are a lot of entries, most of them for Combofix.

There is also a long delay between when I click on the Shutdown Computer link in the Start menu, and when the window with the restart, shutdown or logout options comes up.

grancher
2008-08-31, 18:30
I also get little pop-up ads on the sides of windows in Netscape. They are not in separate windows, but there is an option to close them, something like what you might get on a web page with obnoxious moving ads that follow you as you scroll up and down.

Shaba
2008-08-31, 19:30
"Reinstalling Firefox didn't seem to make a difference. I have only gotten Firefox to work once on this computer, maybe last month I downloaded the newest version and it worked the first time I ran it, but after a restart it would not open."

OK, so that might not be a malware issue at all. A Mozilla forum might be a better place for that issue.

"I still cannot get to the Task Manager."

Does Ctrl+Shift+Esc work? Does it say anything when you type Ctrl+Alt+del?

"I'm not really sure how to show you a Spyware Doctor scan report. I could take a series of screen shots, or I could type them all into a text file, but I would rather not do that as there are a lot of entries, most of them for Combofix."

Then those are likely gone after Combofix installation:

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Let me know what Spyware Doctor finds after that.

"I also get little pop-up adds on the sides of windows in Netscape, they are not in separate windows but there is an option to close them, something like what you might get on a web page with obnoxious moving ads that follow you as you scroll up and down. "

Might be due to browser settings or lack of hosts file.

You might want to try this:

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

"There is also a long delay between when I click on the Shutdown Computer link in the Start menu, and when the window with the restart, shutdown or logout options comes up."

Pretty impossible to say why. Maybe some Windows forum could help.

grancher
2008-09-01, 21:13
I don't get anything at all when I hit ctrl. alt. del., and the Ctrl. shift Esc. changes my input method.

I tried uninstalling ComboFix. I got the little Combofix loading bar, but after that my mouse pointer became an hourglass for a second; nothing started and there were no error messages.

I installed the MVPS Hosts file as it said on the website.

Shaba
2008-09-01, 21:31
Is C:\QooBox folder gone?

And do those popups still occur?

grancher
2008-09-02, 05:48
The C:/Qoobox folder is still there, and all the contents, except the contents of the Quarantine folder which I emptied, seem to be intact.

The pop-ups have stopped.

Shaba
2008-09-02, 16:15
OK, so partial success :)

Delete C:\Qoobox folder as well as ComboFix.exe.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

And tell me if Spyware Doctor still finds something.

grancher
2008-09-03, 07:13
I deleted Combofix and QooBox, and turned System Restore on and off.

The pop-ups have returned; again they are the little in-window ones, only in Netscape. It's probably a problem I can solve by upgrading to Firefox.

Here is what I got from Spyware Doctor. I had to copy it by hand because Spyware Doctor won't let me copy from the report screen directly, so there may be typos:

Trojan-PWS.OnlineGames
C:\WINDOW\SYSTEM32\smdsbsrv.sys
C:\WINDOW\SYSTEM32\xscqbhlp.sys

Application.NirCmd
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, combofix_wow
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, Runs
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, sanpshot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000,ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000,Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, NextInstance

HKEY_LOCAL_MACHINE\SOFTWARE\swearwar
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme

Trojan-PWS.OnlineGames.AHRG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, DisplaName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF\Security, Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF

Trojan-PWS.OnlineGames.ASGB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, ImagaPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Object Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Description
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, List
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL\Security, Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL

Trojan.Generic
HKEY_USERS\S-1-5-21-3231341158-1705325488-3968787312-500\Software\Wget

Shaba
2008-09-03, 12:22
Some of them are real threats but these are not:

Application.NirCmd
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, combofix_wow
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, Runs
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, sanpshot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000,ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000,Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, NextInstance

HKEY_LOCAL_MACHINE\SOFTWARE\swearwar
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme

They are part of catchme and legit. So they can be ignored.

As for the rest:

Delete these:

C:\WINDOW\SYSTEM32\smdsbsrv.sys
C:\WINDOW\SYSTEM32\xscqbhlp.sys

Go to Start > Run
Type regedit and click OK.

On the left side, click to highlight My Computer at the top.
Go up to "File > Export"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put backup
Choose to save it to C:\ or some other safe location so that you will remember where you put it (don't put it on the Desktop!)
Click Save and then go to File > Exit.

Open Notepad and copy the contents of the following box to a new file.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL]

[-HKEY_USERS\S-1-5-21-3231341158-1705325488-3968787312-500\Software\Wget]

Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Reboot.

Re-run spyware doctor and tell me what it finds now.

Go to Desktop, double-click fix.reg and merge the information with the registry.

grancher
2008-09-03, 21:33
Before merging fix.reg with the directory, Spyware Doctor reported this:

Trojan-PWS.OnlineGames.AHRG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, DisplaName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF\Security, Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF

Trojan-PWS.OnlineGames.ASGB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, ImagaPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Object Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Description
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, List
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL\Security, Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL

Trojan.Generic
HKEY_USERS\S-1-5-21-3231341158-1705325488-3968787312-500\Software\Wget

After merging fix.reg Spyware doctor reported nothing

Shaba
2008-09-03, 21:35
Great :)

Any other issues left other than task manager one?

grancher
2008-09-04, 06:18
I guess that's about it, the computer seems to be shutting down at a normal speed again.

Shaba
2008-09-04, 12:57
Let's check this then:

Copy text below to Notepad and save it as check.bat (save it as all files, *.*)

@ECHO OFF
REM The key path contains spaces, so it must be quoted or REG EXPORT fails and writes nothing.
REG EXPORT "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" C:\taskmgr.txt
notepad C:\taskmgr.txt

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

Double-click check.bat; a black DOS window will flash, that's normal.

Text file will open in Notepad.

Please post contents of that file here.
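As an added example (not Shaba's script and not from the thread), here is a small Python parser for the .reg format that both the check.bat export and fix.reg use: it decodes the UTF-16 text REG EXPORT writes, reads [-KEY] deletion sections like the ones in fix.reg, and flags any Image File Execution Options subkey carrying a Debugger value, the usual reason to inspect the taskmgr.exe key. The sample export, the "Example" value and the debugger path are constructed placeholders, not data from the poster's machine.

```python
"""Parse the .reg format that REG EXPORT writes and regedit merges, and flag
Image File Execution Options (IFEO) subkeys carrying a Debugger value.
Added example for this thread, not the helper's script; sample data is constructed."""
import re

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\"
               "CurrentVersion\\Image File Execution Options\\")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def decode_reg(raw: bytes) -> str:
    """REG EXPORT writes UTF-16LE with a BOM; a Notepad 'ANSI' save is cp1252."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")      # the utf-16 codec strips the BOM
    return raw.decode("cp1252")

def _logical_lines(text: str) -> list:
    """Join hex: values that continue on the next line after a trailing backslash."""
    out, cur, cont = [], "", False
    for line in text.splitlines():
        cur += line.strip() if cont else line.rstrip()
        cont = cur.endswith("\\")
        if cont:
            cur = cur[:-1]
        else:
            out.append(cur)
            cur = ""
    return out + ([cur] if cur else [])

def _decode_value(rhs: str):
    if rhs.startswith('"') and rhs.endswith('"'):        # "string", backslashes doubled
        return rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    if rhs.startswith("hex"):                             # hex:, hex(2):, hex(7): raw bytes
        return bytes(int(b, 16) for b in rhs.split(":", 1)[1].split(",") if b)
    raise ValueError(f"unsupported value syntax: {rhs}")

def parse_reg(text: str):
    """Return (deleted_keys, values). A section written [-KEY] deletes the key
    (the syntax fix.reg uses); values maps key -> {value name: value}."""
    lines = _logical_lines(text)
    if not lines or lines[0] != "Windows Registry Editor Version 5.00":
        raise ValueError("not a version 5.00 .reg file")
    deleted, values, key = [], {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                deleted.append(key[1:])
                key = None
            else:
                values.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError(f"unexpected line: {line}")
        name = "@" if m.group(1) == "@" else m.group(2)
        values[key][name] = _decode_value(m.group(3))
    return deleted, values

def ifeo_debuggers(values: dict) -> dict:
    """Map image name -> Debugger command for every IFEO subkey that sets one; Windows
    runs that command instead of the image, which silently replaces e.g. Task Manager."""
    hits = {}
    for key, vals in values.items():
        if key.upper().startswith(IFEO_PREFIX.upper()) and "Debugger" in vals:
            hits[key[len(IFEO_PREFIX):]] = vals["Debugger"]
    return hits

SAMPLE_EXPORT = b"\xff\xfe" + "\r\n".join([   # constructed stand-in for C:\taskmgr.txt
    "Windows Registry Editor Version 5.00", "", "[" + IFEO_PREFIX + "taskmgr.exe]",
    '"Debugger"="C:\\\\WINDOWS\\\\system32\\\\placeholder_debugger.exe"',
    '"Example"=hex:01,00,\\', '  02,00', "",
]).encode("utf-16-le")

FIX_REG = "\r\n".join([                        # the deletion file from the thread, ANSI-saved
    "Windows Registry Editor Version 5.00", "",
    "[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet003\\SERVICES\\MNSF]", "",
    "[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet003\\SERVICES\\SEICTRL]", "",
]).encode("cp1252")

if __name__ == "__main__":
    print(ifeo_debuggers(parse_reg(decode_reg(SAMPLE_EXPORT))[1]), parse_reg(decode_reg(FIX_REG))[0])
```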

grancher
2008-09-04, 18:49
It was empty, but it did ask me if I wanted to create the file taskmgr.txt, I clicked yes.

Shaba
2008-09-04, 19:48
Does taskmgr.exe exist in c:\windows\system32 folder?

grancher
2008-09-04, 20:15
No, there is a taskman.exe though.

Shaba
2008-09-04, 20:20
So that is the reason.

Task manager can't work because it doesn't exist.

Follow these (http://www.bleepingcomputer.com/forums/topic43051.html) instructions and let me know if it works after that.

grancher
2008-09-07, 16:32
I don't have a Windows CD and when I followed the instructions on the page for people without Windows CDs, the computer still asked me for one.

Shaba
2008-09-07, 16:40
Any specific reason why you don't have windows CD?

grancher
2008-09-09, 21:01
This is my girlfriend's computer and she has a way of misplacing things. I really don't know if she ever had one or not; I've been told they stopped giving you one when you buy a new computer. I did find her restore CD though, and that was enough to get SFC.EXE /SCANNOW to work, but there is still no taskmgr.exe. I found the file on the restore CD; can I just copy it into system32?

Shaba
2008-09-09, 21:25
Yes, you can try that.

grancher
2008-09-10, 08:41
Hey! That worked! I didn't expect it to. :)

Shaba
2008-09-10, 12:12
Good :)

Still some issues left?

grancher
2008-09-12, 17:53
Aside from the Firefox problem and popups in Netscape, most of the visible problems seem to have disappeared. It has started taking a long time to give me the shutdown menu again, something it stopped doing after the second registry fix. Can I just run those registry fixes again if the same problems reappear?

Shaba
2008-09-12, 19:04
Well, I don't see any connection between slowness and those fixes.

Any other issues? :)

grancher
2008-09-13, 18:40
That seems to be about it. :)
Thank you very much.

Shaba
2008-09-13, 18:47
Great :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp).

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/) (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
WinPatrol (http://www.winpatrol.com/) <= Download and install the free version of WinPatrol. A tutorial for this product is located here:
Using WinPatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:

grancher
2008-09-13, 21:11
Done. Thanks again

Shaba
2008-09-16, 16:38
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.