Smitfraud C. Koowo and much more

Yes.

Please rename search.exe back to HijackThis.exe, as the StartupList won't be complete otherwise, and try again.

Remember to do also this:

"Check off the 2 boxes next to the box that says 'Generate StartupList log'"
 
StartupList report, 2008-08-24, 23:04:23
StartupList version: 1.52.2
Started from : D:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
D:\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「开始」菜单\程序\启动]  (Chinese-locale path for Start Menu\Programs\Startup)
服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe  (shortcut name: "Service Manager")

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
ISTray = "D:\Program Files\Spyware Doctor\pctsTray.exe"
RavTask = "d:\Program Files\Rising\Rav\RavTask.exe" -system

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\notepad.exe %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

Thunder AtOnce - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll - {01443AEC-0FD1-40fd-9C87-E93D1494C233}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
ThunderBHO - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll - {889D2FEB-5411-4565-8998-1DD2C5261283}

--------------------------------------------------

Enumerating Download Program Files:

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab

[CCTVUpdateInstall]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CCTVUpdateInstall.dll
CODEBASE = http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,177 bytes
Report generated in 0.360 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
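The section that usually carries the interesting entries, "Enumerating Windows NT/2000/XP services", is only printed when the full/complete options the helper asked for are turned on (the default-options report above does not have it; the later report in this thread does). As an added example that is not part of this thread and not StartupList's own code, the Python script below parses that section out of a report and applies the triage checks a helper would otherwise do by eye: an absolute `\??\` ImagePath into system32\drivers (inbox drivers are registered SystemRoot-relative), an image outside the Windows and Program Files trees, an image that is not a .sys/.exe/.dll, and a lowercase key-style name with almost no vowels. The sample report is constructed from lines copied out of the two reports posted in this thread, the Windows directory is assumed to be C:\WINDOWS as the "Running processes" lists show, and a hit is a lead to verify against the file itself, not a verdict.

```python
"""Heuristic triage of the services section of a StartupList 1.52.2 report."""
import ntpath
import re

# Assumption: the Windows directory is C:\WINDOWS, as the 'Running processes'
# section of the reports in this thread shows.
SYSTEM_ROOT = r"c:\windows"
DRIVERS_DIR = SYSTEM_ROOT + "\\system32\\drivers\\"
OK_EXT = {".sys", ".exe", ".dll"}
VOWELS = set("aeiou")

# Constructed sample: lines copied from the two reports posted in this thread and
# stitched together so the script runs offline. A real report is much longer.
SAMPLE_REPORT = r"""
StartupList report, 2008-08-24, 23:49:03
StartupList version: 1.52.2
==================================================

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
ISTray = "D:\Program Files\Spyware Doctor\pctsTray.exe"

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
awrjd: \??\D:\Personal\Temp\_tmp.bat (manual start)
ayzpqa: \??\C:\WINDOWS\system32\drivers\ayzpqa.sys (manual start)
catchme: \??\C:\ComboFix\catchme.sys (manual start)
HookCont: \SystemRoot\system32\drivers\HookCont.sys (system)
jg00x8iyjr: System32\DRIVERS\jg00x8iyjr.sys (system)
npkcrypt: \??\D:\Program Files\Tencent\QQ\npkcrypt.sys (autostart)
Rdbss: system32\DRIVERS\rdbss.sys (system)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
"""

SECTION_SEP = re.compile(r"^-{10,}\s*$", re.M)
SERVICE_LINE = re.compile(r"^(?P<name>[^:\n]+): (?P<image>.+) \((?P<start>[^()]+)\)$")


def parse_services(report):
    """Return [(display name, image path, start type)] from the services section."""
    for section in SECTION_SEP.split(report):
        lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
        if not lines or not lines[0].startswith("Enumerating Windows NT/2000/XP services"):
            continue
        found = [SERVICE_LINE.match(ln) for ln in lines[1:]]
        return [(m["name"], m["image"], m["start"]) for m in found if m]
    return []


def normalize(image):
    """Lower-case absolute path of the image: strip quotes, the NT '\\??\\' prefix
    and command-line arguments, then resolve the SystemRoot-relative spellings."""
    p = image.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    m = re.match(r'(.+?\.[A-Za-z0-9]{2,4})(?=[\s"]|$)', p)
    p = (m.group(1) if m else p.split()[0]).lower()   # no extension: assume no spaces
    if p.startswith("%systemroot%"):
        return SYSTEM_ROOT + p[len("%systemroot%"):]
    if p.startswith("\\systemroot"):
        return SYSTEM_ROOT + p[len("\\systemroot"):]
    if not re.match(r"^[a-z]:\\", p):        # relative paths hang off the Windows dir
        return SYSTEM_ROOT + "\\" + p
    return p


def triage(name, image):
    """Reasons a service entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    path = normalize(image)
    if image.lstrip('"').startswith("\\??\\") and path.startswith(DRIVERS_DIR):
        reasons.append("absolute \\??\\ path into system32\\drivers (inbox drivers are SystemRoot-relative)")
    in_program_files = any(seg in path for seg in ("\\program files\\", "\\progra~1\\"))
    if not (path.startswith(SYSTEM_ROOT + "\\") or in_program_files):
        reasons.append("image outside the Windows and Program Files directories")
    ext = ntpath.splitext(path)[1]
    if ext not in OK_EXT:
        reasons.append(f"unexpected image type '{ext or '(none)'}' for a service")
    if re.fullmatch(r"[a-z0-9]{5,}", name) and sum(c in VOWELS for c in name) <= 1:
        reasons.append("lowercase key-style name with at most one vowel")
    return reasons


def suspicious_services(report):
    """Map service name -> reasons, for every service that trips at least one check."""
    hits = {}
    for name, image, _start in parse_services(report):
        reasons = triage(name, image)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_REPORT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample this lists awrjd, ayzpqa, catchme, jg00x8iyjr and npkcrypt and stays quiet on the Microsoft and Rising entries. Some hits are benign by construction: catchme.sys sits under C:\ComboFix, npkcrypt.sys is under the Tencent QQ program directory, and on a full XP report the two `svchost -k` entries written without `.exe` will also show up under the image-type check. The output is a review list for the helper, and the next step for each line is the file itself (signature, version resource, hash lookup), not removal.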
 
Still not right.

Have you checked these:

List also minor sections (full)

List also empty sections (complete)?
 
StartupList report, 2008-08-24, 23:49:03
StartupList version: 1.52.2
Started from : D:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\notepad.exe
D:\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\「开始」菜单\程序\启动]  (Chinese-locale path for Start Menu\Programs\Startup)
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「开始」菜单\程序\启动]  (Chinese-locale path for Start Menu\Programs\Startup)
服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe  (shortcut name: "Service Manager")

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
ISTray = "D:\Program Files\Spyware Doctor\pctsTray.exe"
RavTask = "d:\Program Files\Rising\Rav\RavTask.exe" -system

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\ComFile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry key not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry key not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry key not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: NO!)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

Thunder AtOnce - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll - {01443AEC-0FD1-40fd-9C87-E93D1494C233}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
ThunderBHO - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll - {889D2FEB-5411-4565-8998-1DD2C5261283}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab

[CCTVUpdateInstall]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CCTVUpdateInstall.dll
CODEBASE = http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: System32\DRIVERS\aliide.sys (system)
AMD K8 Processor Driver: System32\DRIVERS\amdk8.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
awrjd: \??\D:\Personal\Temp\_tmp.bat (manual start)
ayzpqa: \??\C:\WINDOWS\system32\drivers\ayzpqa.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
cabyopr: \??\C:\WINDOWS\system32\drivers\cabyopr.sys (manual start)
catchme: \??\C:\ComboFix\catchme.sys (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: System32\DRIVERS\cmdide.sys (system)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
FsVga: system32\DRIVERS\fsvga.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: system32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HookCont: \SystemRoot\system32\drivers\HookCont.sys (system)
HookNtos: \SystemRoot\system32\drivers\HookNtos.sys (system)
HookReg: \SystemRoot\system32\drivers\HookReg.sys (system)
HookSys: \SystemRoot\system32\drivers\HookSys.sys (system)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\ialmnt5.sys (manual start)
File Security Driver: system32\drivers\ikfilesec.sys (system)
System Filter Driver: system32\drivers\iksysflt.sys (system)
System Security Driver: system32\drivers\iksyssec.sys (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: %systemroot%\system32\imapi.exe (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
jg00x8iyjr: System32\DRIVERS\jg00x8iyjr.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\drivers\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
MSSQLSERVER: C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe (autostart)
MSSQLServerADHelper: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (manual start)
MSSQLServerOLAPService: C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe (autostart)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS User Mode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
npkcrypt: \??\D:\Program Files\Tencent\QQ\npkcrypt.sys (autostart)
npkycryp: \??\D:\Program Files\Tencent\QQ\npkycryp.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
pabzaxy: \??\C:\WINDOWS\system32\drivers\pabzaxy.sys (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: System32\Drivers\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
qprbzqx: \??\C:\WINDOWS\system32\drivers\qprbzqx.sys (manual start)
qrabpqx: \??\C:\WINDOWS\system32\drivers\qrabpqx.sys (manual start)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Rising Process Communication Center: "d:\Program Files\Rising\Rav\CCenter.exe" (autostart)
RsNTGDI: system32\Drivers\RsNTGdi.sys (system)
Rising RealTime Monitor: "D:\PROGRAM FILES\RISING\RAV\Ravmond.exe" (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: system32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PC Tools Auxiliary Service: D:\Program Files\Spyware Doctor\pctsAuxs.exe (autostart)
PC Tools Security Service: D:\Program Files\Spyware Doctor\pctsSvc.exe (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Serial Mouse Driver: system32\drivers\sermouse.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
SQLSERVERAGENT: C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe (manual start)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
静态系列数字照相机驱动程序: system32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{CDA66A55-52D5-4044-99F2-9974B4606FC7} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
tmcomm: \??\C:\WINDOWS\system32\drivers\tmcomm.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TSKSP: \??\D:\Program Files\Tencent\QQDoctor\TSKSP.sys (manual start)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: \SystemRoot\system32\drivers\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
USB 扫描仪驱动程序: system32\DRIVERS\usbscan.sys (manual start)
USB 大容量存储设备: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\drivers\usbuhci.sys (manual start)
Messenger 共享文件夹 USN 杂志阅读器服务: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
vvftav: system32\drivers\vvftav.sys (manual start)
vydhnvzh: system32\drivers\vydhnvzh.sys (system)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
wdtsr: system32\drivers\wdtsr.sys (system)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows 套接字 2 .0 Non-IFS 服务提供程序支持环境: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
wwinsystem: C:\WINDOWS\system32\tcpip.exe (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
xyzqcbo: \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys (manual start)
z7xq6c1ddy: System32\DRIVERS\z7xq6c1ddy.sys (system)
zpqaxb: \??\C:\WINDOWS\system32\drivers\zpqaxb.sys (manual start)
USB PC Camera VC305: System32\Drivers\usbVM305.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,880 bytes
Report generated in 0.531 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
  1. Please download regsearch.zip and save it to your desktop.
  2. Right click on regsearch.zip and select Extract All....
  3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  4. Click on the Browse button. Click on Desktop. Then click OK.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on regsearch.exe to run it.
  7. Copy and paste awrjd under Enter search strings (case independent)

    Put every one of these on its own line under Enter search strings (case independent) as well:
    ayzpqa
    cabyopr
    pabzaxy
    qprbzqx
    qrabpqx
    vvftav
    vydhnvzh
    wwinsystem
    xyzqcbo
    z7xq6c1ddy
    zpqaxb
  8. Click OK... (boxed up in red in the screenshot below).

    [screenshot: regsearch184.png]

  9. Click OK.
  10. When done, RegSearch.txt will open. Please post the contents of this file in your next reply. This file can also be found on your desktop or wherever regsearch is extracted to.
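RegSearch writes its results as a standard regedit export, so the long hex(2) and hex(7) blobs in the posted file are just UTF-16LE strings. The following is an added Python example, not part of this thread or of RegSearch itself, that parses such an export, decodes the ImagePath (REG_EXPAND_SZ) and UpperFilters (REG_MULTI_SZ) values and reports which of the searched service names resolve to a driver file; the embedded .reg text is a constructed three-key excerpt in the same shape as the posted output, and the Windows directory C:\WINDOWS is an assumption.

```python
import re
from typing import Dict, List

# Search strings from the instructions above (awrjd was pasted with a trailing space).
SEARCH_STRINGS = ["awrjd ", "ayzpqa", "cabyopr", "pabzaxy", "qprbzqx", "qrabpqx",
                  "vvftav", "vydhnvzh", "wwinsystem", "xyzqcbo", "z7xq6c1ddy", "zpqaxb"]

# Constructed excerpt (three keys) in the shape of the posted RegSearch.txt; hex bytes are UTF-16LE.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\ayzpqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,79,00,7a,00,\
70,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,76,00,66,00,74,00,61,00,76,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2]
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00
'''
KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\((?P<kind>\d+)\):(?P<data>.*)$')
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
SERVICE_KEY_RE = re.compile(r'\\Services\\(?P<svc>[^\\]+)$', re.IGNORECASE)


def decode_hex_value(data: str, kind: int):
    """Turn the comma-separated hex bytes of a hex(2)/hex(7) value into text."""
    raw = bytes(int(b, 16) for b in data.split(',') if b)
    text = raw.decode('utf-16-le')
    if kind == 7:  # REG_MULTI_SZ: NUL-separated strings, list closed by an empty one
        return [s for s in text.split('\x00') if s]
    return text.split('\x00', 1)[0]  # hex(2) = REG_EXPAND_SZ: one NUL-terminated string


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a regedit-format export into {key: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = ''  # values seen before any [key] line are collected under ''
    pending = None  # [name, kind, hex data so far] while a value spans several lines
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:
            continued = line.endswith('\\')
            pending[2] += line[:-1] if continued else line
            if not continued:
                keys[current][pending[0]] = decode_hex_value(pending[2], pending[1])
                pending = None
            continue
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = HEX_RE.match(line)
        if m:
            data = m.group('data')
            if data.endswith('\\'):
                pending = [m.group('name'), int(m.group('kind')), data[:-1]]
            else:
                keys.setdefault(current, {})[m.group('name')] = decode_hex_value(data, int(m.group('kind')))
            continue
        m = STR_RE.match(line)
        if m:
            keys.setdefault(current, {})[m.group('name')] = m.group('value').replace('\\\\', '\\')
    return keys


def normalize_image_path(path: str, windir: str = r'C:\WINDOWS') -> str:
    # Strip the NT object-manager prefix; resolve paths relative to the (assumed) Windows dir.
    if path.startswith('\\??\\'):
        path = path[4:]
    if not re.match(r'^[A-Za-z]:\\', path):
        path = windir + '\\' + path
    return path


def find_hits(keys: Dict[str, Dict[str, object]], search_strings: List[str]) -> Dict[str, object]:
    # Services named in search_strings, plus devices they are attached to as filter drivers.
    wanted = {s.strip().lower() for s in search_strings}
    services: Dict[str, str] = {}
    filters: List[tuple] = []
    for key, values in keys.items():
        m = SERVICE_KEY_RE.search(key)
        if m and m.group('svc').lower() in wanted and isinstance(values.get('ImagePath'), str):
            services[m.group('svc')] = normalize_image_path(values['ImagePath'])
        for filt in ('UpperFilters', 'LowerFilters'):
            names = values.get(filt)
            if isinstance(names, list):
                filters.extend((key, filt, n) for n in names if n.lower() in wanted)
    return {'services': services, 'filters': filters}
```

On the constructed excerpt, find_hits(parse_reg(SAMPLE_REG), SEARCH_STRINGS) reports ayzpqa and vvftav resolving to driver files under C:\WINDOWS\system32\drivers, and vvftav additionally attached as an UpperFilters entry on the USB camera device key.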
 
I got an error message with Registry Search 2.0 by Bobbi Flekman © 2005-2007 regsearch.exe in the title bar, and the same message I have gotten with the other programs as mentioned above. But regsearch worked.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 2008-08-26 11:51:43 for strings:
; 'awrjd '
; 'ayzpqa'
; 'cabyopr'
; 'pabzaxy'
; 'qprbzqx'
; 'qrabpqx'
; 'vvftav'
; 'vydhnvzh'
; 'wwinsystem'
; 'xyzqcbo'
; 'z7xq6c1ddy'
; 'zpqaxb'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"
"DeviceDesc"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM\0000]
"Service"="wwinsystem"
"DeviceDesc"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]
"Service"="z7xq6c1ddy"
"DeviceDesc"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\Vid_0ac8&Pid_305b\5&1abfeac3&0&1]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2\Control]
"ActiveService"="vvftav"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ayzpqa]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ayzpqa]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\ayzpqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,79,00,7a,00,\
70,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ayzpqa\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cabyopr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cabyopr]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\cabyopr.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,61,00,62,00,\
79,00,6f,00,70,00,72,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="cabyopr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cabyopr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pabzaxy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pabzaxy]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\pabzaxy.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,61,00,62,00,\
7a,00,61,00,78,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="pabzaxy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pabzaxy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qprbzqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qprbzqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qprbzqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,70,00,72,00,\
62,00,7a,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qprbzqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qprbzqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qrabpqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qrabpqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qrabpqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,72,00,61,00,\
62,00,70,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qrabpqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qrabpqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vvftav]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vvftav]
; Contents of value:
; system32\drivers\vvftav.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,76,00,66,00,74,00,61,00,76,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vvftav\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vvftav\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh]
; Contents of value:
; system32\drivers\vydhnvzh.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,79,00,64,00,68,00,6e,00,76,\
00,7a,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh\Enum]
"0"="Root\\LEGACY_VYDHNVZH\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem]
"DisplayName"="wwinsystem"
"Description"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem\Enum]
"0"="Root\\LEGACY_WWINSYSTEM\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyzqcbo]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyzqcbo]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,79,00,7a,00,\
71,00,63,00,62,00,6f,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="xyzqcbo"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyzqcbo\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy]
; Contents of value:
; System32\DRIVERS\z7xq6c1ddy.sys
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,7a,00,37,00,78,00,71,00,36,00,63,\
00,31,00,64,00,64,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy\Enum]
"0"="Root\\LEGACY_Z7XQ6C1DDY\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\zpqaxb]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\zpqaxb]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\zpqaxb.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,7a,00,70,00,71,00,\
61,00,78,00,62,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="zpqaxb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\zpqaxb\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"
"DeviceDesc"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM\0000]
"Service"="wwinsystem"
"DeviceDesc"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]
"Service"="z7xq6c1ddy"
"DeviceDesc"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\USB\Vid_0ac8&Pid_305b\5&1abfeac3&0&1]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ayzpqa]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ayzpqa]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\ayzpqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,79,00,7a,00,\
70,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ayzpqa\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cabyopr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cabyopr]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\cabyopr.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,61,00,62,00,\
79,00,6f,00,70,00,72,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="cabyopr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cabyopr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pabzaxy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pabzaxy]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\pabzaxy.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,61,00,62,00,\
7a,00,61,00,78,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="pabzaxy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pabzaxy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qprbzqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qprbzqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qprbzqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,70,00,72,00,\
62,00,7a,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qprbzqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qprbzqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qrabpqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qrabpqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qrabpqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,72,00,61,00,\
62,00,70,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qrabpqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qrabpqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vvftav]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vvftav]
; Contents of value:
; system32\drivers\vvftav.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,76,00,66,00,74,00,61,00,76,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vvftav\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vydhnvzh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vydhnvzh]
; Contents of value:
; system32\drivers\vydhnvzh.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,79,00,64,00,68,00,6e,00,76,\
00,7a,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vydhnvzh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wwinsystem]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wwinsystem]
"DisplayName"="wwinsystem"
"Description"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wwinsystem\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyzqcbo]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyzqcbo]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,79,00,7a,00,\
71,00,63,00,62,00,6f,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="xyzqcbo"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyzqcbo\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\z7xq6c1ddy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\z7xq6c1ddy]
; Contents of value:
; System32\DRIVERS\z7xq6c1ddy.sys
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,7a,00,37,00,78,00,71,00,36,00,63,\
00,31,00,64,00,64,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\z7xq6c1ddy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zpqaxb]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zpqaxb]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\zpqaxb.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,7a,00,70,00,71,00,\
61,00,78,00,62,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="zpqaxb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zpqaxb\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"
"DeviceDesc"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM\0000]
"Service"="wwinsystem"
"DeviceDesc"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]
"Service"="z7xq6c1ddy"
"DeviceDesc"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\USB\Vid_0ac8&Pid_305b\5&1abfeac3&0&1]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ayzpqa]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ayzpqa]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\ayzpqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,79,00,7a,00,\
70,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ayzpqa\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cabyopr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cabyopr]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\cabyopr.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,61,00,62,00,\
79,00,6f,00,70,00,72,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="cabyopr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cabyopr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\pabzaxy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\pabzaxy]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\pabzaxy.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,61,00,62,00,\
7a,00,61,00,78,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="pabzaxy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\pabzaxy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qprbzqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qprbzqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qprbzqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,70,00,72,00,\
62,00,7a,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qprbzqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qprbzqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qrabpqx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qrabpqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qrabpqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,72,00,61,00,\
62,00,70,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qrabpqx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qrabpqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vvftav]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vvftav]
; Contents of value:
; system32\drivers\vvftav.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,76,00,66,00,74,00,61,00,76,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vvftav\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vydhnvzh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vydhnvzh]
; Contents of value:
; system32\drivers\vydhnvzh.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,79,00,64,00,68,00,6e,00,76,\
00,7a,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vydhnvzh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wwinsystem]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wwinsystem]
"DisplayName"="wwinsystem"
"Description"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wwinsystem\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyzqcbo]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyzqcbo]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,79,00,7a,00,\
71,00,63,00,62,00,6f,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="xyzqcbo"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyzqcbo\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\z7xq6c1ddy]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\z7xq6c1ddy]
; Contents of value:
; System32\DRIVERS\z7xq6c1ddy.sys
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,7a,00,37,00,78,00,71,00,36,00,63,\
00,31,00,64,00,64,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\z7xq6c1ddy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\zpqaxb.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,7a,00,70,00,71,00,\
61,00,78,00,62,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="zpqaxb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"
"DeviceDesc"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM\0000]
"Service"="wwinsystem"
"DeviceDesc"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY\0000]
"Service"="z7xq6c1ddy"
"DeviceDesc"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ac8&Pid_305b\5&1abfeac3&0&1]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2]
; Contents of value:
; vvftav
;
"UpperFilters"=hex(7):76,00,76,00,66,00,74,00,61,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ac8&Pid_305b\5&31ba8de1&0&2\Control]
"ActiveService"="vvftav"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\ayzpqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,79,00,7a,00,\
70,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="ayzpqa"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cabyopr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cabyopr]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\cabyopr.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,61,00,62,00,\
79,00,6f,00,70,00,72,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="cabyopr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cabyopr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pabzaxy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pabzaxy]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\pabzaxy.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,61,00,62,00,\
7a,00,61,00,78,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="pabzaxy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pabzaxy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qprbzqx]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qprbzqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qprbzqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,70,00,72,00,\
62,00,7a,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qprbzqx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qprbzqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qrabpqx]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qrabpqx]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\qrabpqx.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,71,00,72,00,61,00,\
62,00,70,00,71,00,78,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="qrabpqx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qrabpqx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav]
; Contents of value:
; system32\drivers\vvftav.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,76,00,66,00,74,00,61,00,76,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh]
; Contents of value:
; system32\drivers\vydhnvzh.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,79,00,64,00,68,00,6e,00,76,\
00,7a,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh\Enum]
"0"="Root\\LEGACY_VYDHNVZH\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem]
"DisplayName"="wwinsystem"
"Description"="wwinsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem\Enum]
"0"="Root\\LEGACY_WWINSYSTEM\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzqcbo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzqcbo]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\xyzqcbo.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,79,00,7a,00,\
71,00,63,00,62,00,6f,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="xyzqcbo"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzqcbo\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy]
; Contents of value:
; System32\DRIVERS\z7xq6c1ddy.sys
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,7a,00,37,00,78,00,71,00,36,00,63,\
00,31,00,64,00,64,00,79,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="z7xq6c1ddy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy\Enum]
"0"="Root\\LEGACY_Z7XQ6C1DDY\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zpqaxb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zpqaxb]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\zpqaxb.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,7a,00,70,00,71,00,\
61,00,78,00,62,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="zpqaxb"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zpqaxb\Security]

; End Of The Log...
 
Download RegDACL and extract it to C: root (C:\).

Launch Notepad, and copy/paste the box below into a new text file. Save it as FixReg.bat and save it in the same folder as where you extracted RegDACL (save it as all files, *.*).

Code:
RegDACL HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\ayzpqa /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\cabyopr /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\pabzaxy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\qprbzqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\qrabpqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\vydhnvzh /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\wwinsystem /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\xyzqcbo /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\z7xq6c1ddy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet002\Services\zpqaxb /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\ayzpqa /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\cabyopr /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\pabzaxy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\qprbzqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\qrabpqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\vydhnvzh /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\wwinsystem /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\xyzqcbo /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\z7xq6c1ddy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet003\Services\zpqaxb /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\ayzpqa /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\cabyopr /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\pabzaxy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\qprbzqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\qrabpqx /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\vydhnvzh /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\wwinsystem /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\xyzqcbo /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\z7xq6c1ddy /GGE:F

RegDACL HKLM\SYSTEM\ControlSet004\Services\zpqaxb /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\ayzpqa /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\cabyopr /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\pabzaxy /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\qprbzqx /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\qrabpqx /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\vydhnvzh /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\wwinsystem /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\xyzqcbo /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy /GGE:F

RegDACL HKLM\SYSTEM\CurrentControlSet\Services\zpqaxb /GGE:F

Locate FixReg.bat in that folder and double-click on it.

Go to Start > Run
Type regedit and click OK.

  • On the leftside, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
    • Leave the "Save As Type" as "Registration Files".
    • Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the Desktop!)
  • Click Save and then go to File > Exit.

Open Notepad and copy the contents of the following box to a new file.

Code:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VYDHNVZH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WWINSYSTEM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_Z7XQ6C1DDY]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ayzpqa]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cabyopr]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pabzaxy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qprbzqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qrabpqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vydhnvzh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wwinsystem]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xyzqcbo]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\z7xq6c1ddy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\zpqaxb]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VYDHNVZH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WWINSYSTEM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_Z7XQ6C1DDY]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ayzpqa]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cabyopr]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pabzaxy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qprbzqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qrabpqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vydhnvzh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wwinsystem]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xyzqcbo]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\z7xq6c1ddy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\zpqaxb]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VYDHNVZH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WWINSYSTEM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_Z7XQ6C1DDY]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ayzpqa]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\cabyopr]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\pabzaxy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qprbzqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\qrabpqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\vydhnvzh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wwinsystem]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\xyzqcbo]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\z7xq6c1ddy]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WWINSYSTEM]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Z7XQ6C1DDY]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ayzpqa]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cabyopr]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pabzaxy]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qprbzqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qrabpqx]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwinsystem]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzqcbo]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z7xq6c1ddy]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zpqaxb]

Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this -> (screenshot: reg.gif)


Go to Desktop, double-click fix.reg and merge the information with the registry.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Reboot.

Do another search but exclude vvftav as it seems to be legit.

Post back results, please.
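As an added example (not part of this thread, and not code from RegDACL, Registry Search or any other tool named here), a small Python script that derives the FixReg.bat and fix.reg lists above from a Registry Search log, so the two files always cover the same keys and the legitimate driver is left out. The control-set list, the exclusion list and the sample log below are assumptions constructed from entries in this thread.

```python
import re
import sys

# Control sets the fix in this thread covers: the stale ControlSet00N copies
# plus the live one. Adjust to whatever the search log actually reported.
CONTROL_SETS = ("ControlSet002", "ControlSet003", "ControlSet004", "CurrentControlSet")

# Matches only the top-level hits to delete: the service key itself
# ("Services\<name>") or the legacy root enum key ("Enum\Root\LEGACY_<NAME>").
# Subkeys such as \Security, \Enum or \0000 are NOT matched; deleting the
# parent key removes them anyway.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\(Services\\[^\\\]]+|Enum\\Root\\LEGACY_[^\\\]]+)\]$"
)


def collect_targets(log_lines, exclude=()):
    """Return the unique key paths (relative to the control set) found in a
    Registry Search log, skipping any service name listed in `exclude`."""
    excluded = {name.lower() for name in exclude}
    targets = set()
    for line in log_lines:
        match = KEY_RE.match(line.strip())
        if not match:
            continue
        rel_path = match.group(1)
        leaf = rel_path.rsplit("\\", 1)[1]
        # LEGACY_<NAME> and Services\<name> refer to the same driver, so the
        # exclusion list is checked against the bare service name.
        service = leaf[len("LEGACY_"):] if leaf.startswith("LEGACY_") else leaf
        if service.lower() in excluded:
            continue
        targets.add(rel_path)
    # Enum\Root\... sorts before Services\..., matching the order in the thread.
    return sorted(targets, key=str.lower)


def build_regdacl_batch(targets):
    """FixReg.bat: grant Everyone full control so the locked keys can be deleted."""
    lines = [f"RegDACL HKLM\\SYSTEM\\{cs}\\{rel} /GGE:F"
             for cs in CONTROL_SETS for rel in targets]
    return "\r\n".join(lines) + "\r\n"


def build_fix_reg(targets):
    """fix.reg: a leading '-' in the key header tells regedit to delete the key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cs in CONTROL_SETS:
        for rel in targets:
            lines.append(f"[-HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\{rel}]")
            lines.append("")
    return "\r\n".join(lines)


# Constructed sample in the shape of the search log in this thread, including
# subkeys that must be ignored and the legitimate vvftav driver.
SAMPLE_LOG = r"""Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb]
"DisplayName"="zpqaxb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zpqaxb\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VYDHNVZH\0000]
"Service"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vvftav]
; Contents of value:
; system32\drivers\vvftav.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh]
"DisplayName"="vydhnvzh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vydhnvzh\Enum]
"0"="Root\\LEGACY_VYDHNVZH\\0000"

; End Of The Log...
"""


def main(argv):
    # Usage: python fixgen.py [search_log.txt] [excluded_name ...]
    # With no arguments the constructed sample above is used.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            raw = fh.read()
        # Accept either a UTF-16 (BOM) or an ANSI log file.
        text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
        log_lines = text.splitlines()
        exclude = argv[2:]
    else:
        log_lines = SAMPLE_LOG.splitlines()
        exclude = ["vvftav"]
    targets = collect_targets(log_lines, exclude)
    # Both outputs are plain ASCII; regedit accepts ANSI .reg files as well as UTF-16.
    with open("FixReg.bat", "w", newline="") as fh:
        fh.write(build_regdacl_batch(targets))
    with open("fix.reg", "w", newline="") as fh:
        fh.write(build_fix_reg(targets))
    print(f"{len(targets)} keys x {len(CONTROL_SETS)} control sets written")


if __name__ == "__main__":
    main(sys.argv)
```

Review the generated fix.reg against the log before merging it, exactly as you would the hand-written one: a wrong name in the exclusion list deletes a driver you wanted to keep.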
 
That certainly got shorter

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman ©2005
; Version: 2.0.5.0

; Results at 2008-08-26 23:53:05 for strings:
; 'awrjd '
; 'ayzpqa'
; 'cabyopr'
; 'pabzaxy'
; 'qprbzqx'
; 'qrabpqx'
; 'vydhnvzh'
; 'wwinsystem'
; 'xyzqcbo'
; 'z7xq6c1ddy'
; 'zpqaxb'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
 
Yes it certainly is :)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply along with a fresh HijackThis log.
 
I'm having trouble doing a full scan with Malwarebytes' Anti-Malware, I get an error message that says:

"An error occured please report the following error code to the Malwarebytes' anti-Malware support team
Error cod: 731 (0,6)"

while scanning
D:\Program Files\Thunder Network\Thunder\Components\ExplorerHelper\REGXPCOM.EXE
The scan then proceeds as though nothing happened until it unexpectedly stops on what seems to be an insignificant file and stays there for several minutes until I close the program. During that time the built-in time ticker doesn't move. I'll try it a few more times and just not touch it after the error message.
 
It worked fine this time, though the error message was still there, here are the logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:30, on 2008-08-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wscntfy.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
d:\Program Files\Rising\Rav\RAVMON.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RavTask] "d:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.cctv.com
O15 - Trusted Zone: *.kdy8.com
O15 - Trusted Zone: *.yahoo.cn
O15 - Trusted Zone: *.yahoo.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8DACBD7-AAF4-4EB3-A3B7-DA5AAA23963D}: NameServer = 221.12.1.228 221.12.65.228
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - d:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5941 bytes



Malwarebytes' Anti-Malware 1.25
Database version: 1089
Windows 5.1.2600 Service Pack 2

00:29:22 2008-08-28
mbam-log-08-28-2008 (00-29-22).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 132737
Time elapsed: 17 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{90af1289-f140-a140-d012-c1458759fc09} (Trojan.vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spml_set.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{90af1289-f140-a140-d012-c1458759fc09} (Trojan.vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ypcqhhlp.dll (Trojan.vundo) -> Quarantined and deleted successfully.
D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll (Trojan.BHO) -> Quarantined and deleted successfully.
 
If you have set these, you can restore them from quarantine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spml_set.exe (Security.Hijack) -> Quarantined and deleted successfully.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
 
I had to turn off my virus protection for several hours to get Kaspersky to run properly.

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 29, 2008 05:14:13
Records in database: 1160100


Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned: 96871
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:04:01

File name | Threat name | Threats count
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\FB299784.DLL.bac_a03096 | Infected: Trojan-Downloader.Win32.Agent.adps | 1

C:\System Volume Information\_restore{A7ADAFEF-084A-4432-8AB5-D52AE3BA85B3}\RP8\A0007611.sys | Infected: Trojan-Downloader.Win32.Hmir.iyg | 1

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\8xqd3.sys.vir | Infected: Trojan-Downloader.Win32.Hmir.iyg | 1

C:\_OTMoveIt\MovedFiles\08232008_235031\WINDOWS\Fonts\winntls.exe | Infected: Trojan.Win32.Inject.ffb | 1

The selected area was scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:32, on 2008-08-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM305_STI.EXE
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Rising\Rav\RavTask.exe
D:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
d:\Program Files\Rising\Rav\Rav.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: PPVADownloader - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLiveVA\DownloaderManager.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [RavTask] "d:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - D:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - E:\电影\PPLive\PPLive.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.cctv.com
O15 - Trusted Zone: *.kaspersky.com
O15 - Trusted Zone: *.kdy8.com
O15 - Trusted Zone: *.yahoo.cn
O15 - Trusted Zone: *.yahoo.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8DACBD7-AAF4-4EB3-A3B7-DA5AAA23963D}: NameServer = 221.12.1.228 221.12.65.228
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - D:\PROGRA~1\KuGoo3\InExtend\KUGOO3~1.OCX
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - d:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6193 bytes
 
Empty these folders

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine

C:\QooBox\Quarantine

C:\_OTMoveIt\MovedFiles\

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I'll give you instructions later on how to empty it.

Other than that, any problems left?
 
Done. Some things have gotten better.

But I still can't open Firefox or use Ctrl+Alt+Del, and PC Tools Spyware Doctor is still reporting about 30 trojans and some other things.
 
Have you tried reinstalling Firefox?

As for task manager, download this. Double-click it, click Yes and OK.

Reboot and tell me if it works now.

As for Spyware Doctor, I will need to see the scan report. They could be false positives or the real deal.
 
Reinstalling Firefox didn't seem to make a difference. I have only gotten Firefox to work once on this computer, maybe last month I downloaded the newest version and it worked the first time I ran it, but after a restart it would not open.

I still cannot get to the Task Manager.

I'm not really sure how to show you a Spyware Doctor scan report. I could take a series of screen shots, or I could type them all into a text file, but I would rather not do that as there are a lot of entries, most of them for Combofix.

There is also a long delay between when I click on the Shutdown Computer link in the Start menu, and when the window with the restart, shutdown or logout options comes up.
 
I also get little pop-up ads on the sides of windows in Netscape. They are not in separate windows, but there is an option to close them, something like what you might get on a web page with obnoxious moving ads that follow you as you scroll up and down.
 
"Reinstalling Firefox didn't seem to make a difference. I have only gotten Firefox to work once on this computer, maybe last month I downloaded the newest version and it worked the first time I ran it, but after a restart it would not open."

OK, so that might not be a malware issue at all. A Mozilla forum might be a better place for that issue.

"I still cannot get to the Task Manager."

Does Ctrl+Shift+Esc work? Does it say anything when you press Ctrl+Alt+Del?

"I'm not really sure how to show you a Spyware Doctor scan report. I could take a series of screen shots, or I could type them all into a text file, but I would rather not do that as there are a lot of entries, most of them for Combofix."

Then those are likely gone after Combofix installation:

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Let me know what Spyware Doctor finds after that.

"I also get little pop-up ads on the sides of windows in Netscape. They are not in separate windows, but there is an option to close them, something like what you might get on a web page with obnoxious moving ads that follow you as you scroll up and down."

Might be due to browser settings or the lack of a HOSTS file.

You might want to try this:

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

"There is also a long delay between when I click on the Shutdown Computer link in the Start menu, and when the window with the restart, shutdown or logout options comes up."

Pretty impossible to say why. Maybe some Windows forum could help.
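As an added example (not the helper's code and not the MVPS file itself), a small Python parser that shows the HOSTS-file mechanism described above: any name listed against 127.0.0.1 (or 0.0.0.0) is answered locally and never reaches the ad server. The file contents and domain names below are constructed placeholders.

```python
"""Parse a Windows HOSTS file and report which names it sinkholes locally.

Added example, not from the forum thread. Uses a constructed sample rather
than the real MVPS file; entry format matches Windows\System32\drivers\etc\hosts.
"""

# Constructed sample HOSTS text (placeholder names, not the real ad list).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

# Ad servers (constructed entries)
127.0.0.1  ads.example-adnetwork.test  # trailing comment
127.0.0.1  tracker.example-adnetwork.test banner.example-adnetwork.test
0.0.0.0    popups.example.test
# An entry that points a name somewhere other than the local machine:
203.0.113.7  update.example-security-vendor.test
"""

# Addresses that keep traffic on the local computer, i.e. that block a site.
LOCAL_SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname (lowercase): ip} from HOSTS-file text.

    Handles whole-line and trailing '#' comments, blank lines and several
    hostnames on one line. The first entry seen for a name is kept.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def is_sinkholed(mapping, hostname):
    """True if the HOSTS file sends this name to the local machine (blocked)."""
    return mapping.get(hostname.lower()) in LOCAL_SINKHOLES


def foreign_redirects(mapping):
    """Entries that send a name to a non-local address. These block nothing;
    they reroute traffic, so they are the lines to review on a suspect PC."""
    return {n: ip for n, ip in mapping.items() if ip not in LOCAL_SINKHOLES}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adnetwork.test", "www.example.test"):
        print(name, "blocked" if is_sinkholed(hosts, name) else "not in HOSTS")
    print("non-local redirects:", foreign_redirects(hosts))
```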
 