
Rootkit.Dayoff.process


Post by lagger » July 31st, 2007, 12:09 am

Spybot S&D keeps popping up with this one. RegAssassin, Spybot and AVG run to no avail. How do I get rid of this trojan?
lagger
Regular Member
 
Posts: 43
Joined: April 23rd, 2007, 4:05 pm

Post by Scotty » July 31st, 2007, 6:21 am

Hi! Welcome to the MWR forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Please be patient, as my posts to you have to be checked before I reply, so they may take longer.

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Post by lagger » July 31st, 2007, 6:58 am

Thanks for responding

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:47 AM, on 7/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: ELSBLaunch.lnk = C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/download ... TSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscan ... canner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2774464484
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... -0-3-0.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://us.creative.com/support/download ... /CTPID.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6051 bytes


HJT uninstall list:

Acronis True Image Home
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0
AGEIA PhysX v2.4.4
Ahead Nero - Burning Rom
AnalogX Proxy
a-squared Free 2.0
ASUSUpdate
ATI Display Driver
Audacity 1.2.6
AudioConverter
AVG 7.5
AVI Joiner
Azureus
BlindWrite suite
Blues Guitar Explorer
CC File Transfer 2.5
CCleaner (remove only)
CD-DA X-Tractor v0.24
Codec Pack - All In 1 6.0.2.4
Creative Driver
CuteFTP 7 Professional
Direct WAV MP3 Splitter 2.4
Discover Deskshop®
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Driver Cleaner 2
Driver Magician 3.16
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD2AVI Ripper v1.0.0.11
DVDFab Decrypter 2.9.7.5
DVDFab Express 2.9.7.9
DVDFab Platinum 2.9.2.2
EarthLink spamBlocker Add-On
EPSON Printer Software
EVEREST Home Edition v2.20
Far Cry
Forté Agent
GetDataBack for NTFS
GiPo@MoveOnBoot 1.9.5
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Huffyuv AVI lossless video codec (Remove Only)
ImgBurn (Remove Only)
Intel(R) PRO Network Adapters and Drivers
IsoBuster 1.0
Java 2 Runtime Environment, SE v1.4.2_01
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
KProbe 1.1.23
Line 6 Drivers 3.2.7.0 (Remove Only)
Line 6 Drivers 3.2.9.2 (Remove Only)
Line 6 Edit (remove only)
Line 6 Monkey 1.15 (Remove Only)
Line 6 Monkey 1.16 (Remove Only)
LiveUpdate 2.0 (Symantec Corporation)
Magic DVD Ripper V3.5
MakeTorrent v2.1
Media Resizer PRO
Microsoft Data Access Components KB870669
Microsoft Excel Viewer 97
Microsoft Office XP Professional
Microsoft Reader
mIRC
Mozilla Firefox (2.0)
MP3 To Wave Converter PLUS
O&O Defrag Professional Edition
Outlook Express Q823353
Paint Shop Pro 7
PaperPort 9.0
PODxt Drivers 2.5.1.0 (Remove Only)
PODxt Drivers 2.6.8.0 (Remove Only)
PowerISO
RegSupreme 1.1
Security Update for Windows XP (KB912919)
Send To Extensions PowerToy
Shockwave
ShrinkTo5 GUI
Snip It! button for http://www.en.snip.pl
SoundMAX
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Total Video Converter 3.10
TurboTax Deluxe Deduction Maximizer 2006
Tweak UI
Update for Windows XP (KB898461)
VideoLAN VLC media player 0.8.2
Visioneer 8100 Scanner
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB905915
Windows XP Service Pack 1a
WinRAR archiver
WinZip
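As an added example (not code from this thread or from HijackThis), a small Python parser for the log format posted above: it turns each R/O line into a record and flags what a helper looks at first, namely O23 services whose binary is missing or has no owner, O4 Run entries that name a bare file without a path, and O16 URLs the forum shortened with " ... ". The flags are review prompts, not verdicts.

```python
"""Parse HijackThis 2.0 log lines into records and mark what a helper reviews
first. Added example for this thread, not HijackThis code; flags are review
prompts, not verdicts (plenty of legitimate software has 'Unknown owner')."""
import re
from dataclasses import dataclass, field

# Excerpt of the HijackThis log posted above (sample input for this example).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - Global Startup: ELSBLaunch.lnk = C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_REG_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] "
                       r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O4_STARTUP_RE = re.compile(r"^(?P<key>\w*\s?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^(?P<key>.+?),(?P<value>[^=]+?) = ?(?P<data>.*)$")
MISSING = " (file missing)"


@dataclass
class Entry:
    section: str                 # R0, O4, O16, O23 ...
    name: str                    # value name, display name, CLSID or key
    target: str                  # file path, URL or registry data
    flags: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    bad = Entry(section, "?", body, ["unparsed"])
    if section == "O4":
        r = O4_REG_RE.match(body) or O4_STARTUP_RE.match(body)
        if not r:
            return bad
        e = Entry(section, r.group("name"), r.group("cmd"))
        if "\\" not in executable_of(e.target):
            # Bare file name: found via the PATH search order, so the log
            # alone does not tell you which file actually runs.
            e.flags.append("no-path")
        return e
    if section == "O23":
        r = O23_RE.match(body)
        if not r:
            return bad
        e = Entry(section, r.group("name"), r.group("path"))
        if e.target.endswith(MISSING):
            e.target = e.target[: -len(MISSING)]
            e.flags.append("file-missing")    # orphaned entry or hidden binary
        if r.group("owner") == "Unknown owner":
            e.flags.append("unknown-owner")   # binary carries no company name
        return e
    if section == "O16":
        r = O16_RE.match(body)
        if not r:
            return bad
        e = Entry(section, r.group("name") or r.group("clsid"), r.group("url"))
        if " ... " in e.target:
            e.flags.append("truncated-url")   # forum shortened it; ask for the full log
        return e
    if section.startswith("R"):
        r = R_RE.match(body)
        return Entry(section, r.group("value"), r.group("data")) if r else bad
    return Entry(section, "", body)        # other sections kept verbatim


def parse_log(text: str) -> list:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def flagged(entries) -> list:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section:4} {e.name:40} {','.join(e.flags):28} {e.target}")
```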

Post by Scotty » July 31st, 2007, 10:29 am

Hello lagger

Firstly, could you open Spybot S&D and, if you haven't already, click on the Mode tab at the top, then on Advanced mode.
In the left pane, select Tools then View Reports. Select View Previous Report and choose the most recent. Copy and paste that report in your next reply.

Secondly,
Download F-Secure Blacklight (fsbl.exe) to the desktop from here.

Open it and click Accept Agreement.
Click Scan.
After the scan is complete, click Next, then Exit.
It will create a log on the desktop named fsbl-xxxxxxx.log (the xxxxxxx will be the date and time of the scan).
Save the log to your desktop. Paste the log in your next reply.

Post by lagger » July 31st, 2007, 11:14 am

-- Report generated: 2007-07-30 22:09 ---

Rootkit.Dayoff.Process: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421

HitBox: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


MediaPlex: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


BlueStreak: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


Statcounter: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


Excite: Tracking cookie (Internet Explorer: Michael) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


LinkSynergy: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


Excite: Tracking cookie (Internet Explorer: Michael) (Cookie, nothing done)


Common Dialogs: History (25 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Adobe Acrobat Reader 5: Last selected preference panel (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Adobe\Acrobat Reader\5.0\PrefsDialog\aLastPrefsPanel

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir!=

Ahead Nero Burning Rom: Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir!=

Animation Shop 3: Recent browse folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\Browser\BrowseDir!=

Animation Shop 3: Recent image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\FileOpenDialog\OpenImageDir!=

Animation Shop 3: Recent save as folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\SaveAsDialog\SaveAsDir!=

BlindWrite Suite (BlindRead): Last used image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\VSO\BlindRead\forms\Image Path!=

BlindWrite Suite (BlindWrite): Last loaded CD image (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\VSO\BlindWrite\PG3_TocFiles!=

Internet Explorer: Typed URL list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\Download Directory!=

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: AutoComplete data (18 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\IntelliForms\SPW

Isobuster: Last save folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Smart Projects\IsoBuster\LastSavedPath

MS Management Console: Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Media Player: Recent file list (8 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Player\RecentFileList

MS Media Player: Recent open directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir!=

MS Media Player: Application data file (global) () (File, nothing done)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\AutoComplete\MediaSearch

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Last selected track index (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylistIndex

MS Media Player: Last selected node (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\MediaLibraryUI\MLLastSelectedNode!=

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Direct3D\MostRecentApplication\Name!=

MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS DirectInput: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

MS DirectInput: Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

MS DirectInput: Last mapped application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\ID!=

MS DirectInput: Last mapped application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\Name!=

MS Office 10.0 (Word): Recently used documents list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\10.0\Word\Data\Settings

MS Office 10.0 (Word): Templates history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\10.0\Word\Recent Templates

MS Office 11.0 (Office Startup Assistant): Last search location (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\11.0\Osa\FindFile\Place

MS Frontpage: Default image add folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\FrontPage\Editor\Default Add Image Directory!=

MS Frontpage: Last opened web (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Settings\LastWebOpen!=

MS Search Assistant: Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Search Assistant\ACMru

MS Windows Backup 5.0: Last created backup set (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Ntbackup\Hardware\Logical Disk File!=

Paint Shop Pro 7: Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\Recent File List

Paint Shop Pro 7: Browse directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\Browser\BrowseDir!=

Paint Shop Pro 7: Image directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\General\ImageDirectory!=

Paint Shop Pro 7: Recent GIF directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportGIF\Directory!=

Paint Shop Pro 7: Recent JPG directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportJPG\Directory!=

Paint Shop Pro 7: Recent PNG directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportPNG\Directory!=

Windows: Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=

Windows.OpenWith: Open with list - .001 extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001\OpenWithList

Windows.OpenWith: Open with list - .ACE extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ACE\OpenWithList

Windows.OpenWith: Open with list - .ASF extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithList

Windows.OpenWith: Open with list - .ASX extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList

Windows.OpenWith: Open with list - .AU extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList

Windows.OpenWith: Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: Open with list - .BAK extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAK\OpenWithList

Windows.OpenWith: Open with list - .BIN extension (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: Open with list - .BMP extension (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .BUP extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList

Windows.OpenWith: Open with list - .CAB extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList

Windows.OpenWith: Open with list - .CDA extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList

Windows.OpenWith: Open with list - .CHK extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHK\OpenWithList

Windows.OpenWith: Open with list - .CHM extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHM\OpenWithList

Windows Explorer: Recent wallpaper list (501 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: Run history (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: Stream history (201 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: User Assistant history IE (26 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (347 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Last visited history (10 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

WinRAR: Recent file list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\ArcHistory

WinRAR: Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\General\LastFolder!=

WinRAR: Extraction directory history (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\DialogEditHistory\ExtrPath

WinZip: Recent extracted file list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\extract

WinZip: Recent created file list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\filemenu

WinZip: Number of times run (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\rrs\Opened!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\DefDir!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\zDefDir!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\AddDir!=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\ExtractTo!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\gzAddDir!=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\gzExtractTo!=

Cookie: Cookie (217) (Cookie, nothing done)


Cache: Cache (6206) (Cache, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-07-25 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-07-25 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-07-25 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-07-25 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-07-25 Includes\Malware.sbi (*)
2007-07-25 Includes\MalwareC.sbi (*)
2007-07-11 Includes\PUPS.sbi (*)
2007-07-25 Includes\PUPSC.sbi (*)
2003-11-12 Includes\QA Tests.sbi (*)
2007-07-25 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-07-25 Includes\SecurityC.sbi (*)
2007-07-11 Includes\Spybots.sbi (*)
2007-07-25 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-07-25 Includes\Trojans.sbi (*)
2007-07-25 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll



07/31/07 11:11:19 [Info]: BlackLight Engine 1.0.64 initialized
07/31/07 11:11:19 [Info]: OS: 5.1 build 2600 (Service Pack 1)
07/31/07 11:11:20 [Note]: 7019 4
07/31/07 11:11:20 [Note]: 7005 0
07/31/07 11:11:24 [Note]: 7006 0
07/31/07 11:11:24 [Note]: 7011 2036
07/31/07 11:11:24 [Note]: 7026 0
07/31/07 11:11:24 [Note]: 7026 0
07/31/07 11:11:27 [Note]: FSRAW library version 1.7.1022
07/31/07 11:13:25 [Note]: 2000 1012
07/31/07 11:13:27 [Note]: 2000 1012
07/31/07 11:14:26 [Note]: 7007 0
lagger

Unread postby Scotty » July 31st, 2007, 1:33 pm

Hi lagger

    Please go HERE to run Panda ActiveScan...

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to your desktop.


Could you also run Spybot again and post the new report along with the Panda report in your next reply?
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby lagger » July 31st, 2007, 10:53 pm

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Michael\Cookies\michael@2o7[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Michael\Cookies\michael@ads.addynamix[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Michael\Cookies\michael@advertising[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Michael\Cookies\michael@burstnet[1].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Michael\Cookies\michael@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Michael\Cookies\michael@club.cdfreaks[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Michael\Cookies\michael@go[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Michael\Cookies\michael@trafficmp[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Michael\Cookies\michael@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Michael\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Michael\Desktop\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Michael\Desktop\SmitfraudFix\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Michael\Desktop\SmitfraudFix\smit\smitRem\Process.exe
Potentially unwanted tool:Application/AnalogX-Proxy.A Not disinfected C:\Program Files\AnalogX\Proxy\proxy.exe
Adware:Adware/Starware Not disinfected C:\Program Files\Google\Google Talk\googletalk-1.0.0.96\googletalk-setup-upgrade.exe[²ÜÇ\System.dll]
Potentially unwanted tool:Application/Processor Not disinfected C:\sdfix\SDFix\apps\Process.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll
Possible Virus. Not disinfected E:\downloads\DCProSetup_11.zip[setup.exe][DCleaner.exe]
Potentially unwanted tool:Application/Processor Not disinfected E:\downloads\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected E:\downloads\VirtumundoBeGone.exe
Dialer:Dialer.Gen Not disinfected F:\paperport9 setup files\ScanSoft PaperPort Pro Office 9.0\Other\PagisConverter\ENGLISH\data1.cab[convproc.exe]
Potentially unwanted tool:Application/Processor Not disinfected F:\vundo\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected F:\vundo\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected F:\vundo\SmitfraudFix\restart.exe


-- Report generated: 2007-07-31 12:29 ---

Rootkit.Dayoff.Process: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421

BlueStreak: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


Excite: Tracking cookie (Internet Explorer: Michael) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


Excite: Tracking cookie (Internet Explorer: Michael) (Cookie, nothing done)


Common Dialogs: History (35 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Adobe Acrobat Reader 5: Last selected preference panel (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Adobe\Acrobat Reader\5.0\PrefsDialog\aLastPrefsPanel

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir!=

Ahead Nero Burning Rom: Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir!=

Animation Shop 3: Recent browse folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\Browser\BrowseDir!=

Animation Shop 3: Recent image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\FileOpenDialog\OpenImageDir!=

Animation Shop 3: Recent save as folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\SaveAsDialog\SaveAsDir!=

BlindWrite Suite (BlindRead): Last used image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\VSO\BlindRead\forms\Image Path!=

BlindWrite Suite (BlindWrite): Last loaded CD image (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\VSO\BlindWrite\PG3_TocFiles!=

Internet Explorer: Typed URL list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\Download Directory!=

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: AutoComplete data (18 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\IntelliForms\SPW

Isobuster: Last save folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Smart Projects\IsoBuster\LastSavedPath

MS Management Console: Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Media Player: Recent file list (8 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Player\RecentFileList

MS Media Player: Recent open directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir!=

MS Media Player: Application data file (global) () (File, nothing done)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\AutoComplete\MediaSearch

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Last selected track index (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylistIndex

MS Media Player: Last selected node (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\MediaLibraryUI\MLLastSelectedNode!=

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Direct3D\MostRecentApplication\Name!=

MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS DirectInput: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

MS DirectInput: Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

MS DirectInput: Last mapped application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\ID!=

MS DirectInput: Last mapped application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\Name!=

MS Office 10.0 (Word): Recently used documents list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\10.0\Word\Data\Settings

MS Office 10.0 (Word): Templates history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\10.0\Word\Recent Templates

MS Office 11.0 (Office Startup Assistant): Last search location (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\11.0\Osa\FindFile\Place

MS Frontpage: Default image add folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\FrontPage\Editor\Default Add Image Directory!=

MS Frontpage: Last opened web (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Settings\LastWebOpen!=

MS Regedit: Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=

MS Search Assistant: Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Search Assistant\ACMru

MS Windows Backup 5.0: Last created backup set (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Ntbackup\Hardware\Logical Disk File!=

Paint Shop Pro 7: Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\Recent File List

Paint Shop Pro 7: Browse directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\Browser\BrowseDir!=

Paint Shop Pro 7: Image directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\General\ImageDirectory!=

Paint Shop Pro 7: Recent GIF directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportGIF\Directory!=

Paint Shop Pro 7: Recent JPG directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportJPG\Directory!=

Paint Shop Pro 7: Recent PNG directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportPNG\Directory!=

Windows: Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=

Windows.OpenWith: Open with list - .001 extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001\OpenWithList

Windows.OpenWith: Open with list - .ACE extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ACE\OpenWithList

Windows.OpenWith: Open with list - .ASF extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithList

Windows.OpenWith: Open with list - .ASX extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList

Windows.OpenWith: Open with list - .AU extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList

Windows.OpenWith: Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: Open with list - .BAK extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAK\OpenWithList

Windows.OpenWith: Open with list - .BIN extension (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: Open with list - .BMP extension (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .BUP extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList

Windows.OpenWith: Open with list - .CAB extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList

Windows.OpenWith: Open with list - .CDA extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList

Windows.OpenWith: Open with list - .CHK extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHK\OpenWithList

Windows.OpenWith: Open with list - .CHM extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHM\OpenWithList

Windows Explorer: Recent wallpaper list (501 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: Run history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: Stream history (201 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: User Assistant history IE (26 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (347 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Last visited history (12 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

WinRAR: Recent file list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\ArcHistory

WinRAR: Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\General\LastFolder!=

WinRAR: Extraction directory history (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\DialogEditHistory\ExtrPath

WinZip: Recent extracted file list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\extract

WinZip: Recent created file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\filemenu

WinZip: Number of times run (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\rrs\Opened!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\DefDir!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\zDefDir!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\AddDir!=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\ExtractTo!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\gzAddDir!=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\gzExtractTo!=

Cookie: Cookie (207) (Cookie, nothing done)


Cache: Cache (226) (Cache, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-07-25 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-07-25 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-07-25 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-07-25 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-07-25 Includes\Malware.sbi (*)
2007-07-25 Includes\MalwareC.sbi (*)
2007-07-11 Includes\PUPS.sbi (*)
2007-07-25 Includes\PUPSC.sbi (*)
2003-11-12 Includes\QA Tests.sbi (*)
2007-07-25 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-07-25 Includes\SecurityC.sbi (*)
2007-07-11 Includes\Spybots.sbi (*)
2007-07-25 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-07-25 Includes\Trojans.sbi (*)
2007-07-25 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
lagger

Unread postby Scotty » August 1st, 2007, 11:07 am

Hi lagger

Download Bobbi Fleckman's Regsearch.

Create a folder for RegSearch on the C: drive called RegSearch. You can do this by going to My Computer, double-clicking C:, then right-clicking, selecting New, then Folder, and naming it RegSearch.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

windev-66eb-3421

then hit Ok.

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Please copy/paste the contents of that file back here.

Reboot into SAFE MODE
    By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into safe mode.

    If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

    I have found that during boot up, right after the computer displays the equipment, memory, etc. installed on your computer, if you start lightly tapping the F8 key, the system will usually display the menu.

To enable the viewing of Hidden files follow these steps:
  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon (or click Start, then select My Computer)
  3. Select the Tools menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button and shut down My Computer.
    Now your computer is configured to show all hidden files.

Use Explorer to navigate to and delete the following files and/or folders (if they are present):

Files:
C:\WINDOWS\system32\xmltok.dll
C:\Program Files\Google\Google Talk\googletalk-1.0.0.96\googletalk-setup-upgrade.exe
E:\downloads\smitRem.exe
E:\downloads\VirtumundoBeGone.exe

Folders:
E:\downloads\DCProSetup_11.zip
C:\Documents and Settings\Michael\Desktop\SmitfraudFix
F:\vundo

Now just exit Explorer and reboot back into Normal Mode.

Download and Run ComboFix

  • Download this file from below:

    Here
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Scotty
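
The step above searches the registry for the one service name Spybot reported and then deletes the flagged files by hand. The script below is an added example, not code from this thread, from RegSearch or from ComboFix: it does the same search across every ControlSet (Spybot found the key under ControlSet002, so a fix applied to CurrentControlSet alone leaves a copy behind) and also looks for the other half of the infection, the driver files such a service points at. Two patterns in it are assumptions drawn from names in this thread rather than published indicators: the service-name regex generalises windev-66eb-3421 to any "windev-" name with two hex groups, and the driver-name regex matches the twelve-letter names (flbphkyfcnsm.sys and three others) that lagger's ComboFix log in the next reply shows being dropped at 8,576 bytes each, several times in one day. It needs PowerShell 3 or later, which this XP SP1 machine does not have, so treat it as the check to run on a later machine that shows the same pattern.

```powershell
# Added example for this thread, not part of the original posts or of any tool
# mentioned in them. Run from an elevated prompt. The two regexes below are
# assumptions generalised from names seen in this thread, not known indicators.

# Spybot flagged the service "windev-66eb-3421"; assume the hex groups vary.
$ServicePattern = '^windev-[0-9a-f]{4}-[0-9a-f]{4}$'

# ComboFix listed flbphkyfcnsm.sys, aepjqetbtgut.sys, gqpksuwgbrlb.sys and
# etdlrlthotmv.sys: twelve lowercase letters, no digits. Assume that shape.
$DriverPattern = '^[a-z]{12}\.sys$'

function Find-SuspiciousServices {
    # Walk every ControlSet, not only CurrentControlSet: the key Spybot "fixed"
    # lived in ControlSet002 and would come back with the next last-known-good.
    $results = @()
    $controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        $servicesPath = "$($cs.PSPath)\Services"
        if (-not (Test-Path -Path $servicesPath)) { continue }
        # A subkey that cannot be opened (access denied) is itself a lead.
        foreach ($svc in Get-ChildItem -Path $servicesPath -ErrorAction SilentlyContinue) {
            if ($svc.PSChildName -notmatch $ServicePattern) { continue }
            $props = Get-ItemProperty -Path $svc.PSPath
            $file = $null
            if ($props.ImagePath) {
                # Driver ImagePaths come as "\??\C:\...", "\SystemRoot\..." or a
                # path relative to the Windows directory; normalise all three.
                $file = $props.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
                if ($file -notmatch '^[A-Za-z]:\\') { $file = Join-Path $env:SystemRoot $file }
            }
            $results += [pscustomobject]@{
                ControlSet = $cs.PSChildName
                Service    = $svc.PSChildName
                ImagePath  = $props.ImagePath
                Start      = $props.Start   # 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled
                Type       = $props.Type    # 1 = kernel driver, 16/32 = Win32 service
                FileExists = $(if ($file) { Test-Path -LiteralPath $file } else { $false })
            }
        }
    }
    return $results
}

function Find-DriverClusters {
    param([int]$MinCount = 2)
    # Group .sys files in system32\drivers by exact size and keep groups with at
    # least $MinCount random-looking names. A name pattern alone is weak evidence;
    # identical size plus close creation times plus no signature is the signal.
    $driverDir = Join-Path $env:SystemRoot 'system32\drivers'
    Get-ChildItem -Path $driverDir -Filter '*.sys' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $DriverPattern } |
        Group-Object -Property Length |
        Where-Object { $_.Count -ge $MinCount } |
        ForEach-Object {
            foreach ($f in $_.Group) {
                [pscustomobject]@{
                    Size    = $f.Length
                    Name    = $f.Name
                    Created = $f.CreationTime
                    # Shipped drivers in this directory carry a Microsoft signature;
                    # "NotSigned" on a random-named file stands out.
                    Signed  = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
                }
            }
        }
}

"== Services matching $ServicePattern =="
Find-SuspiciousServices | Format-Table -AutoSize

"== Same-size drivers with random-looking names (pattern $DriverPattern) =="
Find-DriverClusters | Format-Table -AutoSize
```

Read the two tables together: a windev-* service whose ImagePath points at a driver that also sits in a size cluster is the live component, while a service whose file no longer exists is a leftover key that can be deleted outright. A clean result is not proof of a clean machine. A kernel-mode rootkit can hide its own key and file from this kind of user-mode enumeration, which is why the thread leans on an offline-style look (safe mode, ComboFix, the earlier BlackLight scan) instead of trusting any one tool's report.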

Unread postby lagger » August 1st, 2007, 12:39 pm

ComboFix 07-08-01.3 - "Michael" 2007-08-01 11:33:04.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-01 to 2007-08-01 )))))))))))))))))))))))))))))))


2007-08-01 11:12 <DIR> d-------- C:\regsearch
2007-08-01 07:59 <DIR> d-------- C:\Program Files\EarthLink
2007-08-01 07:42 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 21:51 8,576 --a------ C:\WINDOWS\system32\drivers\flbphkyfcnsm.sys
2007-07-31 21:17 8,576 --a------ C:\WINDOWS\system32\drivers\aepjqetbtgut.sys
2007-07-31 16:23 8,576 --a------ C:\WINDOWS\system32\drivers\gqpksuwgbrlb.sys
2007-07-31 16:08 8,576 --a------ C:\WINDOWS\system32\drivers\etdlrlthotmv.sys
2007-07-31 16:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-31 06:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 12:04 <DIR> d-------- C:\Program Files\Total Video Converter
2007-07-27 11:50 <DIR> d-------- C:\vdub
2007-07-20 14:02 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-07-20 14:02 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-07-20 01:06 <DIR> d-------- C:\New Folder
2007-07-19 23:55 <DIR> d-------- C:\kashpu
2007-07-05 11:55 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-01 00:12 --------- d-------- C:\Program Files\Line6
2007-08-01 00:11 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\Line 6
2007-08-01 00:10 --------- d-------- C:\Program Files\Agent
2007-07-31 23:45 --------- d-------- C:\Program Files\Google
2007-07-31 23:27 --------- d-------- C:\Program Files\Kuma Games
2007-07-31 22:26 --------- d-------- C:\Program Files\a-squared Free
2007-07-31 06:54 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\Azureus
2007-07-29 09:28 --------- d-------- C:\Program Files\Azureus
2007-07-25 23:41 --------- d-------- C:\Program Files\SpywareBlaster
2007-07-17 10:41 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\dvdcss
2007-06-27 18:55 6862 --a------ C:\WINDOWS\mozver.dat
2007-06-19 01:33 --------- d-------- C:\Program Files\DivX
2007-06-18 23:13 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\DivX
2007-06-11 00:46 --------- d-------- C:\Program Files\Common Files\Colasoft Shared
2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
2006-07-23 11:20 0 --a------ C:\DOCUME~1\Michael\APPLIC~1\internaldb41.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-09 21:39]
"AsioReg"="REGSVR32 /S CTASIO.DLL" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-14 12:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 16:03]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ELSBLaunch.lnk - C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe [2004-10-05 11:19:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Start_NotifyNewApps"=0 (0x0)
"NoInstrumentation"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoRecentDocsMenu"=01000000
"NoSMMyPictures"=01000000
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^hc_tray.lnk]
path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\hc_tray.lnk
backup=C:\WINDOWS\pss\hc_tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3.tmp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3.tmp.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4.tmp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4.tmp.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Actual Title Buttons]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appxs.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blue Frog]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPZH]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscoverDeskshop]
C:\Program Files\Discover Deskshop\Deskshop.exe /dontopenmycards

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo 820 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPnote]
c:\ipnote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lnkzjuyp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft QMGR]
msnqmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"c:\windows\servicepackfiles\i386\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NXFPLVD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
rundll32.exe ptipbmf.dll,SetWriteCacheMode

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
Rundll32.exe ptipbm.dll,SetWriteBack

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegKillElbyCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShutDown Plus]
c:\windows\system32\shutdown.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNInstall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\supervisor.exe]
C:\WINDOWS\supervisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TraySantaCruz]
g:\downloads\santa cruz xp driver\98 beta\tbctray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VetTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshost.exe]
C:\WINDOWS\System32\winshost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=3 (0x3)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)
"Ip6FwHlp"=3 (0x3)
"ImapiService"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ClipSrv"=3 (0x3)
"Messenger"=3 (0x3)

R0 fasttx2k;fasttx2k;C:\WINDOWS\System32\DRIVERS\fasttx2k.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\System32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\System32\DRIVERS\timntr.sys
R0 UlSata;UlSata;C:\WINDOWS\System32\DRIVERS\ulsata.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\System32\drivers\SCDEmu.sys
R2 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R2 ppsio2;PPDevice;C:\WINDOWS\System32\drivers\ppsio2.sys
R2 Sentinel;Sentinal;C:\WINDOWS\System32\Drivers\SENTINEL.SYS
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
R3 E1000;Intel(R) PRO/1000 Adapter Driver;C:\WINDOWS\System32\DRIVERS\e1000325.sys
S1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\System32\DRIVERS\ATITool.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 DirectNT;DirectNT;\??\F:\pat\DIRECTNT.SYS
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 L6POD;L6 PODxt Service;C:\WINDOWS\System32\Drivers\L6POD.sys
S3 MidiSyn;MidiSyn;C:\WINDOWS\System32\drivers\MidiSyn.sys
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\System32\drivers\msmpu401.sys
S3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\System32\Drivers\Pcouffin.sys
S3 RadProbe;Radeon Probe Driver;C:\WINDOWS\System32\DRIVERS\RadProbe.sys
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS
S3 vaxscsi;vaxscsi;C:\WINDOWS\System32\Drivers\vaxscsi.sys
S4 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 11:34:12
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\x90\ek\v]
"DisplayName"="\xffff\xffff\xf70f\x77f5\xf7f\x77f6"
"DeviceDesc"="\xffff\xffff\xf70f\x77f5\xf7f\x77f6"
"ProviderName"=""
"MFG"="urrentControlSet\Services\ati2mtag\Device0"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\x1b90\xb6b\DriverFiles\\x3b74\23\x3ae5\x77f8\t.INF"
"DeviceInstanceIds"=str(7):"`"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\xb0\37k\v]
"DisplayName"="\x4518\23\x1d8\25\x45fc\23\x4809\x77e9\x3278\x77e8\xffff\xffff\x5f10\x77e7\x5faa\x77e7\2"
"DeviceDesc"="\x4518\23\x1d8\25\x45fc\23\x4809\x77e9\x3278\x77e8\xffff\xffff\x5f10\x77e7\x5faa\x77e7\2"
"ProviderName"=""
"MFG"="urrentControlSet\Services\ati2mtag\Device0"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\x1fb0\xb6b\DriverFiles\\x3b74\23\x3ae5\x77f8\31.INF"
"DeviceInstanceIds"=str(7):"`"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG06.00.00.01WORKSTATION"="..."
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E7C843A-EFE3-EB26-568C-9DE49ADE4BC2}]
"oakciifnfgmneofopbcknhcmeedced"=hex:64,61,6b,6d,69,67,61,6e,00,00
"oaobjogcmekdeekjhmjmkdiggkmoce"=hex:6a,61,70,6d,61,68,66,6f,69,70,68,69,63,6a,65,6f,64,6e,64,70,00,..
"namadpjgpleilgbkncoblafkhcjm"=hex:6a,61,70,6d,61,68,66,6f,69,70,68,69,63,6a,65,6f,64,6e,64,70,00,..
"eagbiilaoh"=hex:61,62,6e,62,65,6f,6e,69,67,66,6d,6c,62,68,61,62,6d,64,65,6e,61,..
"cajcok"=hex:64,62,6e,63,6e,66,63,66,6c,62,68,68,69,6b,68,62,68,68,6a,62,66,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-01 11:34:34
C:\ComboFix2.txt ... 2007-08-01 07:43

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:27 PM, on 8/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: ELSBLaunch.lnk = C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/download ... TSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscan ... canner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2774464484
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... -0-3-0.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://us.creative.com/support/download ... /CTPID.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6191 bytes


Also a new Spybot log after running ComboFix and deleting the files specified.



--- Report generated: 2007-08-01 12:35 ---

CouponBar: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}

CouponBar: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{A138BE8B-F051-4802-9A3F-A750A6D862D4}

CouponBar: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{87255C51-CD7D-4506-B9AD-97606DAF53F3}

Rootkit.Dayoff.Process: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421

BlueStreak: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


Excite: Tracking cookie (Internet Explorer: Michael) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


Excite: Tracking cookie (Internet Explorer: Michael) (Cookie, nothing done)


Common Dialogs: History (42 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Adobe Acrobat Reader 5: Last selected preference panel (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Adobe\Acrobat Reader\5.0\PrefsDialog\aLastPrefsPanel

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir!=

Ahead Nero Burning Rom: Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir!=

Animation Shop 3: Recent browse folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\Browser\BrowseDir!=

Animation Shop 3: Recent image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\FileOpenDialog\OpenImageDir!=

Animation Shop 3: Recent save as folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\SaveAsDialog\SaveAsDir!=

BlindWrite Suite (BlindRead): Last used image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\VSO\BlindRead\forms\Image Path!=

BlindWrite Suite (BlindWrite): Last loaded CD image (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\VSO\BlindWrite\PG3_TocFiles!=

Internet Explorer: Typed URL list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\Download Directory!=

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: AutoComplete data (18 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\IntelliForms\SPW

Isobuster: Last save folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Smart Projects\IsoBuster\LastSavedPath

MS Management Console: Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Media Player: Recent file list (8 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Player\RecentFileList

MS Media Player: Recent open directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir!=

MS Media Player: Application data file (global) () (File, nothing done)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\AutoComplete\MediaSearch

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Last selected track index (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylistIndex

MS Media Player: Last selected node (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\MediaLibraryUI\MLLastSelectedNode!=

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Direct3D\MostRecentApplication\Name!=

MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS DirectInput: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

MS DirectInput: Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

MS DirectInput: Last mapped application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\ID!=

MS DirectInput: Last mapped application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\Name!=

MS Office 10.0 (Word): Recently used documents list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\10.0\Word\Data\Settings

MS Office 10.0 (Word): Templates history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\10.0\Word\Recent Templates

MS Office 11.0 (Office Startup Assistant): Last search location (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\11.0\Osa\FindFile\Place

MS Frontpage: Default image add folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\FrontPage\Editor\Default Add Image Directory!=

MS Frontpage: Last opened web (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Settings\LastWebOpen!=

MS Regedit: Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=

MS Search Assistant: Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Search Assistant\ACMru

MS Windows Backup 5.0: Last created backup set (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Ntbackup\Hardware\Logical Disk File!=

Paint Shop Pro 7: Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\Recent File List

Paint Shop Pro 7: Browse directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\Browser\BrowseDir!=

Paint Shop Pro 7: Image directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\General\ImageDirectory!=

Paint Shop Pro 7: Recent GIF directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportGIF\Directory!=

Paint Shop Pro 7: Recent JPG directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportJPG\Directory!=

Paint Shop Pro 7: Recent PNG directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportPNG\Directory!=

Windows: Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=

Windows.OpenWith: Open with list - .001 extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001\OpenWithList

Windows.OpenWith: Open with list - .ACE extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ACE\OpenWithList

Windows.OpenWith: Open with list - .ASF extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithList

Windows.OpenWith: Open with list - .ASX extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList

Windows.OpenWith: Open with list - .AU extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList

Windows.OpenWith: Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: Open with list - .BAK extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAK\OpenWithList

Windows.OpenWith: Open with list - .BIN extension (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: Open with list - .BMP extension (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .BUP extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList

Windows.OpenWith: Open with list - .CAB extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList

Windows.OpenWith: Open with list - .CDA extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList

Windows.OpenWith: Open with list - .CHK extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHK\OpenWithList

Windows.OpenWith: Open with list - .CHM extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHM\OpenWithList

Windows Explorer: Recent wallpaper list (501 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: Run history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: Stream history (201 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: User Assistant history IE (26 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (347 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Last visited history (12 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

WinRAR: Recent file list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\ArcHistory

WinRAR: Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\General\LastFolder!=

WinRAR: Extraction directory history (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\DialogEditHistory\ExtrPath

WinZip: Recent extracted file list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\extract

WinZip: Recent created file list (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\filemenu

WinZip: Number of times run (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\rrs\Opened!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\DefDir!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\zDefDir!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\AddDir!=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\ExtractTo!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\gzAddDir!=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\gzExtractTo!=

Cookie: Cookie (216) (Cookie, nothing done)


Cache: Cache (2356) (Cache, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-01 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-01 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-08-01 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-01 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-01 Includes\MalwareC.sbi (*)
2007-07-11 Includes\PUPS.sbi (*)
2007-08-01 Includes\PUPSC.sbi (*)
2003-11-12 Includes\QA Tests.sbi (*)
2007-08-01 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-01 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-08-01 Includes\Trojans.sbi (*)
2007-08-01 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
lagger
Regular Member
 
Posts: 43
Joined: April 23rd, 2007, 4:05 pm

Unread postby lagger » August 1st, 2007, 12:41 pm

forgot the regsearch log .. here it is:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 8/1/2007 11:16:39 AM for strings:
; 'windev-66eb-3421'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421]
"DisplayName"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\windev-66eb-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\windev-66eb-3421]
"DisplayName"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\windev-66eb-3421\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\windev-66eb-3421\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\windev-66eb-3421\Enum]
"0"="Root\\LEGACY_WINDEV-66EB-3421\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-66eb-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-66eb-3421]
"DisplayName"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-66eb-3421\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-66eb-3421\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-66eb-3421\Enum]
"0"="Root\\LEGACY_WINDEV-66EB-3421\\0000"

; End Of The Log...
lagger
Regular Member
 
Posts: 43
Joined: April 23rd, 2007, 4:05 pm

Unread postby Scotty » August 1st, 2007, 3:51 pm

Hi lagger

Open Notepad and Copy/Paste the text in the codebox below into it:

Code:
File:: 
C:\WINDOWS\system32\drivers\flbphkyfcnsm.sys 
C:\WINDOWS\system32\drivers\aepjqetbtgut.sys 
C:\WINDOWS\system32\drivers\gqpksuwgbrlb.sys 
C:\WINDOWS\system32\drivers\etdlrlthotmv.sys 
C:\WINDOWS\System32\winshost.exe 

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3.tmp] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3.tmp.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4.tmp] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4.tmp.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdRoarUpdate] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appxs.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPZH] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lnkzjuyp] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft QMGR] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NXFPLVD] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegKillElbyCheck] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshost.exe] 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\x90\ek\v] 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\xb0\37k\v] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System] 
"OODEFRAG06.00.00.01WORKSTATION"=- 
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E7C843A-EFE3-EB26-568C-9DE49ADE4BC2}] 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421] 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421] 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421] 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000\Control] 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\windev-66eb-3421] 
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421] 
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-66eb-3421]
 



Save this as "CFScript"

[image: CFScript being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a new HijackThis log.

Download Bobbi Flekman's RegSearch.

Create a folder for RegSearch on the C: drive called RegSearch. You can do this by going to My Computer, double-clicking C:, then right-clicking and selecting New, then Folder, and naming it RegSearch.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

windev-66eb-3421

then hit Ok.

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Please copy/paste the contents of that file back here.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
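As an added example (not code from the thread, from RegSearch or from ComboFix), the Python script below automates the step Scotty does by hand in this post and in his follow-up: it reads a RegSearch result file, keeps the keys whose own path contains the searched string, drops subkeys whose parent is already listed, and writes out the Driver:: and Registry:: sections of a CFScript. The sample log is constructed after the RegSearch output posted in this thread; the ExampleVendor key and its value are made up to show a data-only match being left alone.

```python
"""Build a ComboFix CFScript from a RegSearch result log.

Added example for this thread; it is not part of RegSearch, ComboFix or the
original posts. It automates the step Scotty performs by hand: take the keys
RegSearch reported for the searched string, keep only those whose own path
contains it, drop subkeys whose parent is already listed, and emit the
"Driver::" and "Registry::" sections of a CFScript.
"""
import re
from typing import List

# A key line in a .reg export looks like: [HKEY_LOCAL_MACHINE\SYSTEM\...]
KEY_LINE = re.compile(r"^\[(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]\s*$")

# Service keys live under HKLM\SYSTEM\<control set>\Services\<name>[\...]
SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\([^\\]+)(?:\\.*)?$",
    re.IGNORECASE,
)

# Constructed sample, modelled on the RegSearch output posted in the thread.
# The ExampleVendor key is made up: its value mentions the string but the key
# itself is not part of the infection, so it must not be deleted.
SAMPLE_REGSEARCH_LOG = r"""Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman (c) 2005
; Results for strings:
; 'windev-66eb-3421'

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421]
"DisplayName"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-66eb-3421\Enum]
"0"="Root\\LEGACY_WINDEV-66EB-3421\\0000"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"LastError"="service windev-66eb-3421 failed to start"

; End Of The Log...
"""


def extract_keys(log: str) -> List[str]:
    """Return every key named in the log, in order, without duplicates.
    Comment lines (';') and "name"="value" lines are ignored."""
    seen, keys = set(), []
    for line in log.splitlines():
        m = KEY_LINE.match(line.strip())
        if m and m.group(1).lower() not in seen:
            seen.add(m.group(1).lower())
            keys.append(m.group(1))
    return keys


def keys_named_with(keys: List[str], needle: str) -> List[str]:
    """Keep keys whose *path* contains the string. RegSearch also reports keys
    that matched only in value data; those are left for a human to review."""
    n = needle.lower()
    return [k for k in keys if n in k.lower()]


def collapse_to_top_keys(keys: List[str]) -> List[str]:
    """Drop any key that has an ancestor in the list: deleting a key removes
    its subkeys, so listing both is redundant. Registry paths are
    case-insensitive, so the comparison is too."""
    lowered = [k.lower() for k in keys]
    return [
        k for k, kl in zip(keys, lowered)
        if not any(kl.startswith(other + "\\") for other in lowered)
    ]


def service_names(keys: List[str]) -> List[str]:
    """Service names whose key (or a subkey of it) is in the list; these go
    in the CFScript "Driver::" section, as in Scotty's second script."""
    names, seen = [], set()
    for k in keys:
        m = SERVICE_KEY.match(k)
        if m and m.group(1).lower() not in seen:
            seen.add(m.group(1).lower())
            names.append(m.group(1))
    return names


def build_cfscript(log: str, needle: str) -> str:
    """Assemble the CFScript text: optional Driver:: block, then Registry::
    with one [-key] deletion line per top-level matching key."""
    keys = collapse_to_top_keys(keys_named_with(extract_keys(log), needle))
    lines = []
    drivers = service_names(keys)
    if drivers:
        lines += ["Driver::", *drivers, ""]
    lines += ["Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_REGSEARCH_LOG, "windev-66eb-3421"), end="")
```

The generated script still has to be reviewed by eye before it is dropped onto ComboFix; the filter only removes the obvious false positives (keys that merely reference the string in their data).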

Unread postby lagger » August 1st, 2007, 4:49 pm

ComboFix 07-08-01.3 - "Michael" 2007-08-01 16:44:28.3 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Michael\Desktop\cfscript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\aepjqetbtgut.sys
C:\WINDOWS\system32\drivers\etdlrlthotmv.sys
C:\WINDOWS\system32\drivers\flbphkyfcnsm.sys
C:\WINDOWS\system32\drivers\gqpksuwgbrlb.sys


((((((((((((((((((((((((( Files Created from 2007-07-01 to 2007-08-01 )))))))))))))))))))))))))))))))


2007-08-01 11:48 2,992,368 --a------ C:\ELSBSetup.exe
2007-08-01 11:48 <DIR> d-------- C:\Program Files\EarthLink
2007-08-01 11:12 <DIR> d-------- C:\regsearch
2007-08-01 07:42 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 16:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-31 06:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 12:04 <DIR> d-------- C:\Program Files\Total Video Converter
2007-07-27 11:50 <DIR> d-------- C:\vdub
2007-07-20 14:02 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-07-20 14:02 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-07-20 01:06 <DIR> d-------- C:\New Folder
2007-07-05 11:55 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-01 00:12 --------- d-------- C:\Program Files\Line6
2007-08-01 00:11 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\Line 6
2007-08-01 00:10 --------- d-------- C:\Program Files\Agent
2007-07-31 23:45 --------- d-------- C:\Program Files\Google
2007-07-31 23:27 --------- d-------- C:\Program Files\Kuma Games
2007-07-31 22:26 --------- d-------- C:\Program Files\a-squared Free
2007-07-31 06:54 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\Azureus
2007-07-29 09:28 --------- d-------- C:\Program Files\Azureus
2007-07-25 23:41 --------- d-------- C:\Program Files\SpywareBlaster
2007-07-17 10:41 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\dvdcss
2007-06-27 18:55 6862 --a------ C:\WINDOWS\mozver.dat
2007-06-19 01:33 --------- d-------- C:\Program Files\DivX
2007-06-18 23:13 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\DivX
2007-06-11 00:46 --------- d-------- C:\Program Files\Common Files\Colasoft Shared
2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
2006-07-23 11:20 0 --a------ C:\DOCUME~1\Michael\APPLIC~1\internaldb41.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-09 21:39]
"AsioReg"="REGSVR32 /S CTASIO.DLL" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-14 12:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 16:03]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ELSBLaunch.lnk - C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe [2004-10-05 11:19:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Start_NotifyNewApps"=0 (0x0)
"NoInstrumentation"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoRecentDocsMenu"=01000000
"NoSMMyPictures"=01000000
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^hc_tray.lnk]
path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\hc_tray.lnk
backup=C:\WINDOWS\pss\hc_tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Actual Title Buttons]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blue Frog]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscoverDeskshop]
C:\Program Files\Discover Deskshop\Deskshop.exe /dontopenmycards

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo 820 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPnote]
c:\ipnote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"c:\windows\servicepackfiles\i386\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
rundll32.exe ptipbmf.dll,SetWriteCacheMode

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
Rundll32.exe ptipbm.dll,SetWriteBack

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShutDown Plus]
c:\windows\system32\shutdown.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNInstall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\supervisor.exe]
C:\WINDOWS\supervisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TraySantaCruz]
g:\downloads\santa cruz xp driver\98 beta\tbctray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VetTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=3 (0x3)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)
"Ip6FwHlp"=3 (0x3)
"ImapiService"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ClipSrv"=3 (0x3)
"Messenger"=3 (0x3)

R0 fasttx2k;fasttx2k;C:\WINDOWS\System32\DRIVERS\fasttx2k.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\System32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\System32\DRIVERS\timntr.sys
R0 UlSata;UlSata;C:\WINDOWS\System32\DRIVERS\ulsata.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\System32\drivers\SCDEmu.sys
R2 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R2 ppsio2;PPDevice;C:\WINDOWS\System32\drivers\ppsio2.sys
R2 Sentinel;Sentinal;C:\WINDOWS\System32\Drivers\SENTINEL.SYS
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
R3 E1000;Intel(R) PRO/1000 Adapter Driver;C:\WINDOWS\System32\DRIVERS\e1000325.sys
S1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\System32\DRIVERS\ATITool.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 DirectNT;DirectNT;\??\F:\pat\DIRECTNT.SYS
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 L6POD;L6 PODxt Service;C:\WINDOWS\System32\Drivers\L6POD.sys
S3 MidiSyn;MidiSyn;C:\WINDOWS\System32\drivers\MidiSyn.sys
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\System32\drivers\msmpu401.sys
S3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\System32\Drivers\Pcouffin.sys
S3 RadProbe;Radeon Probe Driver;C:\WINDOWS\System32\DRIVERS\RadProbe.sys
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS
S3 vaxscsi;vaxscsi;C:\WINDOWS\System32\Drivers\vaxscsi.sys
S4 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 16:45:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\x90\ek\v]
"DisplayName"="\xffff\xffff\xf70f\x77f5\xf7f\x77f6"
"DeviceDesc"="\xffff\xffff\xf70f\x77f5\xf7f\x77f6"
"ProviderName"=""
"MFG"="urrentControlSet\Services\ati2mtag\Device0"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\x1b90\xb6b\DriverFiles\\x3b74\23\x3ae5\x77f8\t.INF"
"DeviceInstanceIds"=str(7):"`"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\xb0\37k\v]
"DisplayName"="\x4518\23\x1d8\25\x45fc\23\x4809\x77e9\x3278\x77e8\xffff\xffff\x5f10\x77e7\x5faa\x77e7\2"
"DeviceDesc"="\x4518\23\x1d8\25\x45fc\23\x4809\x77e9\x3278\x77e8\xffff\xffff\x5f10\x77e7\x5faa\x77e7\2"
"ProviderName"=""
"MFG"="urrentControlSet\Services\ati2mtag\Device0"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\x1fb0\xb6b\DriverFiles\\x3b74\23\x3ae5\x77f8\31.INF"
"DeviceInstanceIds"=str(7):"`"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG06.00.00.01WORKSTATION"="[value omitted]"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E7C843A-EFE3-EB26-568C-9DE49ADE4BC2}]
"oakciifnfgmneofopbcknhcmeedced"=hex:64,61,6b,6d,69,67,61,6e,00,00
"oaobjogcmekdeekjhmjmkdiggkmoce"=hex:6a,61,70,6d,61,68,66,6f,69,70,68,69,63,6a,65,6f,64,6e,64,70,00,..
"namadpjgpleilgbkncoblafkhcjm"=hex:6a,61,70,6d,61,68,66,6f,69,70,68,69,63,6a,65,6f,64,6e,64,70,00,..
"eagbiilaoh"=hex:61,62,6e,62,65,6f,6e,69,67,66,6d,6c,62,68,61,62,6d,64,65,6e,61,..
"cajcok"=hex:64,62,6e,63,6e,66,63,66,6c,62,68,68,69,6b,68,62,68,68,6a,62,66,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\windev-66eb-3421]


Completion time: 2007-08-01 16:46:01
C:\ComboFix-quarantined-files.txt ... 2007-08-01 16:45
C:\ComboFix2.txt ... 2007-08-01 11:34
C:\ComboFix3.txt ... 2007-08-01 07:43

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:23 PM, on 8/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: ELSBLaunch.lnk = C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/download ... TSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscan ... canner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2774464484
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bu ... eRdxIE.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... -0-3-0.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://us.creative.com/support/download ... /CTPID.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6198 bytes


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 8/1/2007 4:48:47 PM for strings:
; 'windev-66eb-3421'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421\0000\Control]

; End Of The Log...
lagger
Regular Member
 
Posts: 43
Joined: April 23rd, 2007, 4:05 pm

Unread postby Scotty » August 2nd, 2007, 9:08 am

Hello lagger

Open Notepad and Copy/Paste the text in the codebox below into it:

Code:
Driver::
windev-66eb-3421

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windev-66eb-3421]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000\Control]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\windev-66eb-3421]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-66eb-3421]

Save this as "CFScript"

[Image: screenshot showing the CFScript file being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a new HijackThis log.

Download Bobbi Flekman's RegSearch.

Create a folder for RegSearch on the C: drive called RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

windev-66eb-3421

then hit Ok.

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Please copy/paste the contents of that file back here.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
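The two steps Scotty gives above (a RegSearch export, then a CFScript that removes the driver from every ControlSet) worked through as an added example; this is not code from the thread, from ComboFix or from RegSearch. The script reads a RegSearch .reg export like the one lagger posted, recovers the service name from the LEGACY_ enumeration keys, and writes the Driver:: and Registry:: sections for each ControlSet in which the entry appeared. It rests on two assumptions, both consistent with the logs in this thread but assumptions nonetheless: Windows builds the Enum\Root\LEGACY_ key name from the upper-cased service name, and the "Service" value under its 0000 subkey carries that name. The sample input is constructed from the RegSearch output above.

```python
r"""Turn a RegSearch .reg export into a ComboFix CFScript (added example).

Assumptions (consistent with the thread's logs, but assumptions here):
 - Windows names the enumeration key Enum\Root\LEGACY_<SERVICE NAME, UPPER CASE>
 - the "Service" value under its 0000 subkey carries the real service name
"""
import re

# Constructed sample input: the RegSearch result posted in the thread, trimmed.
SAMPLE_REGSEARCH = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-66EB-3421\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-66EB-3421\0000]
"Service"="windev-66eb-3421"
"DeviceDesc"="windev-66eb-3421"

; End Of The Log...
"""

HIVE = r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\"
LEGACY_KEY = re.compile(HIVE + r"Enum\\Root\\LEGACY_([^\\\]]+)")   # parent or any subkey
SERVICE_KEY = re.compile(HIVE + r"Services\\([^\\\]]+)\]$")         # the service key itself
SERVICE_VALUE = re.compile(r'^"Service"="([^"]+)"')


def parse_regsearch(text):
    """Return ({service: set of control sets}, {services whose Services key was listed})."""
    found, direct, legacy_to_service, seen = {}, set(), {}, []
    for line in text.splitlines():
        m = LEGACY_KEY.match(line)
        if m:
            seen.append((m.group(1), m.group(2)))
            continue
        m = SERVICE_KEY.match(line)
        if m:
            found.setdefault(m.group(2).lower(), set()).add(m.group(1))
            direct.add(m.group(2).lower())
            continue
        m = SERVICE_VALUE.match(line)
        if m and seen:
            legacy_to_service[seen[-1][1]] = m.group(1)   # value belongs to the last LEGACY_ key opened
    for control_set, suffix in seen:
        # fall back to the lower-cased LEGACY_ suffix when no "Service" value was exported
        found.setdefault(legacy_to_service.get(suffix, suffix.lower()), set()).add(control_set)
    return found, direct


def build_cfscript(found):
    """Emit the Driver:: and Registry:: sections in CFScript form.

    Driver:: names the services ComboFix is to stop and delete.  Registry::
    uses .reg syntax, where [-key] deletes the key and its subkeys, so the
    LEGACY_ parent already covers its 0000 and 0000\\Control children.  The
    Services key is listed for every control set as well, even when RegSearch
    did not return it, so a key the search missed does not survive the fix.
    """
    drivers, keys = sorted(found), []
    for service in drivers:
        for control_set in sorted(found[service]):
            base = r"HKEY_LOCAL_MACHINE\SYSTEM" + "\\" + control_set
            keys.append("[-%s\\Enum\\Root\\LEGACY_%s]" % (base, service.upper()))
            keys.append("[-%s\\Services\\%s]" % (base, service))
    return "Driver::\n" + "\n".join(drivers) + "\n\nRegistry::\n" + "\n".join(keys) + "\n"


if __name__ == "__main__":
    found, direct = parse_regsearch(SAMPLE_REGSEARCH)
    for service in sorted(set(found) - direct):
        print("note: no Services\\%s key in the export; its deletion lines are defensive" % service)
    print(build_cfscript(found))
```

Run against the sample, it prints six of the seven deletion lines Scotty wrote; the separate ControlSet004 ...\0000\Control entry is left out because, in .reg syntax, deleting the parent LEGACY_ key removes its subkeys. It also prints a note that RegSearch returned no Services\windev-66eb-3421 key at all, which is exactly the situation in lagger's export: the only hits were the Enum\Root enumeration keys, so the Services lines in the script are there in case the search missed the key rather than because it was seen.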

Unread postby lagger » August 2nd, 2007, 10:46 am

ComboFix 07-08-01.3 - "Michael" 2007-08-02 10:22:58.5 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Michael\Desktop\cfscript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINDEV-66EB-3421


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-01 17:55 <DIR> d-------- C:\Program Files\EarthLink
2007-08-01 11:48 2,992,368 --a------ C:\ELSBSetup.exe
2007-08-01 11:12 <DIR> d-------- C:\regsearch
2007-08-01 07:42 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 16:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-31 06:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 12:04 <DIR> d-------- C:\Program Files\Total Video Converter
2007-07-27 11:50 <DIR> d-------- C:\vdub
2007-07-20 14:02 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-07-20 14:02 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-07-20 01:06 <DIR> d-------- C:\New Folder
2007-07-05 11:55 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-01 00:12 --------- d-------- C:\Program Files\Line6
2007-08-01 00:11 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\Line 6
2007-08-01 00:10 --------- d-------- C:\Program Files\Agent
2007-07-31 23:45 --------- d-------- C:\Program Files\Google
2007-07-31 23:27 --------- d-------- C:\Program Files\Kuma Games
2007-07-31 22:26 --------- d-------- C:\Program Files\a-squared Free
2007-07-31 06:54 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\Azureus
2007-07-29 09:28 --------- d-------- C:\Program Files\Azureus
2007-07-25 23:41 --------- d-------- C:\Program Files\SpywareBlaster
2007-07-17 10:41 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\dvdcss
2007-06-27 18:55 6862 --a------ C:\WINDOWS\mozver.dat
2007-06-19 01:33 --------- d-------- C:\Program Files\DivX
2007-06-18 23:13 --------- d-------- C:\DOCUME~1\Michael\APPLIC~1\DivX
2007-06-11 00:46 --------- d-------- C:\Program Files\Common Files\Colasoft Shared
2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
2006-07-23 11:20 0 --a------ C:\DOCUME~1\Michael\APPLIC~1\internaldb41.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-09 21:39]
"AsioReg"="REGSVR32 /S CTASIO.DLL" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-14 12:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 16:03]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ELSBLaunch.lnk - C:\Program Files\EarthLink\spamBlocker\ELSBLaunch.exe [2004-10-05 11:19:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Start_NotifyNewApps"=0 (0x0)
"NoInstrumentation"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoRecentDocsMenu"=01000000
"NoSMMyPictures"=01000000
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^hc_tray.lnk]
path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\hc_tray.lnk
backup=C:\WINDOWS\pss\hc_tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Actual Title Buttons]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blue Frog]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookiePatrol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscoverDeskshop]
C:\Program Files\Discover Deskshop\Deskshop.exe /dontopenmycards

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo 820 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
C:\Program Files\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPnote]
c:\ipnote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"c:\windows\servicepackfiles\i386\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
rundll32.exe ptipbmf.dll,SetWriteCacheMode

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
Rundll32.exe ptipbm.dll,SetWriteBack

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShutDown Plus]
c:\windows\system32\shutdown.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNInstall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\supervisor.exe]
C:\WINDOWS\supervisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TraySantaCruz]
g:\downloads\santa cruz xp driver\98 beta\tbctray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VetTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=3 (0x3)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)
"Ip6FwHlp"=3 (0x3)
"ImapiService"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ClipSrv"=3 (0x3)
"Messenger"=3 (0x3)

R0 fasttx2k;fasttx2k;C:\WINDOWS\System32\DRIVERS\fasttx2k.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\System32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\System32\DRIVERS\timntr.sys
R0 UlSata;UlSata;C:\WINDOWS\System32\DRIVERS\ulsata.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\System32\drivers\SCDEmu.sys
R2 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R2 ppsio2;PPDevice;C:\WINDOWS\System32\drivers\ppsio2.sys
R2 Sentinel;Sentinal;C:\WINDOWS\System32\Drivers\SENTINEL.SYS
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
R3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
R3 E1000;Intel(R) PRO/1000 Adapter Driver;C:\WINDOWS\System32\DRIVERS\e1000325.sys
S1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\System32\DRIVERS\ATITool.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 DirectNT;DirectNT;\??\F:\pat\DIRECTNT.SYS
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 L6POD;L6 PODxt Service;C:\WINDOWS\System32\Drivers\L6POD.sys
S3 MidiSyn;MidiSyn;C:\WINDOWS\System32\drivers\MidiSyn.sys
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\System32\drivers\msmpu401.sys
S3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\System32\Drivers\Pcouffin.sys
S3 RadProbe;Radeon Probe Driver;C:\WINDOWS\System32\DRIVERS\RadProbe.sys
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS
S3 vaxscsi;vaxscsi;C:\WINDOWS\System32\Drivers\vaxscsi.sys
S4 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 10:25:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\x90\ek\v]
"DisplayName"="\xffff\xffff\xf70f\x77f5\xf7f\x77f6"
"DeviceDesc"="\xffff\xffff\xf70f\x77f5\xf7f\x77f6"
"ProviderName"=""
"MFG"="urrentControlSet\Services\ati2mtag\Device0"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\x1b90\xb6b\DriverFiles\\x3b74\23\x3ae5\x77f8\t.INF"
"DeviceInstanceIds"=str(7):"`"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\xb0\37k\v]
"DisplayName"="\x4518\23\x1d8\25\x45fc\23\x4809\x77e9\x3278\x77e8\xffff\xffff\x5f10\x77e7\x5faa\x77e7\2"
"DeviceDesc"="\x4518\23\x1d8\25\x45fc\23\x4809\x77e9\x3278\x77e8\xffff\xffff\x5f10\x77e7\x5faa\x77e7\2"
"ProviderName"=""
"MFG"="urrentControlSet\Services\ati2mtag\Device0"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\x1fb0\xb6b\DriverFiles\\x3b74\23\x3ae5\x77f8\31.INF"
"DeviceInstanceIds"=str(7):"`"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG06.00.00.01WORKSTATION"="..."
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E7C843A-EFE3-EB26-568C-9DE49ADE4BC2}]
"oakciifnfgmneofopbcknhcmeedced"=hex:64,61,6b,6d,69,67,61,6e,00,00
"oaobjogcmekdeekjhmjmkdiggkmoce"=hex:6a,61,70,6d,61,68,66,6f,69,70,68,69,63,6a,65,6f,64,6e,64,70,00,..
"namadpjgpleilgbkncoblafkhcjm"=hex:6a,61,70,6d,61,68,66,6f,69,70,68,69,63,6a,65,6f,64,6e,64,70,00,..
"eagbiilaoh"=hex:61,62,6e,62,65,6f,6e,69,67,66,6d,6c,62,68,61,62,6d,64,65,6e,61,..
"cajcok"=hex:64,62,6e,63,6e,66,63,66,6c,62,68,68,69,6b,68,62,68,68,6a,62,66,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 10:26:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-02 10:26
C:\ComboFix2.txt ... 2007-08-01 17:52
C:\ComboFix3.txt ... 2007-08-01 16:46

--- E O F ---


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 8/2/2007 10:29:42 AM for strings:
; 'windev-66eb-3421'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


spybot log after this:
--- Report generated: 2007-08-02 10:45 ---

Excite: Tracking cookie (Internet Explorer: Michael) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Michael) (Cookie, fixed)


Excite: Tracking cookie (Internet Explorer: Michael) (Cookie, nothing done)


Common Dialogs: History (44 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Adobe Acrobat Reader 5: Last selected preference panel (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Adobe\Acrobat Reader\5.0\PrefsDialog\aLastPrefsPanel

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Compilation directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation!=

Ahead Nero Burning Rom: Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir!=

Ahead Nero Burning Rom: Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir!=

Animation Shop 3: Recent browse folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\Browser\BrowseDir!=

Animation Shop 3: Recent image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\FileOpenDialog\OpenImageDir!=

Animation Shop 3: Recent save as folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Animation Shop 3\SaveAsDialog\SaveAsDir!=

BlindWrite Suite (BlindRead): Last used image folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\VSO\BlindRead\forms\Image Path!=

BlindWrite Suite (BlindWrite): Last loaded CD image (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\VSO\BlindWrite\PG3_TocFiles!=

Internet Explorer: Typed URL list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\Download Directory!=

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: AutoComplete data (18 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Internet Explorer\IntelliForms\SPW

Isobuster: Last save folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Smart Projects\IsoBuster\LastSavedPath

MS Management Console: Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Media Player: Recent file list (8 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Player\RecentFileList

MS Media Player: Recent open directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir!=

MS Media Player: Application data file (global) () (File, nothing done)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\AutoComplete\MediaSearch

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Last selected track index (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylistIndex

MS Media Player: Last selected node (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\MediaLibraryUI\MLLastSelectedNode!=

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Direct3D\MostRecentApplication\Name!=

MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS DirectInput: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

MS DirectInput: Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

MS DirectInput: Last mapped application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\ID!=

MS DirectInput: Last mapped application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\Name!=

MS Office 10.0 (Word): Recently used documents list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\10.0\Word\Data\Settings

MS Office 10.0 (Word): Templates history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\10.0\Word\Recent Templates

MS Office 11.0 (Office Startup Assistant): Last search location (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Office\11.0\Osa\FindFile\Place

MS Frontpage: Default image add folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\FrontPage\Editor\Default Add Image Directory!=

MS Frontpage: Last opened web (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Settings\LastWebOpen!=

MS Regedit: Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=

MS Search Assistant: Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Search Assistant\ACMru

MS Windows Backup 5.0: Last created backup set (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Ntbackup\Hardware\Logical Disk File!=

Paint Shop Pro 7: Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\Recent File List

Paint Shop Pro 7: Browse directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\Browser\BrowseDir!=

Paint Shop Pro 7: Image directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\JASC\Paint Shop Pro 7\General\ImageDirectory!=

Paint Shop Pro 7: Recent GIF directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportGIF\Directory!=

Paint Shop Pro 7: Recent JPG directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportJPG\Directory!=

Paint Shop Pro 7: Recent PNG directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Jasc\Paint Shop Pro 7\ExportPNG\Directory!=

Windows: Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=

Windows.OpenWith: Open with list - .001 extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001\OpenWithList

Windows.OpenWith: Open with list - .ACE extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ACE\OpenWithList

Windows.OpenWith: Open with list - .ASF extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithList

Windows.OpenWith: Open with list - .ASX extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList

Windows.OpenWith: Open with list - .AU extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList

Windows.OpenWith: Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: Open with list - .BAK extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAK\OpenWithList

Windows.OpenWith: Open with list - .BIN extension (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: Open with list - .BMP extension (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .BUP extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList

Windows.OpenWith: Open with list - .CAB extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList

Windows.OpenWith: Open with list - .CDA extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList

Windows.OpenWith: Open with list - .CHK extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHK\OpenWithList

Windows.OpenWith: Open with list - .CHM extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHM\OpenWithList

Windows Explorer: Recent wallpaper list (501 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: Run history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: Stream history (201 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: User Assistant history IE (26 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: User Assistant history files (347 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: Last visited history (13 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

WinRAR: Recent file list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\ArcHistory

WinRAR: Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\General\LastFolder!=

WinRAR: Extraction directory history (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\WinRAR\DialogEditHistory\ExtrPath

WinZip: Recent extracted file list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\extract

WinZip: Recent created file list (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\filemenu

WinZip: Number of times run (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\rrs\Opened!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\DefDir!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\zDefDir!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\AddDir!=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\ExtractTo!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\gzAddDir!=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-362288127-839522115-1003\Software\Nico Mak Computing\WinZip\directories\gzExtractTo!=

Cookie: Cookie (221) (Cookie, nothing done)


Cache: Cache (3296) (Cache, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-01 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-01 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-08-01 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-01 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-01 Includes\MalwareC.sbi (*)
2007-07-11 Includes\PUPS.sbi (*)
2007-08-01 Includes\PUPSC.sbi (*)
2003-11-12 Includes\QA Tests.sbi (*)
2007-08-01 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-01 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-08-01 Includes\Trojans.sbi (*)
2007-08-01 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll



Looks like success .. so far .. I will post back in this thread if it reappears


Thanks for all your patient help

Mike
lagger
Regular Member
 
Posts: 43
Joined: April 23rd, 2007, 4:05 pm

Unread postby Scotty » August 2nd, 2007, 11:17 am

Hi lagger

Could you hold on a little longer? We like to be sure you are clean before you go.

Please delete the Combofix.exe and F-Secure Blacklight from your Desktop.

Navigate to and delete the following files and/or folders (if they are present):

Folders:
C:\Qoobox
C:\Regsearch

I would advise updating Adobe Reader, as the latest version clears up any vulnerabilities of previous versions.
First uninstall the version you have on your computer then download and install Adobe Reader 8.1.

Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  1. Close any programmes you may have running, ESPECIALLY your web browser
  2. Click Start > Control Panel.
  3. Click Add/Remove Programs.
  4. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  5. Click the Remove or Change/Remove button.
  6. Repeat as many times as necessary to remove all versions of Java.
  7. Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (4th one down the list), which is JRE6u2, and click Yes at the page warning, then accept the Licence Agreement before downloading the Offline file.

    Please go HERE to run PandaActiveScan...

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to your desktop.


Post back with the pandascan report and a new HijackThis log, please.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
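As an added check for the Java clean-up steps above (example code written for this page, not from the thread or from any tool it names): a PowerShell script that lists the JRE versions the registry says are installed and flags any older than the JRE 6 Update 2 the post recommends. It assumes the usual JavaSoft registry layout (one subkey per installed version carrying a JavaHome value) and the Add/Remove Programs Uninstall keys; the minimum version is a parameter, so a newer baseline can be passed in.

```powershell
# Added example, not from the thread: inventory installed Java runtimes and flag
# any older than the release the post recommends (JRE 6 Update 2, i.e. 1.6.0_02).
# Assumption: the usual JavaSoft layout, one subkey per installed version holding a
# JavaHome value; the Wow6432Node path covers 32-bit Java on 64-bit Windows.

function ConvertTo-JavaVersion {
    # Turn a Sun-style string such as "1.6.0_02" into a comparable [version] (1.6.0.2).
    param([string]$Text)
    $m = [regex]::Match($Text, '(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')
    if (-not $m.Success) { return $null }
    $patch  = if ($m.Groups[3].Success) { $m.Groups[3].Value } else { '0' }
    $update = if ($m.Groups[4].Success) { $m.Groups[4].Value } else { '0' }
    return [version]("{0}.{1}.{2}.{3}" -f $m.Groups[1].Value, $m.Groups[2].Value, $patch, $update)
}

function Get-InstalledJava {
    # Every full version key (1.5.0_11, 1.6.0_02 ...) under the JavaSoft root is one install;
    # the family keys (1.5, 1.6) are skipped because they only point at the newest of each line.
    $roots = @('HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
               'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            if ($key.PSChildName -notmatch '^\d+\.\d+\.\d+') { continue }
            $javaHome = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).JavaHome
            [pscustomobject]@{ Version = $key.PSChildName; JavaHome = $javaHome }
        }
    }
}

function Get-JavaUninstallEntries {
    # The names as they appear in Add/Remove Programs, which is where the manual steps above look.
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Test-OutdatedJava {
    param([string]$Minimum = '1.6.0_02')   # the JRE6u2 the post names; pass a newer one as needed
    $min = ConvertTo-JavaVersion $Minimum
    foreach ($j in Get-InstalledJava) {
        $v = ConvertTo-JavaVersion $j.Version
        $status = if ($null -eq $v) { 'unknown' } elseif ($v -lt $min) { 'OUTDATED' } else { 'ok' }
        [pscustomobject]@{ Version = $j.Version; Status = $status; JavaHome = $j.JavaHome }
    }
}

"Installed runtimes (registry):"
Test-OutdatedJava | Format-Table -AutoSize
"Matching Add/Remove Programs entries:"
Get-JavaUninstallEntries | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. It only reports: every install marked OUTDATED still has to be removed through Add/Remove Programs as the steps above describe, and the second table gives the exact names to look for there. A runtime that is present on disk but not registered under the JavaSoft key will not show up, so an empty first table is not proof that no old Java remains.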