1. No RED entries in IceSword lists.
2. The data column for reganal32 contains C:\WINDOWS\system32\reganal32.exe, but it couldn't be found in the files list.
3. Please find below the requested reports:
ComboFix 07-09-18.4 - "Oved" 2007-09-26 12:01:15.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.117 [GMT 2:00]
* Created a new restore point
FILE::
C:\WINDOWS\system32\dbghd3dx.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\dbghd3dx.exe
.
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.
2007-09-24 21:00 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-19 20:56 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-18 18:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 02:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-08-31 15:05 16 --a------ C:\WINDOWS\gfr.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-23 19:30 741376 --a------ C:\WINDOWS\system32\libeay32.dll
2007-08-23 19:30 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-08-05 01:02 --------- d-------- C:\DOCUME~1\OVED\APPLIC~1\SPAMfighter
2007-07-04 14:22 1184400 --a------ C:\WINDOWS\system32\FreeImage.dll
2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((( snapshot_2007-09-18_185929.86 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-23 06:52:20 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 6,025,216 2007-09-24 19:00:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 81,920 2007-09-24 19:00:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-23 06:52:20 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 6,025,216 2007-09-24 19:01:02 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 81,920 2007-09-24 19:01:02 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"LGODDFU"="D:\Programs\lg_fwupdate\fwupdate.exe" [2006-02-20 11:40]
"reganal32"="C:\WINDOWS\system32\reganal32.exe" []
"!AVG Anti-Spyware"="D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 21:40]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - D:\Programs\Microsoft Office 2000\Office\OSA9.EXE [1999-02-17 22:05:56]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Oved^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Oved\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"D:\Programs\ICQLite\ICQLite.exe" -minimize
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
D:\Programs\OLYMPUS\OLYMPUS Master\FirstStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Programs\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"D:\Programs\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys
R2 ONSIO;ONSIO;\??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
R3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
R3 METROP;Hewlett Packard ScanJet 5300C;C:\WINDOWS\system32\DRIVERS\hp53pw2k.sys
R3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 12:05:16
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-26 12:08:04
C:\ComboFix2.txt ... 2007-09-24 21:37
C:\ComboFix-quarantined-files.txt ... 2007-09-26 12:08
C:\ComboFix3.txt ... 2007-09-24 02:17
.
--- E O F ---
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 2:44:52 PM 9/26/2007
+ Scan result:
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122588.EXE -> Adware.BargainBuddy : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122589.EXE -> Adware.BargainBuddy : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122586.exe/cd_clint.dll -> Adware.Cydoor : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122586.exe/cd_load.exe -> Adware.Cydoor : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122586.exe/cd_swf.dll -> Adware.Cydoor : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122590.DLL -> Adware.Exact : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122591.DLL -> Adware.NewDotNet : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122585.exe/Sponsor.exe -> Downloader.Swizzor.bt : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122587.EXE -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Documents and Settings\Oved\Cookies\oved@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.289:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@castup[1].txt -> TrackingCookie.Castup : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@switch5.castup[1].txt -> TrackingCookie.Castup : Cleaned.
:mozilla.394:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.491:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.392:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Info : Cleaned.
:mozilla.410:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Info : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.210:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.224:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.237:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.239:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.87:C:\Documents and Settings\Oved\Application Data\Mozilla\Firefox\Profiles\4nlo95o6.default\cookies.txt -> TrackingCookie.Skype : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@a.total-media[1].txt -> TrackingCookie.Total-media : Cleaned.
C:\Documents and Settings\Oved\Cookies\oved@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122579.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122580.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122581.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122582.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122573.exe -> Worm.Warezov : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP726\A0125261.exe -> Worm.Warezov : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\dbghd3dx.exe.vir -> Worm.Warezov : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122574.exe -> Worm.Warezov.mg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122575.dll -> Worm.Warezov.mg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122576.dll -> Worm.Warezov.mg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122594.dll -> Worm.Warezov.mo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122577.dll -> Worm.Warezov.nm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122578.exe -> Worm.Warezov.nm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122584.exe -> Worm.Warezov.ou : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122595.DLL -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122596.DLL -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122597.dll -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122598.EXE -> Worm.Warezov.pi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{81EA1667-4F2F-4068-8DD3-B891AB90278C}\RP720\A0122583.exe -> Worm.Warezov.ps : Cleaned with backup (quarantined).
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 2:47:26 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Programs\lg_fwupdate\fwupdate.exe
D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Programs\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O4 - HKLM\..\Run: [RemoteControl] "D:\Programs\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] D:\Programs\lg_fwupdate\fwupdate.exe
O4 - HKLM\..\Run: [reganal32] C:\WINDOWS\system32\reganal32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programs\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = D:\Programs\Microsoft Office 2000\Office\OSA9.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Programs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Programs\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Programs\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Programs\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://d:\Programs\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programs\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Programs\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe