[Fixed] Hijackthis! Logs - VBS.autorun problem need help (posted in the Security & Safety forums)
#1
|
Bronze Member
Join Date: Oct 2008
Posts: 16
PC Experience: Communication guy in Army, in Afghanistan
Ok, I recently updated my Norton. I also installed Glary Utilities. First I ran a full system scan; it found 3 things. VBS.autorun whatever. They were quarantined. Still are. I also used the 1 click maintenance repair in Glary; it found 556 problems with my registry. I clicked repair. I unchecked any that said system32, because I'm not that smart on computers. I've heard horror stories about so called registry repair tools. Moving right along. I go to do something in my C drive, I open up My Computer, double click on Local Disk. It gives me "can not find script file C:\MSd1947.vbs". The same thing happens when I try to open my two external drives. But the script files it cannot find on my externals are hidden like always in the root of my two externals. For some reason I can't double click to open them. I have to right click, then Open. Also, ever since then, whenever I log onto Windows my hidden files are showing. Like clockwork, I log off, when I log on they're showing. I have to go hide them. I want this mess fixed. The 3 problems that Norton found are still in quarantine. Is Norton to blame for this? Or did the virus just corrupt my whole script and Norton had no choice but to quarantine them? I thought maybe restoring them from Norton, but I don't know. I decided to come here and ask for help. Can I fix the drive opening problem by rewriting something? My laptop had Vista, I put XP Pro on it. I have more than one XP Pro disc. But no actual recovery disc that would have come with the laptop. It's a Toshiba Satellite. I'll have more specifics about it later. Am I screwed or what?
#2
|
Tech Support Team
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
sousabone,

Let's make sure all the malware is gone. There are a few steps we must complete before we can begin running some programs to get these nasty viruses off your PC. Please do the following to begin with your disinfection:

Read this before moving on: http://www.pchelpforum.com/new-hijac...tructions.html

After that, please follow these instructions in order, and thoroughly, in order for our Security Team to assist you more quickly.

Please note: It is common for a computer to appear free from malware even when the malware has not been completely removed. Even if your computer appears to be clean after following the PreWork, to avoid further problems, or even reinfection, please post the requested logs in order to have a Security Staff member verify that all traces are removed. Thank you for your cooperation.

First: read the following article, and follow suggestions/instructions if required: Warnings Regarding P2P Sharing Sites

Next, please do the following:
1. Set System and Hidden files and folders to show. For Vista:
2. Disable System Restore to prevent re-infection (if you have/use it). Vista:

Please do not follow any instructions from any user or staff member other than those listed in the Please Read Before Following Advice thread. Also note, as stated above, that we do not support the use of illegal software. If you have any type of illegal or cracked software installed, please uninstall them as soon as possible. In the case of your operating system, please obtain a valid licensed copy. Read more here. We have an excellent Security Team, and will take the time and effort to assist you according to your technical abilities. Please feel free to ask for any clarification, guidance or information that you may need. That's what we're here for.

After all that is done, please follow up with the following. Run both these programs.

Please download Malwarebytes' Anti-Malware from one of these places:
|MG| Malwarebytes Anti-Malware 1.31
http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, navigate to the Update tab and click Check For Updates. It will then download the latest updates for you.
* Now navigate back to the Scan tab.
* Select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Please Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next, let's download ComboFix.exe. This will give me a better view of the files running, those that are hidden, and also those in the registry. Please download from one of these webpages:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop.
* Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
* Double-click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Recovery Console can be installed from your disc if you have Vista, if you wish.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot). Click on Yes to continue scanning for malware. When finished, it shall produce a log for you.

Please include the HJT log prior to everything, MBAM log, C:\ComboFix.txt, and HJT log after running everything in your next reply.
__________________
Crush aka Chris [Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate] I am in fact, quite cool. My graphing calculator confirms this
#3
|
Bronze Member
Join Date: Oct 2008
Posts: 16
PC Experience: Communication guy in Army, in Afghanistan
Ok, thanks Crush. I am in Afghanistan right now, so it might be 48 hours or so until I can complete all the things you ask. But I will. Thank you very much again. I will get back.
#4
|
Tech Support Team
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Alright. Looking forward to your next post, and I think I speak for everyone when I say thank you, and stay safe.
#5
|
Bronze Member
Join Date: Oct 2008
Posts: 16
PC Experience: Communication guy in Army, in Afghanistan
Ok, I've managed to get a copy of XP SP2 to install Recovery. Is there anything I need to do (like creating a restore point with System Restore?) with Recovery before I use the software I downloaded? I've read up on it, but haven't made a lot out of it. I would like to know how to use it. So, if there's nothing I need to do I'll go ahead. I know there's no instructions listed, I just wanted to ask. Thanks a lot; also we come home in about a month, back to Fort Campbell, KY. Thanks for the kind words though. Thanks a lot everyone.
#6
|
Tech Support Team
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Nope. You should be fine with just running the programs. Time is short for me, however; I will be inactive on malware related threads after 31 January, so another tech will most likely assess your logs.
#7
|
Bronze Member
Join Date: Oct 2008
Posts: 16
PC Experience: Communication guy in Army, in Afghanistan
OK, took me long enough but here are my logs. After running it all the problem has gone away. At first I had a quarantined folder in the root of my hard drives, but they are no longer there now, and I have no problems. But here are my logs, and if whoever is helping me with this wouldn't mind, maybe explain anything they think would help me better understand what all the stuff means. Thanks again.
HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:44:25 PM, on 01-Feb-2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\agrsmsvc.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe C:\TOSHIBA\IVP\ISM\pinger.exe C:\WINDOWS\system32\IoctlSvc.exe C:\WINDOWS\system32\svchost.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\WINDOWS\explorer.exe C:\Program Files\SarbyxTrayClock\trayclock.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Home Page Reset - Symantec Corp. R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! 
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\system32\CrazyTalk.dll,DllServeMediaFil e O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SarbyxTrayClock] C:\Program Files\SarbyxTrayClock\trayclock.exe O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: AutorunsDisabled O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: 
&D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201 O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204 O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203 O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O14 - IERESET.INF: 
START_PAGE_URL=https://www.us.army.mil/suite/login/welcome.html O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.7.109.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1230227863009 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1230227629993 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll O23 - Service: Norton2009 Reset (.norton2009Reset) - Unknown owner - C:\Program Files\Norton2009Reset.exe O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe O23 - Service: stllssvr - MicroVision Development, Inc. 
- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- End of file - 8268 bytes MalBytes Malwarebytes' Anti-Malware 1.33 Database version: 1688 Windows 5.1.2600 Service Pack 3 2009-01-31 07:40:10 mbam-log-2009-01-31 (07-40-10).txt Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|) Objects scanned: 169986 Time elapsed: 2 hour(s), 56 minute(s), 28 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 9 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. 
Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. E:\Bone\Software\DVD ripping ****\cracked dvdfab torrents\DVDFab Platinum 5.0.9.0 + Crack\universal.dvdfab.platinum.5-patch.2.2.exe (Rogue.Patch) -> Not selected for removal. E:\Bone\Software\DVD ripping ****\cracked dvdfab torrents\DVDFab Platinum 5.1.1.0 + Serial + patch.2.2....using now....seems good\universal.dvdfab.platinum.5-patch.2.2.exe (Rogue.Patch) -> Not selected for removal. Combofix ComboFix 09-01-21.02 - Administrator 2009-02-01 23:48:08.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.525 [GMT -6:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe AV: Norton Internet Security *On-access scanning disabled* (Outdated) FW: Norton Internet Security *enabled* WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . - REDUCED FUNCTIONALITY MODE - . ((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 ))))))))))))))))))))))))))))))) . 2009-02-01 21:27 . 2009-02-01 21:42 <DIR> d-------- c:\program files\Media Keyboard 2 Media Player 2009-01-30 23:20 . 2009-01-30 23:20 <DIR> d-------- C:\$WIN_NT$.~BT 2009-01-26 21:16 . 2009-01-26 21:38 <DIR> d-------- C:\standalonestack 2009-01-24 19:53 . 2009-01-24 19:53 <DIR> d-------- c:\program files\Trend Micro 2009-01-23 19:48 . 2009-01-23 19:48 <DIR> d-------- c:\program files\Belarc 2009-01-23 19:48 . 2008-02-27 12:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys 2009-01-22 21:08 . 2009-01-22 21:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-22 21:08 . 
2009-01-22 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-22 21:08 . 2009-01-22 21:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-01-22 21:08 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-22 21:08 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-20 21:56 . 2009-01-20 21:56 107 --a------ c:\windows\system32\bup202.dll 2009-01-20 21:55 . 2009-01-20 21:55 <DIR> d-------- c:\program files\InfraDrive 2009-01-20 21:55 . 2006-03-30 16:15 1,007,616 --a------ c:\windows\system32\CrazyTalk.dll 2009-01-20 21:55 . 2006-03-30 16:15 260,096 --a------ c:\windows\system32\Richtx32.ocx 2009-01-20 21:55 . 2009-01-20 22:07 107 --a------ c:\windows\system32\stech202.dll 2009-01-20 21:50 . 2009-01-20 21:50 <DIR> d-------- c:\program files\Musicnotes 2009-01-20 21:50 . 2007-04-23 14:12 343,216 --a------ c:\windows\system32\KeyHelp.ocx 2009-01-20 20:17 . 2009-01-20 21:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GlarySoft 2009-01-20 20:10 . 2009-01-20 20:10 <DIR> d-------- c:\program files\Glary Utilities 2009-01-20 19:43 . 2009-01-20 19:43 <DIR> d-------- c:\program files\Celestia 2009-01-19 19:12 . 2009-01-19 19:16 <DIR> d-------- c:\program files\AoA Audio Extractor 2009-01-16 19:49 . 2009-01-16 19:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\NeroDigital™ 2009-01-16 17:23 . 2009-01-16 17:23 <DIR> d-------- c:\program files\Essentials Codec Pack 2009-01-12 19:45 . 2009-01-12 19:56 <DIR> d-------- c:\program files\SEGA 2009-01-12 19:44 . 2009-01-12 19:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield 2009-01-10 20:35 . 2009-01-10 20:35 17 --a------ c:\windows\WINTOYS.INI . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 
2009-02-02 04:39 --------- d-----w c:\documents and settings\Administrator\Application Data\Any Video Converter 2009-01-31 13:50 --------- d-----w c:\documents and settings\Administrator\Application Data\stickies 2009-01-25 20:18 --------- d-----w c:\program files\CCleaner 2009-01-25 20:17 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent 2009-01-21 03:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-20 00:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Vso 2009-01-19 17:07 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2009-01-13 01:45 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-11 01:49 --------- d-----w c:\documents and settings\Administrator\Application Data\vlc 2009-01-10 00:50 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss 2008-12-30 19:13 --------- d-----w c:\program files\Winamp 2008-12-28 00:37 --------- d-----w c:\program files\Common Files\Nero 2008-12-28 00:34 --------- d-----w c:\program files\Nero 2008-12-28 00:34 --------- d-----w c:\documents and settings\All Users\Application Data\Nero 2008-12-26 13:38 --------- d-----w c:\documents and settings\Administrator\Application Data\Windows Search 2008-12-25 20:19 --------- d-----w c:\program files\Synaptics 2008-12-25 20:19 --------- d-----w c:\documents and settings\Administrator\Application Data\Windows Desktop Search 2008-12-25 20:18 --------- d-----w c:\program files\Windows Desktop Search 2008-12-25 20:17 --------- d-----w c:\program files\Windows Media Connect 2 2008-12-24 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\Geek Squad 2008-12-23 22:40 --------- d-----w c:\program files\ESET 2008-12-22 23:50 --------- d-----w c:\program files\SlySoft 2008-12-22 03:35 --------- d-----w c:\documents and settings\All Users\Application Data\SlySoft 2008-12-22 02:46 
--------- d-----w c:\documents and settings\Administrator\Application Data\tunebite 2008-12-22 01:30 --------- d-----w c:\program files\iPhotoSoft 2008-12-22 01:15 --------- d--h--w c:\program files\Aztec shot 2008-12-19 02:17 --------- d-----w c:\documents and settings\Administrator\Application Data\DVDFab 2008-12-18 22:31 --------- d-----w c:\program files\Real War 2008-12-18 02:30 --------- d-----w c:\program files\Microsoft Virtual PC 2008-12-18 01:32 --------- d-----w c:\documents and settings\Administrator\Application Data\U3 2008-12-15 00:51 98,304 ----a-w c:\windows\system32\CmdLineExt.dll 2008-12-14 23:02 --------- d-----w c:\program files\Firaxis Games 2008-12-12 19:24 --------- d-----w c:\documents and settings\Administrator\Application Data\VSRevoGroup 2008-12-12 18:42 --------- d-----w c:\program files\DVDFab 5 2008-12-12 18:38 87,608 ----a-w c:\documents and settings\Administrator\Application Data\inst.exe 2008-12-12 18:38 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys 2008-12-12 18:38 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys 2008-12-12 17:46 --------- d-----w c:\windows\system32\config\systemprofile\Applicati on Data\Nuance 2008-12-12 03:28 36,272 ----a-r c:\windows\system32\drivers\SymIM.sys 2008-12-12 00:18 --------- d-----w c:\program files\Call of Duty 2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys 2008-12-07 03:54 --------- d-----w c:\program files\WMV9_VCM 2008-12-05 00:31 --------- d-----w c:\documents and settings\Administrator\Application Data\Winamp 2008-12-02 03:26 --------- d-----w c:\program files\Microangelo Toolset 6 2008-12-02 03:16 --------- d-----w c:\documents and settings\Administrator\Application Data\Roxio 2008-12-02 03:11 --------- d-----w c:\program files\Common Files\InstallShield 2008-12-02 03:11 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic 2008-12-02 03:11 --------- d-----w c:\documents and settings\All 
Users\Application Data\InstallShield 2008-12-02 03:10 --------- d-----w c:\program files\Roxio 2008-12-02 03:10 --------- d-----w c:\program files\Common Files\SureThing Shared 2008-12-02 03:10 --------- d-----w c:\program files\Common Files\Sonic Shared 2008-12-02 03:10 --------- d-----w c:\program files\Common Files\Roxio Shared 2008-12-02 00:02 --------- d-----w c:\program files\Common Files\Symantec Shared 2008-12-01 23:55 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL 2008-11-29 23:48 10,271,105 ----a-w c:\windows\SublimeScreensaver.SCR 2008-09-17 13:16 549,159 --sha-r c:\program files\Norton2009Reset.exe 2008-08-21 16:14 22,328 ------w c:\documents and settings\Administrator\Application Data\PnkBstrK.sys 2005-05-26 20:35 1,422 ----a-w c:\program files\ReadMe.txt . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "SarbyxTrayClock"="c:\program files\SarbyxTrayClock\trayclock.exe" [2006-10-19 60928] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104] "CrazyTalk Serve"="c:\windows\system32\CrazyTalk.dll" [2006-03-30 1007616] c:\documents and settings\Administrator\Start Menu\Programs\Startup\ Stickies.lnk - c:\program files\Stickies\stickies.exe [2008-08-28 765952] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-02 113664] c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled Button Manager v1.874.lnk - c:\program files\INITIO\Button Manager v1.874\inihid.exe [2008-11-15 200704] [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr 
entversion\policies\system] "EnableLUA"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.ac3filter"= ac3filter.acm [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk] backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] backup=c:\windows\pss\Windows Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-06-11 16:08 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor] --a------ 2007-08-23 20:30 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-05-27 00:20 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc] --a------ 2006-08-17 09:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! 
Pager] --a------ 2007-08-30 07:13 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Internet Explorer\\iexplore.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\WINDOWS\\system32\\rundll32.exe"= "c:\\Program Files\\K-Lite Codec Pack\\filters\\ac3config.exe"= "c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Launcher\\TFDLauncher.exe"= "c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade(tm)\\Renegade\\Renegade.exe"= "c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade(tm)\\Renegade\\game2.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"= "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"= "c:\\Program Files\\BitComet\\BitComet.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List] "443:TCP"= 443:TCP:Yahoo voice "80:TCP"= 80:TCP:Yahoo Voice 2 "5050:TCP"= 5050:TCP:Yahoo Voice 3 "8701:TCP"= 8701:TCP:SoftPerfect "15529:TCP"= 15529:TCP:BitComet 15529 TCP "15529:UDP"= 15529:UDP:BitComet 15529 UDP R0 SymEFA;Symantec Extended File 
Attributes;\SystemRoot\\SystemRoot\System32\Driver s\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\10020 00.007\SYMEFA.SYS [?] R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007 \BHDrvx86.sys [2008-12-25 255536] R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.0 07\cchpx86.sys [2008-12-25 362544] R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090115. 001\IDSxpx86.sys [2009-01-19 274808] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-01 99376] R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2005-07-27 77056] R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-25 115560] R4 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2005-07-27 14080] R4 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2005-07-27 36352] S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk4 1.sys [2008-09-24 36928] S4 .norton2009Reset;Norton2009 Reset;c:\program files\Norton2009Reset.exe [2008-09-17 549159] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\E] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MSd45B.vbs [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{46db2146-6c62-11dd-aaa0-001e33308738}] \Shell\Auto\command - Start.exe \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{4b9c3fad-e363-11dd-ab40-001b9ead2cc4}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe 
MSdE24.vbs [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5bf3ab9c-41f7-11dd-95ef-001e33308738}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{6e52951b-d7a2-11dd-ab3a-001b9ead2cc4}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MSdAEC.vbs [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{7489f5bb-c4c6-11dd-ab1c-001e33308738}] \Shell\Auto\command - Start.exe \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{78082d07-9eda-11dd-aacc-001e33308738}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MSd93B.vbs [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{867a38ba-4f20-11dd-95f7-001b9ead2cc4}] \Shell\Auto\command - Start.exe \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{9bab4e4b-8b01-11dd-aab4-001e33308738}] \Shell\AutoRun\command - e:\.\MigWiz\migsetup.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{ade7d54a-3ed3-11dd-95e9-001e33308738}] \Shell\Auto\command - Start.exe \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{ade7d54b-3ed3-11dd-95e9-001e33308738}] \Shell\Auto\command - boot.exe \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre 
ntversion\explorer\mountpoints2\{bf135e33-dc55-11dd-ab3b-001b9ead2cc4}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MSd67B.vbs [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{bf24fdbf-69bb-11dd-aa9c-001e33308738}] \Shell\Auto\command - Start.exe \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{cb97a211-617e-11dd-aa95-001e33308738}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{cb97a212-617e-11dd-aa95-001e33308738}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{f2e30908-a4aa-11dd-aadf-001b9ead2cc4}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe . Contents of the 'Scheduled Tasks' folder 2009-01-31 c:\windows\Tasks\Disk Cleanup.job - c:\windows\system32\cleanmgr.exe [2008-04-13 19:12] 2009-01-31 c:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2009-01-10 17:02] 2008-08-01 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_ exe.job - c:\program files\Microsoft IntelliPoint\ipoint.exe [] 2009-01-31 c:\windows\Tasks\Norton Internet Security - Administrator - Full System Scan.job - c:\program files\Norton Internet Security\Engine\16.2.0.7\Navw32.exe [2008-12-11 21:28] . . ------- Supplementary Scan ------- . uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://www.yahoo.com mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*Yahoo! 
SearchBar Home Page uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*Yahoo! IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201 IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204 IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203 IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cin93em3.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cin93em3.default\ext ensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn. dll FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl. dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll . . ------- File Associations ------- . inifile=%SystemRoot%\System32\NOTEPAD.EXE %1" . 
************************************************** ************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-01 23:48:30 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run CrazyTalk Serve = rundll32.exe c:\windows\system32\CrazyTalk.dll,DllServeMediaFil e?1?????????????|???|????????????h?U ???????????|?????????????????E?|@??|???|YF?|?U?|yE ?|????????????0???'???|????~?|??? ?????????????? ????????????????????????0???T???????????e??|?????? ??H????}?| scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N orton Internet Security] "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\Administrator\Software\SecuROM\!CAUTION ! 
NEVER A OR CHANGE ANY KEY*] "??"=hex:50,de,33,f2,a7,32,a4,ca,4a,63,d1,24,d5,60 ,48,ea,90,92,0f,da,cf,5c,71, 2f,da,97,5e,2e,af,84,a0,b9,db,ec,2c,1d,05,11,ea,61 ,f2,23,0d,3c,2b,c2,77,46,\ "??"=hex:b9,c4,61,be,b8,86,19,df,c0,70,95,f9,02,3f ,af,56 [HKEY_USERS\Administrator\Software\SecuROM\License information*] "datasecu"=hex:6b,a8,2d,93,66,f1,5b,84,31,97,da,3e ,5a,08,8e,4f,66,73,4e,84,5f, 9e,ab,fd,29,25,c5,8d,c7,24,b0,7a,5a,3c,fd,ef,7a,7c ,1d,b6,ae,63,78,7d,49,3a,\ "rkeysecu"=hex:dd,bc,ad,1e,30,35,24,4f,1a,47,c7,1e ,c5,3b,48,c4 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED6077 9-4DE2-4E07-B862-974CA4FF2E9C}] @Denied: (Full) (Everyone) "scansk"=hex(0):08,be,a8,6f,59,c9,9f,2e,2f,d4,89,6 6,e6,a8,e8,f1,f0,a4,a3,6a,ff, a0,e9,8a,8c,59,64,e8,b1,82,7d,d8,48,28,86,ae,cb,37 ,05,aa,00,00,00,00,00,00,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{abe25ec b-ac4d-431a-87a6-8f6e352a0c34}] @Denied: (Full) (Everyone) "Model"=dword:00000131 "Therad"=dword:00000024 "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5 ,9f,6a,96,3e,ab,de,c5,81,26, 38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe ,41,71,cb,3f,46,a4,7c,ab,\ . Completion time: 2009-02-01 23:50:42 ComboFix-quarantined-files.txt 2009-02-02 05:50:40 ComboFix2.txt 2009-01-31 13:53:52 Pre-Run: 57,494,433,792 bytes free Post-Run: 57,481,347,072 bytes free 301 --- E O F --- 2009-01-19 17:07:50 There they are, thanks again everyone |