View Full Version : Virtumonde will not die
Thank you in advance for trying to help me! Spybot detects virtumonde but is unable to remove it. I have tried Malwarebyte and Vundofix to no avail. I am unable to change Kqfpqyei.dll and rtqwryr.dll in any way. When computer boots I get a warning that Autochk.exe file can not be found briefly before logon screen.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:06 AM, on 4/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 6245 bytes
Hello and welcome to Safer Networking
My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
Please observe these rules while we work:
I f you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.
There is no sign of an antivirus installed on your system. There are several reasons for it. Either you have disabled your antivirus or there's no antivirus installed.
If you have disabled it, please re-enable it. If you have no antivirus installed, please get ONE antivirus and install it. Restart the computer for changes to take effect.
avast! 4 Home Edition (http://files.avast.com/iavs4pro/setupeng.exe)
AntiVir Free Edition (http://www.antivir-pe.com/freet/index.php?id=25&domain=free-av.com)
1 - Download and Run ComboFix
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html#)
Double click on ComboFix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
3 - Status Check
Please reply with
1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log
Thanks peku006
Thank you very much for your time and help. Here is the Combofix log and HijackThis log. I have AVG running now.
ComboFix 09-04-25.A3 - Rob 04/26/2009 10:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.163 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\PIXANNOT.DLL
c:\windows\system32\PIXAPS.DLL
c:\windows\system32\PIXDFLTN.DLL
c:\windows\system32\PIXDLGN.DLL
c:\windows\system32\PIXJBGN.DLL
c:\windows\system32\PIXJP2K.DLL
c:\windows\system32\PIXLOCN.DLL
c:\windows\system32\PIXLZWN.DLL
c:\windows\system32\PIXMDLGN.DLL
c:\windows\system32\PIXMDLN.DLL
c:\windows\system32\PIXMPN.DLL
c:\windows\system32\PIXNAMEN.DLL
c:\windows\system32\PIXNOTEN.DLL
c:\windows\system32\PIXPANN.DLL
c:\windows\system32\PIXPERMN.DLL
c:\windows\system32\PIXRAMN.DLL
c:\windows\system32\PIXSLN.DLL
c:\windows\system32\PIXTHK32.DLL
c:\windows\system32\PIXTIFFN.DLL
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.
2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-26 14:48 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-26 14:42 . 2009-04-26 14:46 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 20:29 . 2009-04-24 20:29 -------- d-----w c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
2009-04-24 20:29 . 2009-04-24 20:29 -------- d-----w c:\documents and settings\Rob\Application Data\tcbjmqlj
2009-04-24 03:56 . 2009-04-24 03:56 -------- d-----w C:\727f743fab11e26b7bbd0a
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:24 . 2009-04-23 15:24 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
2009-04-23 15:24 . 2009-04-23 15:24 -------- d-----w c:\documents and settings\NetworkService\Application Data\tcbjmqlj
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 14:04 . 2009-04-23 14:04 140 ----a-w C:\pch.bat
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 14:23 . 2009-04-25 03:49 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:09 . 2006-08-19 08:16 -------- d-----w c:\program files\Java
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}]
2004-08-04 21:00 104448 ----a-w c:\windows\system32\rtqwryr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
2004-08-04 21:00 104448 ----a-w c:\windows\system32\rtqwryr.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
S0 wlubdewd;wlubdewd;c:\windows\system32\drivers\wlubdewd.sys [2004-08-04 23424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - AVG8EMC
*NewlyCreated* - AVG8WD
*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGMFX86
*NewlyCreated* - AVGTDIX
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sibblcbe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-25 c:\windows\Tasks\At1.job
- c:\windows\system32\rtqwryr.dll [2004-08-04 21:00]
.
- - - - ORPHANS REMOVED - - - -
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 10:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???hX??????`?@?????L?@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2009-04-26 10:06
ComboFix-quarantined-files.txt 2009-04-26 15:05
Pre-Run: 34,779,660,288 bytes free
Post-Run: 35,197,505,536 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
252
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:15 AM, on 4/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 7127 bytes
Hi Richue
AVG is a good choice :yes:
1 - Run CFScript
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\pch.bat
c:\windows\system32\rtqwryr.dll
c:\windows\Tasks\At1.job
Folder::
c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
c:\documents and settings\Rob\Application Data\tcbjmqlj
C:\727f743fab11e26b7bbd0a
c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
c:\documents and settings\NetworkService\Application Data\tcbjmqlj
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
NetSvc::
sibblcbe
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
2 - Run Malwarebytes' Anti-Malware
Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.
Click on Perform full scan, then click on Scan.
Leave the default options as it is and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Checked (ticked) all items except items in the System Volume Information folder and click on Remove Selected.
http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/mbam1.png
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
4 - Status Check
Please reply with
1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log
Thanks peku006
Hello Peku006
Here is the combofix log:
ComboFix 09-04-25.A3 - Rob 04/26/2009 14:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.133 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
C:\pch.bat
c:\windows\system32\rtqwryr.dll
c:\windows\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\727f743fab11e26b7bbd0a
c:\727f743fab11e26b7bbd0a\$shtdwn$.req
c:\727f743fab11e26b7bbd0a\mrt.exe
c:\727f743fab11e26b7bbd0a\mrtstub.exe
c:\documents and settings\NetworkService\Application Data\tcbjmqlj
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\profiles.ini
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cert8.db
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\key3.db
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\prefs.js
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\secmod.db
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\XPC.mfl
c:\documents and settings\Rob\Application Data\tcbjmqlj
c:\documents and settings\Rob\Application Data\tcbjmqlj\profiles.ini
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cert8.db
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compatibility.ini
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compreg.dat
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cookies.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\formhistory.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\key3.db
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\localstore.rdf
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\permissions.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\pluginreg.dat
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\prefs.js
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\secmod.db
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\webappsstore.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\xpti.dat
c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\urlclassifier3.sqlite
c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\XPC.mfl
C:\pch.bat
c:\windows\Tasks\At1.job
c:\windows\system32\rtqwryr.dll . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.
2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 03:49 . 2009-04-25 14:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 14:48 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:09 . 2006-08-19 08:16 -------- d-----w c:\program files\Java
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}]
2004-08-04 21:00 104448 ----a-w c:\windows\system32\rtqwryr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
2004-08-04 21:00 104448 ----a-w c:\windows\system32\rtqwryr.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
S0 wlubdewd;wlubdewd;c:\windows\system32\drivers\wlubdewd.sys [2004-08-04 23424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 14:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???hX??????`?@?????L?@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-04-26 14:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 19:40
ComboFix2.txt 2009-04-26 15:06
Pre-Run: 35,188,015,104 bytes free
Post-Run: 35,144,679,424 bytes free
265
:oreo:
and Malwarebyte log:
Malwarebytes' Anti-Malware 1.36
Database version: 2045
Windows 5.1.2600 Service Pack 2
4/26/2009 3:18:41 PM
mbam-log-2009-04-26 (15-18-41).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 171243
Time elapsed: 31 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bdba0dfb-8b5f-47e2-9d77-cb181749b4de} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tqqujzct (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{bdba0dfb-8b5f-47e2-9d77-cb181749b4de} (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\rtqwryr.dll (Trojan.Vundo.H) -> Delete on reboot.
:oreo:
and finally the latest HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:36 PM, on 4/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 7099 bytes
I did receive a message that "some items could not be removed but would be on reboot" during the Malware scan. I ran Hijack after rebbot.
Thanks
Hi Richue
1- Download and Run OTMoveIt3
Download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by Old Timer and save it to your Desktop.
Double-click OTMoveIt3.exe.
Copy the lines in the codebox below.
:files
c:\windows\system32\rtqwryr.dll
:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
5 - Status Check
Please reply with
1. the OTMoveIt3 log
2. a fresh HijackThis log
Thanks peku006
As always thanks for your time and patients,
I ran OTMoveIT3.exe, pasted the text from the codebox, clicked Moveit!, then got error message :
The application or DLL c:\windows\system32\uxehitb.dll is not a valid Windows image.Please check this against your installation diskette
OTMoveIt3log:
========== FILES ==========
LoadLibrary failed for c:\windows\system32\rtqwryr.dll
c:\windows\system32\rtqwryr.dll NOT unregistered.
File move failed. c:\windows\system32\rtqwryr.dll scheduled to be moved on reboot.
========== REGISTRY ==========
Unable to delete registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct\\ .
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04272009_070749
I then rebooted and tried again with the same results. Here is the HiijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:42 AM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OTMoveIt] C:\Documents and Settings\Rob\Desktop\OTMoveIt3.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 7152 bytes
Hi Richue
"strange" error message,let us take a deeper look.
OTScanIt2...by OldTimer.
Please download OTScanIt2 (http://oldtimer.geekstogo.com/OTScanIt2.exe) from Geeks to Go by OldTimer. Alternate download site (http://download.bleepingcomputer.com/oldtimer/OTScanIt2.exe).
Save it to your desktop.
Double click on OTScanIt2.exe to run it.
Click on Extract. Once done, when prompted. Click OK and click Close.
This is a self-extracting file...It will create a folder named OTScanIt2 on your desktop.
Double click on the OTScanIt2 folder to open... then double click on OTScanIt2.exe to run it.
Under Rookit Search, select Yes.
Click on Run Scan at the top left hand corner. It may take a few minutes...be patient, let it run.
When done, Notepad will open with the log file "OTScanIt.Txt" contents.
Please post the contents of the OTScanIt.Txt Notepad file in your next reply.
Thanks peku006
Hello Peku006,
Here is the OTScanIt.txt:
OTScanIt2 logfile created on: 4/27/2009 8:33:33 AM - Run 1
OTScanIt2 by OldTimer - Version 1.0.14.0 Folder = C:\Documents and Settings\Rob\Desktop\OTScanIt2
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
502.05 Mb Total Physical Memory | 126.78 Mb Available Physical Memory | 25.25% Memory free
1.20 Gb Paging File | 0.84 Gb Available in Paging File | 69.98% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 47.74 Gb Total Space | 32.71 Gb Free Space | 68.53% Space Free | Partition Type: NTFS
Drive D: | 8.13 Gb Total Space | 1.03 Gb Free Space | 12.71% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: PC161035812295
Current User Name: Rob
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
[Processes - Safe List]
avgcsrvx.exe -> %ProgramFiles%\AVG\AVG8\avgcsrvx.exe -> [2009/04/26 09:42:15 | 00,691,992 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgemc.exe -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgnsx.exe -> %ProgramFiles%\AVG\AVG8\avgnsx.exe -> [2009/04/26 09:42:15 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsx.exe -> %ProgramFiles%\AVG\AVG8\avgrsx.exe -> [2009/04/26 09:42:15 | 00,485,144 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtray.exe -> %ProgramFiles%\AVG\AVG8\avgtray.exe -> [2009/04/26 09:42:12 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/26 09:42:11 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
explorer.exe -> %SystemRoot%\Explorer.EXE -> [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
hkcmd.exe -> %SystemRoot%\system32\hkcmd.exe -> [2006/03/23 07:13:40 | 00,077,824 | ---- | M] (Intel Corporation)
hp wireless assistant.exe -> %ProgramFiles%\hpq\HP Wireless Assistant\HP Wireless Assistant.exe -> [2006/05/04 00:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.)
hpqtoa~1.exe -> %ProgramFiles%\HPQ\Shared\HpqToaster.exe -> [2005/12/23 23:44:26 | 00,491,606 | ---- | M] ()
hpqwmiex.exe -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.)
iexplore.exe -> %ProgramFiles%\Internet Explorer\iexplore.exe -> [2009/02/27 23:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation)
igfxpers.exe -> %SystemRoot%\system32\igfxpers.exe -> [2006/03/23 07:17:50 | 00,118,784 | ---- | M] (Intel Corporation)
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> [2005/08/11 18:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation)
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/04/11 16:32:52 | 00,494,080 | ---- | M] (OldTimer Tools)
qlbctrl.exe -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe -> [2006/06/02 17:21:42 | 00,135,168 | ---- | M] ( Hewlett-Packard Development Company, L.P.)
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> [2007/09/15 03:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.)
wdfmgr.exe -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 15:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
wmiprvse.exe -> %SystemRoot%\system32\wbem\wmiprvse.exe -> [2009/02/06 04:41:05 | 00,227,840 | ---- | M] (Microsoft Corporation)
wscntfy.exe -> %SystemRoot%\system32\wscntfy.exe -> [2004/08/04 16:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation)
[Win32 Services - Safe List]
(AddFiltr) AddFiltr [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -> [2006/05/08 12:49:02 | 00,098,304 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -> [2004/07/15 11:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation)
(avg8emc) AVG Free8 E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
(avg8wd) AVG Free8 WatchDog [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/26 09:42:11 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
(gusvc) Google Updater Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2007/11/23 22:47:52 | 00,138,168 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2004/08/04 16:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation)
(hpqwmiex) hpqwmiex [Win32_Own | Auto | Running] -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> [2005/04/04 02:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 15:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
(Vongo Service) Vongo Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Vongo\VongoService.exe -> [2006/05/09 16:11:10 | 00,176,128 | ---- | M] (Starz Entertainment Group LLC)
[Driver Services - Safe List]
(AliIde) AliIde [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\aliide.sys -> [2001/08/17 23:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\amdagp.sys -> [2004/08/04 09:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(asc) asc [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc.sys -> [2001/08/17 23:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc3550.sys -> [2001/08/17 23:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(Aspi32) Aspi32 [Kernel | Auto | Running] -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [2006/09/11 14:12:26 | 00,016,512 | ---- | M] (Adaptec)
(AvgLdx86) AVG Free AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgMfx86) AVG Free On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> %SystemRoot%\System32\Drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgTdiX) AVG Free8 Network Redirector [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
(BCM43XX) Broadcom 802.11 Network Adapter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\bcmwl5.sys -> [2006/10/13 00:26:56 | 00,604,928 | ---- | M] (Broadcom Corporation)
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\cmdide.sys -> [2001/08/17 23:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\dac2w2k.sys -> [2001/08/17 23:52:16 | 00,179,584 | ---- | M] (Mylex Corporation)
(eabfiltr) eabfiltr [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\eabfiltr.sys -> [2005/09/19 16:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(eabusb) eabusb [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\eabusb.sys -> [2005/09/19 16:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(HBtnKey) HBtnKey [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\cpqbttn.sys -> [2005/09/19 16:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\CHDAud.sys -> [2007/05/01 02:11:54 | 00,630,272 | ---- | M] (Conexant Systems Inc.)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2005/01/07 19:07:18 | 00,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HSFHWAZL) HSFHWAZL [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSFHWAZL.sys -> [2005/08/21 19:06:16 | 00,201,600 | ---- | M] (Conexant Systems, Inc.)
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_DPV.sys -> [2005/08/21 19:07:00 | 01,035,008 | ---- | M] (Conexant Systems, Inc.)
(ialm) ialm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ialmnt5.sys -> [2006/03/23 07:47:06 | 01,166,972 | ---- | M] (Intel Corporation)
(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\iaStor.sys -> [2005/10/13 04:07:12 | 00,874,240 | ---- | M] (Intel Corporation)
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\mdmxsdk.sys -> [2006/02/14 14:57:46 | 00,012,672 | ---- | M] (Conexant)
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\mraid35x.sys -> [2001/08/17 23:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(NwlnkIpx) NWLink IPX/SPX/NetBIOS Compatible Transport Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkipx.sys -> [2004/08/04 16:00:00 | 00,088,448 | ---- | M] (Microsoft Corporation)
(NwlnkNb) NWLink NetBIOS [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnknb.sys -> [2004/08/04 16:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation)
(NwlnkSpx) NWLink SPX/SPXII Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkspx.sys -> [2004/08/04 16:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2004/08/04 16:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2005/06/20 19:05:58 | 00,020,640 | ---- | M] (Sonic Solutions)
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1080.sys -> [2001/08/17 23:52:20 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql12160.sys -> [2001/08/17 23:52:20 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1280.sys -> [2001/08/17 23:52:18 | 00,049,024 | ---- | M] (QLogic Corporation)
(RTL8023xp) Realtek 10/100/1000 PCI NIC Family NDIS XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\Rtnicxp.sys -> [2007/08/22 13:51:38 | 00,097,152 | ---- | M] (Realtek Semiconductor Corporation )
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\RTL8139.SYS -> [2004/08/04 01:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sisagp.sys -> [2004/08/04 09:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation)
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sparrow.sys -> [2001/08/18 00:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(symc810) symc810 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc810.sys -> [2001/08/18 00:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc8xx.sys -> [2001/08/18 00:07:36 | 00,032,640 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_hi.sys -> [2001/08/18 00:07:40 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_u3.sys -> [2001/08/18 00:07:42 | 00,030,688 | ---- | M] (LSI Logic)
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\SynTP.sys -> [2007/09/15 03:09:44 | 00,213,696 | ---- | M] (Synaptics, Inc.)
(ultra) ultra [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ultra.sys -> [2001/08/17 23:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_CNXT.sys -> [2005/08/21 19:06:10 | 00,718,464 | ---- | M] (Conexant Systems, Inc.)
(wlubdewd) wlubdewd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\wlubdewd.sys -> [2004/08/04 16:00:00 | 00,023,424 | ---- | M] (S3/Diamond Multimedia Systems)
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type. ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKEY_LOCAL_MACHINE\: "ProxyEnable" -> 1 ->
HKEY_LOCAL_MACHINE\: "ProxyOverride" -> *.local;<local> ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local;<local> ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions -> ->
< FireFox Extensions [User Folders] > ->
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
Reset Hosts
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/12/18 04:16:42 | 00,059,032 | ---- | M] (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search] -> [2009/04/26 09:42:18 | 01,078,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> [2008/06/10 04:27:02 | 00,509,328 | ---- | M] (Sun Microsystems, Inc.)
{A057A204-BACC-4D26-9990-79A187E2698E} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} [HKLM] -> %SystemRoot%\system32\rtqwryr.dll [] -> [2004/08/04 16:00:00 | 00,104,448 | ---- | M] ()
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AVG8_TRAY" -> %ProgramFiles%\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> [2009/04/26 09:42:12 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.)
"CANON DR2080C SVC" -> %SystemRoot%\system32\DR2KSVC.DLL [rundll32.exe DR2KSVC.dll,EntryPointUserMessage] -> [2007/03/02 12:40:36 | 00,229,376 | ---- | M] (Canon Electronics)
"Cpqset" -> %ProgramFiles%\Hewlett-Packard\Default Settings\cpqset.exe [C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe] -> [2006/06/19 12:50:40 | 00,040,960 | ---- | M] ()
"High Definition Audio Property Page Shortcut" -> %SystemRoot%\system32\CHDAudPropShortcut.exe [CHDAudPropShortcut.exe] -> [2006/06/02 10:02:50 | 00,061,952 | ---- | M] (Windows (R) Server 2003 DDK provider)
"hpWirelessAssistant" -> %ProgramFiles%\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe] -> [2006/05/04 00:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"igfxhkcmd" -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\system32\hkcmd.exe] -> [2006/03/23 07:13:40 | 00,077,824 | ---- | M] (Intel Corporation)
"igfxpers" -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\system32\igfxpers.exe] -> [2006/03/23 07:17:50 | 00,118,784 | ---- | M] (Intel Corporation)
"igfxtray" -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\system32\igfxtray.exe] -> [2006/03/23 07:17:04 | 00,094,208 | ---- | M] (Intel Corporation)
"ISUSPM Startup" -> %CommonProgramFiles%\InstallShield\UpdateService\isuspm.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup] -> [2005/08/11 18:30:30 | 00,249,856 | ---- | M] (Macrovision Corporation)
"ISUSScheduler" -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start] -> [2005/08/11 18:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation)
"QlbCtrl" -> [%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start] -> File not found
"RecGuard" -> %SystemRoot%\SMINST\RecGuard.exe [C:\Windows\SMINST\RecGuard.exe] -> [2005/10/11 12:23:50 | 01,187,840 | ---- | M] ()
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
"SynTPEnh" -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> [2007/09/15 03:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.)
"SynTPStart" -> %ProgramFiles%\Synaptics\SynTP\SynTPStart.exe [C:\Program Files\Synaptics\SynTP\SynTPStart.exe] -> [2007/09/15 03:29:10 | 00,102,400 | ---- | M] (Synaptics, Inc.)
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
"OTMoveIt" -> %UserProfile%\Desktop\OTMoveIt3.exe [C:\Documents and Settings\Rob\Desktop\OTMoveIt3.exe] -> [2009/04/27 06:55:19 | 00,389,632 | ---- | M] (OldTimer Tools)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Rob Startup Folder > -> C:\Documents and Settings\Rob\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" -> [1] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\Office10\EXCEL.EXE [res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000] -> [2001/02/16 02:05:38 | 09,164,192 | R--- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Menu: Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5506 domain(s) found. ->
50 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5501 domain(s) found. ->
49 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{233C1507-6A77-46A4-9443-F871F945D258} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab [Shockwave ActiveX Control] ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718 [WUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{A90A5822-F108-45AD-8482-9BC8B12DD539} [HKLM] -> http://www.crucial.com/controls/cpcScanner.cab [Crucial cpcScan] ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Java Plug-in 1.5.0_06] ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab [Java Plug-in 1.6.0_01] ->
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab [Java Plug-in 1.6.0_02] ->
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{4F861CE6-223A-4578-B2A7-69BD3BA7C5EF} -> (Broadcom 802.11b/g WLAN) ->
{828F6C98-926B-49AD-AE17-C88EF5588F55} -> (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
avgrsstarter -> %SystemRoot%\system32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> [2006/03/23 07:12:42 | 00,139,264 | ---- | M] (Intel Corporation)
tqqujzct -> %SystemRoot%\system32\rtqwryr.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | M] ()
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/04 16:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Program Files\AVG\AVG8\avgemc.exe" -> C:\Program Files\AVG\AVG8\avgemc.exe [C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe] -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" -> C:\Program Files\AVG\AVG8\avgnsx.exe [C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe] -> [2009/04/26 09:42:15 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" -> C:\Program Files\AVG\AVG8\avgupd.exe [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe] -> [2009/04/26 09:42:12 | 01,057,048 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019] -> [2004/08/04 16:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2004/08/04 16:00:00 | 00,049,536 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > -> ->
D:\AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ FAT32 ] -> [2001/07/27 22:07:38 | 00,000,000 | -HS- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
\F
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell
\F\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun
\F\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command
\F\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a] -> File not found
\{11653a28-c6ba-11db-b4ed-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}\Shell\AutoRun\command
\{11653a28-c6ba-11db-b4ed-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\setupSNK.exe [F:\setupSNK.exe] -> File not found
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\command
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a] -> File not found
\{a262d412-8263-11dc-b587-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\command
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe] -> File not found
[Files/Folders - Created Within 30 Days]
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/04/27 08:32:50 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/04/27 08:31:43 | 00,665,196 | ---- | C] ()
RECYCLER -> %SystemDrive%\RECYCLER -> [2009/04/27 07:19:58 | 00,000,000 | -HSD | C]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [2009/04/27 07:07:49 | 00,000,000 | ---D | C]
OTMoveIt3.exe -> %UserProfile%\Desktop\OTMoveIt3.exe -> [2009/04/27 06:55:18 | 00,389,632 | ---- | C] (OldTimer Tools)
temp -> %SystemRoot%\temp -> [2009/04/26 14:40:53 | 00,000,000 | ---D | C]
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/04/26 09:59:24 | 00,000,211 | ---- | C] ()
cmldr -> %SystemDrive%\cmldr -> [2009/04/26 09:59:18 | 00,260,272 | ---- | C] ()
cmdcons -> %SystemDrive%\cmdcons -> [2009/04/26 09:59:13 | 00,000,000 | RHSD | C]
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> [2009/04/26 09:57:19 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2009/04/26 09:57:19 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2009/04/26 09:57:19 | 00,136,704 | ---- | C] (SteelWerX)
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/04/26 09:57:19 | 00,111,104 | ---- | C] ()
sed.exe -> %SystemRoot%\sed.exe -> [2009/04/26 09:57:19 | 00,098,816 | ---- | C] ()
grep.exe -> %SystemRoot%\grep.exe -> [2009/04/26 09:57:19 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2009/04/26 09:57:19 | 00,068,096 | ---- | C] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/04/26 09:57:19 | 00,029,696 | ---- | C] (NirSoft)
Qoobox -> %SystemDrive%\Qoobox -> [2009/04/26 09:52:14 | 00,000,000 | ---D | C]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/04/26 09:51:20 | 03,006,230 | R--- | C] ()
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | C] (AVG Technologies CZ, s.r.o.)
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2009/04/26 09:42:25 | 35,477,808 | ---- | C] ()
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2009/04/26 09:42:25 | 06,061,540 | ---- | C] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2009/04/26 09:42:25 | 00,434,673 | ---- | C] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2009/04/26 09:42:25 | 00,032,111 | ---- | C] ()
AVGTOOLBAR -> %AppData%\AVGTOOLBAR -> [2009/04/26 09:42:25 | 00,000,000 | ---D | C]
Avg -> %SystemRoot%\System32\drivers\Avg -> [2009/04/26 09:42:25 | 00,000,000 | ---D | C]
AVG -> %ProgramFiles%\AVG -> [2009/04/26 09:42:11 | 00,000,000 | ---D | C]
avg8 -> %AllUsersProfile%\Application Data\avg8 -> [2009/04/26 09:42:10 | 00,000,000 | ---D | C]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/04/25 09:32:06 | 00,001,734 | ---- | C] ()
Trend Micro -> %ProgramFiles%\Trend Micro -> [2009/04/25 09:32:06 | 00,000,000 | ---D | C]
ERDNT -> %SystemRoot%\ERDNT -> [2009/04/25 09:26:21 | 00,000,000 | ---D | C]
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/04/25 09:20:06 | 00,000,611 | ---- | C] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 09:20:06 | 00,000,592 | ---- | C] ()
ERUNT -> %ProgramFiles%\ERUNT -> [2009/04/25 09:20:05 | 00,000,000 | ---D | C]
TEMP -> %AllUsersProfile%\Application Data\TEMP -> [2009/04/24 22:49:38 | 00,000,000 | ---D | C]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/04/24 22:29:23 | 52,650,3936 | -HS- | C] ()
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [2009/04/24 20:23:31 | 00,000,000 | ---D | C]
fastprox.dll -> %SystemRoot%\System32\dllcache\fastprox.dll -> [2009/04/23 22:52:08 | 00,473,088 | ---- | C] (Microsoft Corporation)
rpcss.dll -> %SystemRoot%\System32\dllcache\rpcss.dll -> [2009/04/23 22:52:08 | 00,401,408 | ---- | C] (Microsoft Corporation)
pdh.dll -> %SystemRoot%\System32\dllcache\pdh.dll -> [2009/04/23 22:52:08 | 00,284,160 | ---- | C] (Microsoft Corporation)
wmiprvse.exe -> %SystemRoot%\System32\dllcache\wmiprvse.exe -> [2009/04/23 22:52:08 | 00,227,840 | ---- | C] (Microsoft Corporation)
services.exe -> %SystemRoot%\System32\dllcache\services.exe -> [2009/04/23 22:52:08 | 00,110,592 | ---- | C] (Microsoft Corporation)
colbact.dll -> %SystemRoot%\System32\dllcache\colbact.dll -> [2009/04/23 22:52:08 | 00,060,416 | ---- | C] (Microsoft Corporation)
sc.exe -> %SystemRoot%\System32\dllcache\sc.exe -> [2009/04/23 22:52:08 | 00,035,328 | ---- | C] (Microsoft Corporation)
ntdll.dll -> %SystemRoot%\System32\dllcache\ntdll.dll -> [2009/04/23 22:52:07 | 00,715,264 | ---- | C] (Microsoft Corporation)
advapi32.dll -> %SystemRoot%\System32\dllcache\advapi32.dll -> [2009/04/23 22:52:07 | 00,617,984 | ---- | C] (Microsoft Corporation)
sysmain.sdb -> %SystemRoot%\System32\dllcache\sysmain.sdb -> [2009/04/23 22:51:39 | 01,193,414 | ---- | C] ()
wordpad.exe -> %SystemRoot%\System32\dllcache\wordpad.exe -> [2009/04/23 22:51:39 | 00,215,552 | ---- | C] (Microsoft Corporation)
Mozilla -> %AppData%\Mozilla -> [2009/04/23 10:22:29 | 00,000,000 | ---D | C]
Malwarebytes -> %AppData%\Malwarebytes -> [2009/04/23 10:10:31 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/23 10:10:29 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 10:10:29 | 00,000,696 | ---- | C] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/23 10:10:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/04/23 10:10:26 | 00,000,000 | ---D | C]
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware -> [2009/04/23 10:10:25 | 00,000,000 | ---D | C]
Shortcut (2) to All Wells.lnk -> %UserProfile%\Desktop\Shortcut (2) to All Wells.lnk -> [2009/04/22 15:39:36 | 00,000,254 | ---- | C] ()
pixcache.ini -> %SystemRoot%\pixcache.ini -> [2009/04/22 12:46:29 | 00,004,969 | ---- | C] ()
Canon Electronics -> %AppData%\Canon Electronics -> [2009/04/22 12:46:28 | 00,000,000 | ---D | C]
PIXDFLT.DLL -> %SystemRoot%\System32\PIXDFLT.DLL -> [2009/04/22 12:44:04 | 00,231,552 | ---- | C] (EMC Corporation)
PIXPERM.DLL -> %SystemRoot%\System32\PIXPERM.DLL -> [2009/04/22 12:44:04 | 00,023,152 | ---- | C] (EMC Corporation)
CTL3D.DLL -> %SystemRoot%\System32\CTL3D.DLL -> [2009/04/22 12:44:04 | 00,021,008 | ---- | C] (Microsoft Corporation)
PIXLOC.DLL -> %SystemRoot%\System32\PIXLOC.DLL -> [2009/04/22 12:44:04 | 00,016,048 | ---- | C] (EMC Corporation)
PIXMDLLC.CPL -> %SystemRoot%\System32\PIXMDLLC.CPL -> [2009/04/22 12:44:04 | 00,011,968 | ---- | C] (Pixel Translations Incorporated)
PIXTHK16.DLL -> %SystemRoot%\System32\PIXTHK16.DLL -> [2009/04/22 12:44:04 | 00,006,416 | ---- | C] (EMC Corporation)
PIXJP2KI.DLL -> %SystemRoot%\System32\PIXJP2KI.DLL -> [2009/04/22 12:44:03 | 00,327,680 | ---- | C] (The University of New South Wales)
PIXNAME.HLP -> %SystemRoot%\System32\PIXNAME.HLP -> [2009/04/22 12:44:03 | 00,051,959 | ---- | C] ()
SuStiUtl.dll -> %SystemRoot%\System32\SuStiUtl.dll -> [2009/04/22 12:43:59 | 00,061,440 | ---- | C] (Canon Electronics Inc.)
usbscan.sys -> %SystemRoot%\System32\drivers\usbscan.sys -> [2009/04/22 12:42:33 | 00,015,104 | ---- | C] (Microsoft Corporation)
usbscan.sys -> %SystemRoot%\System32\dllcache\usbscan.sys -> [2009/04/22 12:42:33 | 00,015,104 | ---- | C] (Microsoft Corporation)
DR2KSVC.dll -> %SystemRoot%\System32\DR2KSVC.dll -> [2009/04/22 12:42:13 | 00,229,376 | ---- | C] (Canon Electronics)
WNASPI32.DLL -> %SystemRoot%\System32\WNASPI32.DLL -> [2009/04/22 12:42:13 | 00,045,056 | ---- | C] (Adaptec)
CeiUSB.dll -> %SystemRoot%\System32\CeiUSB.dll -> [2009/04/22 12:42:13 | 00,042,536 | ---- | C] (Canon Electronics Inc.)
ASPI32.SYS -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [2009/04/22 12:42:13 | 00,016,512 | ---- | C] (Adaptec)
SetScan.ini -> %SystemRoot%\SetScan.ini -> [2009/04/22 12:42:13 | 00,000,140 | ---- | C] ()
CeiSCSI.dll -> %SystemRoot%\System32\CeiSCSI.dll -> [2009/04/22 12:42:12 | 00,157,224 | ---- | C] (Canon Electronics Inc.)
CaDRcpl.dll -> %SystemRoot%\System32\CaDRcpl.dll -> [2009/04/22 12:42:12 | 00,083,496 | ---- | C] (Canon Electronics Inc.)
qd1.dll -> %SystemRoot%\System32\qd1.dll -> [2009/04/22 12:41:42 | 00,504,080 | ---- | C] (Captiva Software Corp.)
Msvcrtd.dll -> %SystemRoot%\System32\Msvcrtd.dll -> [2009/04/22 12:41:41 | 00,401,484 | ---- | C] (Microsoft Corporation)
Pixdflt.dll -> %SystemRoot%\System\Pixdflt.dll -> [2009/04/22 12:41:41 | 00,231,552 | ---- | C] (Pixel Translations Incorporated)
canoit32.exe -> %SystemRoot%\System32\canoit32.exe -> [2009/04/22 12:41:41 | 00,045,056 | ---- | C] (CANON INC.)
Pixperm.dll -> %SystemRoot%\System\Pixperm.dll -> [2009/04/22 12:41:41 | 00,023,152 | ---- | C] (Pixel Translations Incorporated)
Ctl3d.dll -> %SystemRoot%\System\Ctl3d.dll -> [2009/04/22 12:41:41 | 00,021,008 | ---- | C] (Microsoft Corporation)
Pixloc.dll -> %SystemRoot%\System\Pixloc.dll -> [2009/04/22 12:41:41 | 00,016,064 | ---- | C] (Pixel Translations Incorporated)
twpix32.dll -> %SystemRoot%\System32\twpix32.dll -> [2009/04/22 12:41:40 | 00,184,320 | ---- | C] (Input Software Inc.)
PIXN1120.DLL -> %SystemRoot%\System32\PIXN1120.DLL -> [2009/04/22 12:41:40 | 00,180,224 | ---- | C] (Pegasus Imaging Corp.)
PIXN1520.DLL -> %SystemRoot%\System32\PIXN1520.DLL -> [2009/04/22 12:41:40 | 00,176,128 | ---- | C] (Pegasus Imaging Corp.)
PIXN1020.DLL -> %SystemRoot%\System32\PIXN1020.DLL -> [2009/04/22 12:41:40 | 00,155,648 | ---- | C] (Pegasus Imaging Corp.)
PIXN1320.DLL -> %SystemRoot%\System32\PIXN1320.DLL -> [2009/04/22 12:41:40 | 00,114,688 | ---- | C] (Pegasus Imaging Corp.)
Wiaext32.dll -> %SystemRoot%\System32\Wiaext32.dll -> [2009/04/22 12:41:40 | 00,098,304 | ---- | C] (Cornerstone Imaging, Inc.)
PIXN20.DLL -> %SystemRoot%\System32\PIXN20.DLL -> [2009/04/22 12:41:40 | 00,051,712 | ---- | C] (Pegasus Imaging Corp.)
pixtran -> %SystemRoot%\pixtran -> [2009/04/22 12:41:40 | 00,000,000 | ---D | C]
Canon Electronics -> %ProgramFiles%\Canon Electronics -> [2009/04/22 12:41:38 | 00,000,000 | ---D | C]
All Wells -> %UserProfile%\My Documents\All Wells -> [2009/04/22 11:16:48 | 00,000,000 | ---D | C]
Clay JOA's -> %UserProfile%\My Documents\Clay JOA's -> [2009/04/20 16:59:29 | 00,000,000 | ---D | C]
Shortcut to Clay 11A-1.lnk -> %UserProfile%\Desktop\Shortcut to Clay 11A-1.lnk -> [2009/04/20 16:55:30 | 00,000,257 | ---- | C] ()
projected ira.xls -> %UserProfile%\My Documents\projected ira.xls -> [2009/04/14 15:33:39 | 00,048,640 | ---- | C] ()
Map98.INI -> %SystemRoot%\Map98.INI -> [2008/11/19 17:34:51 | 00,000,349 | ---- | C] ()
vshp1020.dll -> %SystemRoot%\System32\vshp1020.dll -> [2008/11/18 13:19:28 | 00,106,496 | R--- | C] ()
iPlayer.INI -> %SystemRoot%\iPlayer.INI -> [2007/09/08 21:31:34 | 00,000,000 | ---- | C] ()
SmartAudio.INI -> %SystemRoot%\SmartAudio.INI -> [2007/01/06 23:46:24 | 00,000,027 | ---- | C] ()
QUICKEN.INI -> %SystemRoot%\QUICKEN.INI -> [2006/08/19 05:08:37 | 00,000,166 | ---- | C] ()
NSSetDefaultBrowser.ini -> %SystemRoot%\NSSetDefaultBrowser.ini -> [2006/08/19 05:03:23 | 00,000,698 | ---- | C] ()
ODBC.INI -> %SystemRoot%\ODBC.INI -> [2006/08/19 04:48:13 | 00,000,376 | ---- | C] ()
oeminfo.ini -> %SystemRoot%\System32\oeminfo.ini -> [2006/08/19 04:43:52 | 00,028,836 | ---- | C] ()
smscfg.ini -> %SystemRoot%\smscfg.ini -> [2006/05/10 09:23:38 | 00,000,061 | ---- | C] ()
WININIT.INI -> %SystemRoot%\WININIT.INI -> [2006/05/10 08:46:02 | 00,000,257 | ---- | C] ()
orun32.ini -> %SystemRoot%\orun32.ini -> [2006/05/10 08:42:38 | 00,000,780 | ---- | C] ()
win.ini -> %SystemRoot%\win.ini -> [2006/05/10 08:25:36 | 00,000,482 | ---- | C] ()
system.ini -> %SystemRoot%\system.ini -> [2006/05/10 01:16:26 | 00,000,227 | ---- | C] ()
px.ini -> %SystemRoot%\System32\px.ini -> [2005/12/02 13:09:10 | 00,000,000 | ---- | C] ()
qt-mt331.dll -> %SystemRoot%\System32\qt-mt331.dll -> [2004/09/16 15:24:26 | 03,375,104 | ---- | C] ()
kqfpqyei.dll -> %SystemRoot%\System32\kqfpqyei.dll -> [2004/08/04 16:00:00 | 00,143,872 | ---- | C] ()
uxehitb.dll -> %SystemRoot%\System32\uxehitb.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | C] ()
rtqwryr.dll -> %SystemRoot%\System32\rtqwryr.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | C] ()
[Files/Folders - Modified Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
4 C:\Documents and Settings\Rob\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Rob\Local Settings\Temp\*.tmp ->
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/04/27 08:31:45 | 00,665,196 | ---- | M] ()
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2009/04/27 08:31:17 | 35,477,808 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/04/27 07:22:50 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/04/27 07:22:47 | 00,002,048 | --S- | M] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/04/27 07:22:43 | 52,650,3936 | -HS- | M] ()
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2009/04/27 07:22:43 | 00,270,984 | ---- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/04/27 07:21:32 | 07,340,032 | -H-- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/04/27 07:21:32 | 00,000,178 | -HS- | M] ()
OTMoveIt3.exe -> %UserProfile%\Desktop\OTMoveIt3.exe -> [2009/04/27 06:55:19 | 00,389,632 | ---- | M] (OldTimer Tools)
Norton PC Checkup Weekend Scanner.job -> %SystemRoot%\tasks\Norton PC Checkup Weekend Scanner.job -> [2009/04/26 15:46:00 | 00,000,342 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/04/26 14:37:01 | 00,000,227 | ---- | M] ()
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [2009/04/26 14:36:30 | 00,000,027 | ---- | M] ()
Perflib_Perfdata__755.dat -> %UserProfile%\Local Settings\Temp\Perflib_Perfdata__755.dat -> [2009/04/26 14:32:53 | 00,060,416 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2009/04/26 09:59:25 | 00,000,281 | RHS- | M] ()
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/04/26 09:51:32 | 03,006,230 | R--- | M] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2009/04/26 09:46:25 | 00,434,673 | ---- | M] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2009/04/26 09:46:25 | 00,032,111 | ---- | M] ()
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2009/04/26 09:42:25 | 06,061,540 | ---- | M] ()
WININIT.INI -> %SystemRoot%\WININIT.INI -> [2009/04/25 17:51:26 | 00,000,257 | ---- | M] ()
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/04/25 13:59:03 | 00,111,104 | ---- | M] ()
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/04/25 09:32:06 | 00,001,734 | ---- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/04/25 09:27:56 | 00,439,376 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/04/25 09:27:56 | 00,380,918 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/04/25 09:27:56 | 00,053,166 | ---- | M] ()
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/04/25 09:20:06 | 00,000,611 | ---- | M] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 09:20:06 | 00,000,592 | ---- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2009/04/24 18:30:21 | 00,000,482 | ---- | M] ()
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/04/24 18:30:21 | 00,000,211 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/04/24 18:02:55 | 00,004,232 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/04/24 18:02:53 | 00,005,338 | ---- | M] ()
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/04/23 22:55:56 | 00,001,374 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/04/23 22:50:50 | 00,001,158 | ---- | M] ()
spider.sav -> %UserProfile%\My Documents\spider.sav -> [2009/04/23 16:55:40 | 00,000,532 | ---- | M] ()
SetScan.ini -> %SystemRoot%\SetScan.ini -> [2009/04/23 13:26:35 | 00,000,140 | ---- | M] ()
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 10:10:29 | 00,000,696 | ---- | M] ()
Shortcut (2) to All Wells.lnk -> %UserProfile%\Desktop\Shortcut (2) to All Wells.lnk -> [2009/04/22 15:39:36 | 00,000,254 | ---- | M] ()
pixcache.ini -> %SystemRoot%\pixcache.ini -> [2009/04/22 12:47:17 | 00,004,969 | ---- | M] ()
Shortcut to Clay 11A-1.lnk -> %UserProfile%\Desktop\Shortcut to Clay 11A-1.lnk -> [2009/04/20 16:55:30 | 00,000,257 | ---- | M] ()
projected ira.xls -> %UserProfile%\My Documents\projected ira.xls -> [2009/04/14 15:33:39 | 00,048,640 | ---- | M] ()
DRU Sec._12-3N-6W__Lots[1].doc -> %UserProfile%\Desktop\DRU Sec._12-3N-6W__Lots[1].doc -> [2009/04/07 09:46:16 | 02,120,192 | ---- | M] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation)
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/04/06 07:57:26 | 24,921,544 | ---- | M] (Microsoft Corporation)
data.dat -> %AllUsersProfile%\Application Data\Microsoft\Office\Data\data.dat -> [2006/12/16 18:56:01 | 00,001,372 | ---- | M] ()
[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000001b
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
< Document and Settings folder & sub folders >
scanning hidden files ...
C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD 101 bytes
C:\Documents and Settings\Rob\Favorites\Driving Directions from 8505 Sw 36th St, Oklahoma City, OK to Buffalo, OK.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\amazon.com Used and New PELICAN ACCESSORIES PL-2050 Xbox Edge Wireless Controller.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\corporate name changes index.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\County Clerk Public Records - various counties.url:favicon 2806 bytes
C:\Documents and Settings\Rob\Favorites\MSN.com.url:favicon 3638 bytes
C:\Documents and Settings\Rob\Favorites\Quick Sand 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Quick Sand Pyro 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Square Feet to Acres conversion calculator - Area conversions.url:favicon 3638 bytes
C:\Documents and Settings\Rob\Favorites\Super Crazy Guitar 2 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Treasure of Cutlass Reef 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Game Giveaway of the Day.url:favicon 2038 bytes
C:\Documents and Settings\Rob\Favorites\Grow Island 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\http--www.playlist.com-.url:favicon 1150 bytes
C:\Documents and Settings\Rob\Favorites\Land to Acre Conversion Calculator.url:favicon 822 bytes
scan completed successfully
hidden files: 67
[Alternate Data Streams]
@Alternate Data Stream - 101 bytes -> %AllUsersProfile%\Application Data\TEMP:7E95B6FD
< End of report >
I hope it is okay with you, I have reposted the above info minus "code" in order to make it easier to read.
OTScanIt2 logfile created on: 4/27/2009 8:33:33 AM - Run 1
OTScanIt2 by OldTimer - Version 1.0.14.0 Folder = C:\Documents and Settings\Rob\Desktop\OTScanIt2
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
502.05 Mb Total Physical Memory | 126.78 Mb Available Physical Memory | 25.25% Memory free
1.20 Gb Paging File | 0.84 Gb Available in Paging File | 69.98% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 47.74 Gb Total Space | 32.71 Gb Free Space | 68.53% Space Free | Partition Type: NTFS
Drive D: | 8.13 Gb Total Space | 1.03 Gb Free Space | 12.71% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: PC161035812295
Current User Name: Rob
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
[Processes - Safe List]
avgcsrvx.exe -> %ProgramFiles%\AVG\AVG8\avgcsrvx.exe -> [2009/04/26 09:42:15 | 00,691,992 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgemc.exe -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgnsx.exe -> %ProgramFiles%\AVG\AVG8\avgnsx.exe -> [2009/04/26 09:42:15 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsx.exe -> %ProgramFiles%\AVG\AVG8\avgrsx.exe -> [2009/04/26 09:42:15 | 00,485,144 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtray.exe -> %ProgramFiles%\AVG\AVG8\avgtray.exe -> [2009/04/26 09:42:12 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/26 09:42:11 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
explorer.exe -> %SystemRoot%\Explorer.EXE -> [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
hkcmd.exe -> %SystemRoot%\system32\hkcmd.exe -> [2006/03/23 07:13:40 | 00,077,824 | ---- | M] (Intel Corporation)
hp wireless assistant.exe -> %ProgramFiles%\hpq\HP Wireless Assistant\HP Wireless Assistant.exe -> [2006/05/04 00:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.)
hpqtoa~1.exe -> %ProgramFiles%\HPQ\Shared\HpqToaster.exe -> [2005/12/23 23:44:26 | 00,491,606 | ---- | M] ()
hpqwmiex.exe -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.)
iexplore.exe -> %ProgramFiles%\Internet Explorer\iexplore.exe -> [2009/02/27 23:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation)
igfxpers.exe -> %SystemRoot%\system32\igfxpers.exe -> [2006/03/23 07:17:50 | 00,118,784 | ---- | M] (Intel Corporation)
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> [2005/08/11 18:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation)
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/04/11 16:32:52 | 00,494,080 | ---- | M] (OldTimer Tools)
qlbctrl.exe -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe -> [2006/06/02 17:21:42 | 00,135,168 | ---- | M] ( Hewlett-Packard Development Company, L.P.)
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> [2007/09/15 03:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.)
wdfmgr.exe -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 15:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
wmiprvse.exe -> %SystemRoot%\system32\wbem\wmiprvse.exe -> [2009/02/06 04:41:05 | 00,227,840 | ---- | M] (Microsoft Corporation)
wscntfy.exe -> %SystemRoot%\system32\wscntfy.exe -> [2004/08/04 16:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation)
[Win32 Services - Safe List]
(AddFiltr) AddFiltr [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -> [2006/05/08 12:49:02 | 00,098,304 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -> [2004/07/15 11:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation)
(avg8emc) AVG Free8 E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
(avg8wd) AVG Free8 WatchDog [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/26 09:42:11 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
(gusvc) Google Updater Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2007/11/23 22:47:52 | 00,138,168 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2004/08/04 16:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation)
(hpqwmiex) hpqwmiex [Win32_Own | Auto | Running] -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> [2005/04/04 02:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 15:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
(Vongo Service) Vongo Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Vongo\VongoService.exe -> [2006/05/09 16:11:10 | 00,176,128 | ---- | M] (Starz Entertainment Group LLC)
[Driver Services - Safe List]
(AliIde) AliIde [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\aliide.sys -> [2001/08/17 23:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\amdagp.sys -> [2004/08/04 09:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(asc) asc [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc.sys -> [2001/08/17 23:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc3550.sys -> [2001/08/17 23:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(Aspi32) Aspi32 [Kernel | Auto | Running] -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [2006/09/11 14:12:26 | 00,016,512 | ---- | M] (Adaptec)
(AvgLdx86) AVG Free AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgMfx86) AVG Free On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> %SystemRoot%\System32\Drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgTdiX) AVG Free8 Network Redirector [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
(BCM43XX) Broadcom 802.11 Network Adapter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\bcmwl5.sys -> [2006/10/13 00:26:56 | 00,604,928 | ---- | M] (Broadcom Corporation)
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\cmdide.sys -> [2001/08/17 23:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\dac2w2k.sys -> [2001/08/17 23:52:16 | 00,179,584 | ---- | M] (Mylex Corporation)
(eabfiltr) eabfiltr [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\eabfiltr.sys -> [2005/09/19 16:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(eabusb) eabusb [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\eabusb.sys -> [2005/09/19 16:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(HBtnKey) HBtnKey [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\cpqbttn.sys -> [2005/09/19 16:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\CHDAud.sys -> [2007/05/01 02:11:54 | 00,630,272 | ---- | M] (Conexant Systems Inc.)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2005/01/07 19:07:18 | 00,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HSFHWAZL) HSFHWAZL [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSFHWAZL.sys -> [2005/08/21 19:06:16 | 00,201,600 | ---- | M] (Conexant Systems, Inc.)
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_DPV.sys -> [2005/08/21 19:07:00 | 01,035,008 | ---- | M] (Conexant Systems, Inc.)
(ialm) ialm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ialmnt5.sys -> [2006/03/23 07:47:06 | 01,166,972 | ---- | M] (Intel Corporation)
(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\iaStor.sys -> [2005/10/13 04:07:12 | 00,874,240 | ---- | M] (Intel Corporation)
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\mdmxsdk.sys -> [2006/02/14 14:57:46 | 00,012,672 | ---- | M] (Conexant)
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\mraid35x.sys -> [2001/08/17 23:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(NwlnkIpx) NWLink IPX/SPX/NetBIOS Compatible Transport Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkipx.sys -> [2004/08/04 16:00:00 | 00,088,448 | ---- | M] (Microsoft Corporation)
(NwlnkNb) NWLink NetBIOS [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnknb.sys -> [2004/08/04 16:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation)
(NwlnkSpx) NWLink SPX/SPXII Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkspx.sys -> [2004/08/04 16:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2004/08/04 16:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2005/06/20 19:05:58 | 00,020,640 | ---- | M] (Sonic Solutions)
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1080.sys -> [2001/08/17 23:52:20 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql12160.sys -> [2001/08/17 23:52:20 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1280.sys -> [2001/08/17 23:52:18 | 00,049,024 | ---- | M] (QLogic Corporation)
(RTL8023xp) Realtek 10/100/1000 PCI NIC Family NDIS XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\Rtnicxp.sys -> [2007/08/22 13:51:38 | 00,097,152 | ---- | M] (Realtek Semiconductor Corporation )
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\RTL8139.SYS -> [2004/08/04 01:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sisagp.sys -> [2004/08/04 09:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation)
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sparrow.sys -> [2001/08/18 00:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(symc810) symc810 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc810.sys -> [2001/08/18 00:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc8xx.sys -> [2001/08/18 00:07:36 | 00,032,640 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_hi.sys -> [2001/08/18 00:07:40 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_u3.sys -> [2001/08/18 00:07:42 | 00,030,688 | ---- | M] (LSI Logic)
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\SynTP.sys -> [2007/09/15 03:09:44 | 00,213,696 | ---- | M] (Synaptics, Inc.)
(ultra) ultra [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ultra.sys -> [2001/08/17 23:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_CNXT.sys -> [2005/08/21 19:06:10 | 00,718,464 | ---- | M] (Conexant Systems, Inc.)
(wlubdewd) wlubdewd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\wlubdewd.sys -> [2004/08/04 16:00:00 | 00,023,424 | ---- | M] (S3/Diamond Multimedia Systems)
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type. ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKEY_LOCAL_MACHINE\: "ProxyEnable" -> 1 ->
HKEY_LOCAL_MACHINE\: "ProxyOverride" -> *.local;<local> ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local;<local> ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions -> ->
< FireFox Extensions [User Folders] > ->
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
Reset Hosts
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/12/18 04:16:42 | 00,059,032 | ---- | M] (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search] -> [2009/04/26 09:42:18 | 01,078,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> [2008/06/10 04:27:02 | 00,509,328 | ---- | M] (Sun Microsystems, Inc.)
{A057A204-BACC-4D26-9990-79A187E2698E} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} [HKLM] -> %SystemRoot%\system32\rtqwryr.dll [] -> [2004/08/04 16:00:00 | 00,104,448 | ---- | M] ()
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AVG8_TRAY" -> %ProgramFiles%\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> [2009/04/26 09:42:12 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.)
"CANON DR2080C SVC" -> %SystemRoot%\system32\DR2KSVC.DLL [rundll32.exe DR2KSVC.dll,EntryPointUserMessage] -> [2007/03/02 12:40:36 | 00,229,376 | ---- | M] (Canon Electronics)
"Cpqset" -> %ProgramFiles%\Hewlett-Packard\Default Settings\cpqset.exe [C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe] -> [2006/06/19 12:50:40 | 00,040,960 | ---- | M] ()
"High Definition Audio Property Page Shortcut" -> %SystemRoot%\system32\CHDAudPropShortcut.exe [CHDAudPropShortcut.exe] -> [2006/06/02 10:02:50 | 00,061,952 | ---- | M] (Windows (R) Server 2003 DDK provider)
"hpWirelessAssistant" -> %ProgramFiles%\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe] -> [2006/05/04 00:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"igfxhkcmd" -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\system32\hkcmd.exe] -> [2006/03/23 07:13:40 | 00,077,824 | ---- | M] (Intel Corporation)
"igfxpers" -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\system32\igfxpers.exe] -> [2006/03/23 07:17:50 | 00,118,784 | ---- | M] (Intel Corporation)
"igfxtray" -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\system32\igfxtray.exe] -> [2006/03/23 07:17:04 | 00,094,208 | ---- | M] (Intel Corporation)
"ISUSPM Startup" -> %CommonProgramFiles%\InstallShield\UpdateService\isuspm.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup] -> [2005/08/11 18:30:30 | 00,249,856 | ---- | M] (Macrovision Corporation)
"ISUSScheduler" -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start] -> [2005/08/11 18:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation)
"QlbCtrl" -> [%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start] -> File not found
"RecGuard" -> %SystemRoot%\SMINST\RecGuard.exe [C:\Windows\SMINST\RecGuard.exe] -> [2005/10/11 12:23:50 | 01,187,840 | ---- | M] ()
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
"SynTPEnh" -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> [2007/09/15 03:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.)
"SynTPStart" -> %ProgramFiles%\Synaptics\SynTP\SynTPStart.exe [C:\Program Files\Synaptics\SynTP\SynTPStart.exe] -> [2007/09/15 03:29:10 | 00,102,400 | ---- | M] (Synaptics, Inc.)
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
"OTMoveIt" -> %UserProfile%\Desktop\OTMoveIt3.exe [C:\Documents and Settings\Rob\Desktop\OTMoveIt3.exe] -> [2009/04/27 06:55:19 | 00,389,632 | ---- | M] (OldTimer Tools)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Rob Startup Folder > -> C:\Documents and Settings\Rob\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" -> [1] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\Office10\EXCEL.EXE [res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000] -> [2001/02/16 02:05:38 | 09,164,192 | R--- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Menu: Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5506 domain(s) found. ->
50 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5501 domain(s) found. ->
49 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{233C1507-6A77-46A4-9443-F871F945D258} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab [Shockwave ActiveX Control] ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718 [WUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{A90A5822-F108-45AD-8482-9BC8B12DD539} [HKLM] -> http://www.crucial.com/controls/cpcScanner.cab [Crucial cpcScan] ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Java Plug-in 1.5.0_06] ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab [Java Plug-in 1.6.0_01] ->
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab [Java Plug-in 1.6.0_02] ->
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{4F861CE6-223A-4578-B2A7-69BD3BA7C5EF} -> (Broadcom 802.11b/g WLAN) ->
{828F6C98-926B-49AD-AE17-C88EF5588F55} -> (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
avgrsstarter -> %SystemRoot%\system32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> [2006/03/23 07:12:42 | 00,139,264 | ---- | M] (Intel Corporation)
tqqujzct -> %SystemRoot%\system32\rtqwryr.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | M] ()
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/04 16:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Program Files\AVG\AVG8\avgemc.exe" -> C:\Program Files\AVG\AVG8\avgemc.exe [C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe] -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" -> C:\Program Files\AVG\AVG8\avgnsx.exe [C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe] -> [2009/04/26 09:42:15 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" -> C:\Program Files\AVG\AVG8\avgupd.exe [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe] -> [2009/04/26 09:42:12 | 01,057,048 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019] -> [2004/08/04 16:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2004/08/04 16:00:00 | 00,049,536 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > -> ->
D:\AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ FAT32 ] -> [2001/07/27 22:07:38 | 00,000,000 | -HS- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
\F
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell
\F\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun
\F\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command
\F\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a] -> File not found
\{11653a28-c6ba-11db-b4ed-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}\Shell\AutoRun\command
\{11653a28-c6ba-11db-b4ed-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\setupSNK.exe [F:\setupSNK.exe] -> File not found
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\command
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a] -> File not found
\{a262d412-8263-11dc-b587-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\command
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe] -> File not found
[Files/Folders - Created Within 30 Days]
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/04/27 08:32:50 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/04/27 08:31:43 | 00,665,196 | ---- | C] ()
RECYCLER -> %SystemDrive%\RECYCLER -> [2009/04/27 07:19:58 | 00,000,000 | -HSD | C]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [2009/04/27 07:07:49 | 00,000,000 | ---D | C]
OTMoveIt3.exe -> %UserProfile%\Desktop\OTMoveIt3.exe -> [2009/04/27 06:55:18 | 00,389,632 | ---- | C] (OldTimer Tools)
temp -> %SystemRoot%\temp -> [2009/04/26 14:40:53 | 00,000,000 | ---D | C]
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/04/26 09:59:24 | 00,000,211 | ---- | C] ()
cmldr -> %SystemDrive%\cmldr -> [2009/04/26 09:59:18 | 00,260,272 | ---- | C] ()
cmdcons -> %SystemDrive%\cmdcons -> [2009/04/26 09:59:13 | 00,000,000 | RHSD | C]
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> [2009/04/26 09:57:19 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2009/04/26 09:57:19 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2009/04/26 09:57:19 | 00,136,704 | ---- | C] (SteelWerX)
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/04/26 09:57:19 | 00,111,104 | ---- | C] ()
sed.exe -> %SystemRoot%\sed.exe -> [2009/04/26 09:57:19 | 00,098,816 | ---- | C] ()
grep.exe -> %SystemRoot%\grep.exe -> [2009/04/26 09:57:19 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2009/04/26 09:57:19 | 00,068,096 | ---- | C] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/04/26 09:57:19 | 00,029,696 | ---- | C] (NirSoft)
Qoobox -> %SystemDrive%\Qoobox -> [2009/04/26 09:52:14 | 00,000,000 | ---D | C]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/04/26 09:51:20 | 03,006,230 | R--- | C] ()
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | C] (AVG Technologies CZ, s.r.o.)
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2009/04/26 09:42:25 | 35,477,808 | ---- | C] ()
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2009/04/26 09:42:25 | 06,061,540 | ---- | C] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2009/04/26 09:42:25 | 00,434,673 | ---- | C] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2009/04/26 09:42:25 | 00,032,111 | ---- | C] ()
AVGTOOLBAR -> %AppData%\AVGTOOLBAR -> [2009/04/26 09:42:25 | 00,000,000 | ---D | C]
Avg -> %SystemRoot%\System32\drivers\Avg -> [2009/04/26 09:42:25 | 00,000,000 | ---D | C]
AVG -> %ProgramFiles%\AVG -> [2009/04/26 09:42:11 | 00,000,000 | ---D | C]
avg8 -> %AllUsersProfile%\Application Data\avg8 -> [2009/04/26 09:42:10 | 00,000,000 | ---D | C]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/04/25 09:32:06 | 00,001,734 | ---- | C] ()
Trend Micro -> %ProgramFiles%\Trend Micro -> [2009/04/25 09:32:06 | 00,000,000 | ---D | C]
ERDNT -> %SystemRoot%\ERDNT -> [2009/04/25 09:26:21 | 00,000,000 | ---D | C]
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/04/25 09:20:06 | 00,000,611 | ---- | C] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 09:20:06 | 00,000,592 | ---- | C] ()
ERUNT -> %ProgramFiles%\ERUNT -> [2009/04/25 09:20:05 | 00,000,000 | ---D | C]
TEMP -> %AllUsersProfile%\Application Data\TEMP -> [2009/04/24 22:49:38 | 00,000,000 | ---D | C]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/04/24 22:29:23 | 52,650,3936 | -HS- | C] ()
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [2009/04/24 20:23:31 | 00,000,000 | ---D | C]
fastprox.dll -> %SystemRoot%\System32\dllcache\fastprox.dll -> [2009/04/23 22:52:08 | 00,473,088 | ---- | C] (Microsoft Corporation)
rpcss.dll -> %SystemRoot%\System32\dllcache\rpcss.dll -> [2009/04/23 22:52:08 | 00,401,408 | ---- | C] (Microsoft Corporation)
pdh.dll -> %SystemRoot%\System32\dllcache\pdh.dll -> [2009/04/23 22:52:08 | 00,284,160 | ---- | C] (Microsoft Corporation)
wmiprvse.exe -> %SystemRoot%\System32\dllcache\wmiprvse.exe -> [2009/04/23 22:52:08 | 00,227,840 | ---- | C] (Microsoft Corporation)
services.exe -> %SystemRoot%\System32\dllcache\services.exe -> [2009/04/23 22:52:08 | 00,110,592 | ---- | C] (Microsoft Corporation)
colbact.dll -> %SystemRoot%\System32\dllcache\colbact.dll -> [2009/04/23 22:52:08 | 00,060,416 | ---- | C] (Microsoft Corporation)
sc.exe -> %SystemRoot%\System32\dllcache\sc.exe -> [2009/04/23 22:52:08 | 00,035,328 | ---- | C] (Microsoft Corporation)
ntdll.dll -> %SystemRoot%\System32\dllcache\ntdll.dll -> [2009/04/23 22:52:07 | 00,715,264 | ---- | C] (Microsoft Corporation)
advapi32.dll -> %SystemRoot%\System32\dllcache\advapi32.dll -> [2009/04/23 22:52:07 | 00,617,984 | ---- | C] (Microsoft Corporation)
sysmain.sdb -> %SystemRoot%\System32\dllcache\sysmain.sdb -> [2009/04/23 22:51:39 | 01,193,414 | ---- | C] ()
wordpad.exe -> %SystemRoot%\System32\dllcache\wordpad.exe -> [2009/04/23 22:51:39 | 00,215,552 | ---- | C] (Microsoft Corporation)
Mozilla -> %AppData%\Mozilla -> [2009/04/23 10:22:29 | 00,000,000 | ---D | C]
Malwarebytes -> %AppData%\Malwarebytes -> [2009/04/23 10:10:31 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/23 10:10:29 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 10:10:29 | 00,000,696 | ---- | C] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/23 10:10:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/04/23 10:10:26 | 00,000,000 | ---D | C]
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware -> [2009/04/23 10:10:25 | 00,000,000 | ---D | C]
Shortcut (2) to All Wells.lnk -> %UserProfile%\Desktop\Shortcut (2) to All Wells.lnk -> [2009/04/22 15:39:36 | 00,000,254 | ---- | C] ()
pixcache.ini -> %SystemRoot%\pixcache.ini -> [2009/04/22 12:46:29 | 00,004,969 | ---- | C] ()
Canon Electronics -> %AppData%\Canon Electronics -> [2009/04/22 12:46:28 | 00,000,000 | ---D | C]
PIXDFLT.DLL -> %SystemRoot%\System32\PIXDFLT.DLL -> [2009/04/22 12:44:04 | 00,231,552 | ---- | C] (EMC Corporation)
PIXPERM.DLL -> %SystemRoot%\System32\PIXPERM.DLL -> [2009/04/22 12:44:04 | 00,023,152 | ---- | C] (EMC Corporation)
CTL3D.DLL -> %SystemRoot%\System32\CTL3D.DLL -> [2009/04/22 12:44:04 | 00,021,008 | ---- | C] (Microsoft Corporation)
PIXLOC.DLL -> %SystemRoot%\System32\PIXLOC.DLL -> [2009/04/22 12:44:04 | 00,016,048 | ---- | C] (EMC Corporation)
PIXMDLLC.CPL -> %SystemRoot%\System32\PIXMDLLC.CPL -> [2009/04/22 12:44:04 | 00,011,968 | ---- | C] (Pixel Translations Incorporated)
PIXTHK16.DLL -> %SystemRoot%\System32\PIXTHK16.DLL -> [2009/04/22 12:44:04 | 00,006,416 | ---- | C] (EMC Corporation)
PIXJP2KI.DLL -> %SystemRoot%\System32\PIXJP2KI.DLL -> [2009/04/22 12:44:03 | 00,327,680 | ---- | C] (The University of New South Wales)
PIXNAME.HLP -> %SystemRoot%\System32\PIXNAME.HLP -> [2009/04/22 12:44:03 | 00,051,959 | ---- | C] ()
SuStiUtl.dll -> %SystemRoot%\System32\SuStiUtl.dll -> [2009/04/22 12:43:59 | 00,061,440 | ---- | C] (Canon Electronics Inc.)
usbscan.sys -> %SystemRoot%\System32\drivers\usbscan.sys -> [2009/04/22 12:42:33 | 00,015,104 | ---- | C] (Microsoft Corporation)
usbscan.sys -> %SystemRoot%\System32\dllcache\usbscan.sys -> [2009/04/22 12:42:33 | 00,015,104 | ---- | C] (Microsoft Corporation)
DR2KSVC.dll -> %SystemRoot%\System32\DR2KSVC.dll -> [2009/04/22 12:42:13 | 00,229,376 | ---- | C] (Canon Electronics)
WNASPI32.DLL -> %SystemRoot%\System32\WNASPI32.DLL -> [2009/04/22 12:42:13 | 00,045,056 | ---- | C] (Adaptec)
CeiUSB.dll -> %SystemRoot%\System32\CeiUSB.dll -> [2009/04/22 12:42:13 | 00,042,536 | ---- | C] (Canon Electronics Inc.)
ASPI32.SYS -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [2009/04/22 12:42:13 | 00,016,512 | ---- | C] (Adaptec)
SetScan.ini -> %SystemRoot%\SetScan.ini -> [2009/04/22 12:42:13 | 00,000,140 | ---- | C] ()
CeiSCSI.dll -> %SystemRoot%\System32\CeiSCSI.dll -> [2009/04/22 12:42:12 | 00,157,224 | ---- | C] (Canon Electronics Inc.)
CaDRcpl.dll -> %SystemRoot%\System32\CaDRcpl.dll -> [2009/04/22 12:42:12 | 00,083,496 | ---- | C] (Canon Electronics Inc.)
qd1.dll -> %SystemRoot%\System32\qd1.dll -> [2009/04/22 12:41:42 | 00,504,080 | ---- | C] (Captiva Software Corp.)
Msvcrtd.dll -> %SystemRoot%\System32\Msvcrtd.dll -> [2009/04/22 12:41:41 | 00,401,484 | ---- | C] (Microsoft Corporation)
Pixdflt.dll -> %SystemRoot%\System\Pixdflt.dll -> [2009/04/22 12:41:41 | 00,231,552 | ---- | C] (Pixel Translations Incorporated)
canoit32.exe -> %SystemRoot%\System32\canoit32.exe -> [2009/04/22 12:41:41 | 00,045,056 | ---- | C] (CANON INC.)
Pixperm.dll -> %SystemRoot%\System\Pixperm.dll -> [2009/04/22 12:41:41 | 00,023,152 | ---- | C] (Pixel Translations Incorporated)
Ctl3d.dll -> %SystemRoot%\System\Ctl3d.dll -> [2009/04/22 12:41:41 | 00,021,008 | ---- | C] (Microsoft Corporation)
Pixloc.dll -> %SystemRoot%\System\Pixloc.dll -> [2009/04/22 12:41:41 | 00,016,064 | ---- | C] (Pixel Translations Incorporated)
twpix32.dll -> %SystemRoot%\System32\twpix32.dll -> [2009/04/22 12:41:40 | 00,184,320 | ---- | C] (Input Software Inc.)
PIXN1120.DLL -> %SystemRoot%\System32\PIXN1120.DLL -> [2009/04/22 12:41:40 | 00,180,224 | ---- | C] (Pegasus Imaging Corp.)
PIXN1520.DLL -> %SystemRoot%\System32\PIXN1520.DLL -> [2009/04/22 12:41:40 | 00,176,128 | ---- | C] (Pegasus Imaging Corp.)
PIXN1020.DLL -> %SystemRoot%\System32\PIXN1020.DLL -> [2009/04/22 12:41:40 | 00,155,648 | ---- | C] (Pegasus Imaging Corp.)
PIXN1320.DLL -> %SystemRoot%\System32\PIXN1320.DLL -> [2009/04/22 12:41:40 | 00,114,688 | ---- | C] (Pegasus Imaging Corp.)
Wiaext32.dll -> %SystemRoot%\System32\Wiaext32.dll -> [2009/04/22 12:41:40 | 00,098,304 | ---- | C] (Cornerstone Imaging, Inc.)
PIXN20.DLL -> %SystemRoot%\System32\PIXN20.DLL -> [2009/04/22 12:41:40 | 00,051,712 | ---- | C] (Pegasus Imaging Corp.)
pixtran -> %SystemRoot%\pixtran -> [2009/04/22 12:41:40 | 00,000,000 | ---D | C]
Canon Electronics -> %ProgramFiles%\Canon Electronics -> [2009/04/22 12:41:38 | 00,000,000 | ---D | C]
All Wells -> %UserProfile%\My Documents\All Wells -> [2009/04/22 11:16:48 | 00,000,000 | ---D | C]
Clay JOA's -> %UserProfile%\My Documents\Clay JOA's -> [2009/04/20 16:59:29 | 00,000,000 | ---D | C]
Shortcut to Clay 11A-1.lnk -> %UserProfile%\Desktop\Shortcut to Clay 11A-1.lnk -> [2009/04/20 16:55:30 | 00,000,257 | ---- | C] ()
projected ira.xls -> %UserProfile%\My Documents\projected ira.xls -> [2009/04/14 15:33:39 | 00,048,640 | ---- | C] ()
Map98.INI -> %SystemRoot%\Map98.INI -> [2008/11/19 17:34:51 | 00,000,349 | ---- | C] ()
vshp1020.dll -> %SystemRoot%\System32\vshp1020.dll -> [2008/11/18 13:19:28 | 00,106,496 | R--- | C] ()
iPlayer.INI -> %SystemRoot%\iPlayer.INI -> [2007/09/08 21:31:34 | 00,000,000 | ---- | C] ()
SmartAudio.INI -> %SystemRoot%\SmartAudio.INI -> [2007/01/06 23:46:24 | 00,000,027 | ---- | C] ()
QUICKEN.INI -> %SystemRoot%\QUICKEN.INI -> [2006/08/19 05:08:37 | 00,000,166 | ---- | C] ()
NSSetDefaultBrowser.ini -> %SystemRoot%\NSSetDefaultBrowser.ini -> [2006/08/19 05:03:23 | 00,000,698 | ---- | C] ()
ODBC.INI -> %SystemRoot%\ODBC.INI -> [2006/08/19 04:48:13 | 00,000,376 | ---- | C] ()
oeminfo.ini -> %SystemRoot%\System32\oeminfo.ini -> [2006/08/19 04:43:52 | 00,028,836 | ---- | C] ()
smscfg.ini -> %SystemRoot%\smscfg.ini -> [2006/05/10 09:23:38 | 00,000,061 | ---- | C] ()
WININIT.INI -> %SystemRoot%\WININIT.INI -> [2006/05/10 08:46:02 | 00,000,257 | ---- | C] ()
orun32.ini -> %SystemRoot%\orun32.ini -> [2006/05/10 08:42:38 | 00,000,780 | ---- | C] ()
win.ini -> %SystemRoot%\win.ini -> [2006/05/10 08:25:36 | 00,000,482 | ---- | C] ()
system.ini -> %SystemRoot%\system.ini -> [2006/05/10 01:16:26 | 00,000,227 | ---- | C] ()
px.ini -> %SystemRoot%\System32\px.ini -> [2005/12/02 13:09:10 | 00,000,000 | ---- | C] ()
qt-mt331.dll -> %SystemRoot%\System32\qt-mt331.dll -> [2004/09/16 15:24:26 | 03,375,104 | ---- | C] ()
kqfpqyei.dll -> %SystemRoot%\System32\kqfpqyei.dll -> [2004/08/04 16:00:00 | 00,143,872 | ---- | C] ()
uxehitb.dll -> %SystemRoot%\System32\uxehitb.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | C] ()
rtqwryr.dll -> %SystemRoot%\System32\rtqwryr.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | C] ()
[Files/Folders - Modified Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
4 C:\Documents and Settings\Rob\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Rob\Local Settings\Temp\*.tmp ->
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/04/27 08:31:45 | 00,665,196 | ---- | M] ()
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2009/04/27 08:31:17 | 35,477,808 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/04/27 07:22:50 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/04/27 07:22:47 | 00,002,048 | --S- | M] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/04/27 07:22:43 | 52,650,3936 | -HS- | M] ()
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2009/04/27 07:22:43 | 00,270,984 | ---- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/04/27 07:21:32 | 07,340,032 | -H-- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/04/27 07:21:32 | 00,000,178 | -HS- | M] ()
OTMoveIt3.exe -> %UserProfile%\Desktop\OTMoveIt3.exe -> [2009/04/27 06:55:19 | 00,389,632 | ---- | M] (OldTimer Tools)
Norton PC Checkup Weekend Scanner.job -> %SystemRoot%\tasks\Norton PC Checkup Weekend Scanner.job -> [2009/04/26 15:46:00 | 00,000,342 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/04/26 14:37:01 | 00,000,227 | ---- | M] ()
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [2009/04/26 14:36:30 | 00,000,027 | ---- | M] ()
Perflib_Perfdata__755.dat -> %UserProfile%\Local Settings\Temp\Perflib_Perfdata__755.dat -> [2009/04/26 14:32:53 | 00,060,416 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2009/04/26 09:59:25 | 00,000,281 | RHS- | M] ()
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/04/26 09:51:32 | 03,006,230 | R--- | M] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2009/04/26 09:46:25 | 00,434,673 | ---- | M] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2009/04/26 09:46:25 | 00,032,111 | ---- | M] ()
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2009/04/26 09:42:25 | 06,061,540 | ---- | M] ()
WININIT.INI -> %SystemRoot%\WININIT.INI -> [2009/04/25 17:51:26 | 00,000,257 | ---- | M] ()
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/04/25 13:59:03 | 00,111,104 | ---- | M] ()
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/04/25 09:32:06 | 00,001,734 | ---- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/04/25 09:27:56 | 00,439,376 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/04/25 09:27:56 | 00,380,918 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/04/25 09:27:56 | 00,053,166 | ---- | M] ()
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/04/25 09:20:06 | 00,000,611 | ---- | M] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 09:20:06 | 00,000,592 | ---- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2009/04/24 18:30:21 | 00,000,482 | ---- | M] ()
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/04/24 18:30:21 | 00,000,211 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/04/24 18:02:55 | 00,004,232 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/04/24 18:02:53 | 00,005,338 | ---- | M] ()
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/04/23 22:55:56 | 00,001,374 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/04/23 22:50:50 | 00,001,158 | ---- | M] ()
spider.sav -> %UserProfile%\My Documents\spider.sav -> [2009/04/23 16:55:40 | 00,000,532 | ---- | M] ()
SetScan.ini -> %SystemRoot%\SetScan.ini -> [2009/04/23 13:26:35 | 00,000,140 | ---- | M] ()
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 10:10:29 | 00,000,696 | ---- | M] ()
Shortcut (2) to All Wells.lnk -> %UserProfile%\Desktop\Shortcut (2) to All Wells.lnk -> [2009/04/22 15:39:36 | 00,000,254 | ---- | M] ()
pixcache.ini -> %SystemRoot%\pixcache.ini -> [2009/04/22 12:47:17 | 00,004,969 | ---- | M] ()
Shortcut to Clay 11A-1.lnk -> %UserProfile%\Desktop\Shortcut to Clay 11A-1.lnk -> [2009/04/20 16:55:30 | 00,000,257 | ---- | M] ()
projected ira.xls -> %UserProfile%\My Documents\projected ira.xls -> [2009/04/14 15:33:39 | 00,048,640 | ---- | M] ()
DRU Sec._12-3N-6W__Lots[1].doc -> %UserProfile%\Desktop\DRU Sec._12-3N-6W__Lots[1].doc -> [2009/04/07 09:46:16 | 02,120,192 | ---- | M] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation)
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/04/06 07:57:26 | 24,921,544 | ---- | M] (Microsoft Corporation)
data.dat -> %AllUsersProfile%\Application Data\Microsoft\Office\Data\data.dat -> [2006/12/16 18:56:01 | 00,001,372 | ---- | M] ()
[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000001b
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
< Document and Settings folder & sub folders >
scanning hidden files ...
C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD 101 bytes
C:\Documents and Settings\Rob\Favorites\Driving Directions from 8505 Sw 36th St, Oklahoma City, OK to Buffalo, OK.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\amazon.com Used and New PELICAN ACCESSORIES PL-2050 Xbox Edge Wireless Controller.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\corporate name changes index.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\County Clerk Public Records - various counties.url:favicon 2806 bytes
C:\Documents and Settings\Rob\Favorites\MSN.com.url:favicon 3638 bytes
C:\Documents and Settings\Rob\Favorites\Quick Sand 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Quick Sand Pyro 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Square Feet to Acres conversion calculator - Area conversions.url:favicon 3638 bytes
C:\Documents and Settings\Rob\Favorites\Super Crazy Guitar 2 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Treasure of Cutlass Reef 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Game Giveaway of the Day.url:favicon 2038 bytes
C:\Documents and Settings\Rob\Favorites\Grow Island 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\http--www.playlist.com-.url:favicon 1150 bytes
C:\Documents and Settings\Rob\Favorites\Land to Acre Conversion Calculator.url:favicon 822 bytes
scan completed successfully
hidden files: 67
[Alternate Data Streams]
@Alternate Data Stream - 101 bytes -> %AllUsersProfile%\Application Data\TEMP:7E95B6FD
< End of report >
Hi Richue
1 - Run OTScanIt2
Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} [HKLM] -> %SystemRoot%\system32\rtqwryr.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> tqqujzct -> %SystemRoot%\system32\rtqwryr.dll
[Files/Folders - Created Within 30 Days]
NY -> kqfpqyei.dll -> %SystemRoot%\System32\kqfpqyei.dll
NY -> uxehitb.dll -> %SystemRoot%\System32\uxehitb.dll
NY -> rtqwryr.dll -> %SystemRoot%\System32\rtqwryr.dll
[Files/Folders - Modified Within 30 Days]
NY -> qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
[Alternate Data Streams]
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\Application Data\TEMP:7E95B6FD
The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back with a fresh HiJackThis log
Thanks peku006
Greetings Peku006
I pasted the code into OTSanIt2, clicked Run fix. Got message that reboot was needed. Rebooted and got error message again: "The application or DLL c:\windows\system32\uxehitb.dll is not a valid Windows image.Please check this against your installation diskette".
It seems OTMoveIt3 was running again.Notepad opened with:04272009_072654.log
========== FILES ==========
LoadLibrary failed for c:\windows\system32\rtqwryr.dll
c:\windows\system32\rtqwryr.dll NOT unregistered.
File move failed. c:\windows\system32\rtqwryr.dll scheduled to be moved on reboot.
========== REGISTRY ==========
Unable to delete registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct\\ .
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04272009_072654
Files moved on Reboot...
LoadLibrary failed for c:\windows\system32\rtqwryr.dll
c:\windows\system32\rtqwryr.dll NOT unregistered.
File move failed. c:\windows\system32\rtqwryr.dll scheduled to be moved on reboot.
Then notepad oopened 04272009_134729.log
[Registry - Safe List]
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}\ scheduled to be deleted on reboot.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}\ .
File move failed. C:\WINDOWS\system32\rtqwryr.dll scheduled to be moved on reboot.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tqqujzct\ scheduled to be deleted on reboot.
File move failed. C:\WINDOWS\system32\rtqwryr.dll scheduled to be moved on reboot.
[Files/Folders - Created Within 30 Days]
File move failed. C:\WINDOWS\System32\kqfpqyei.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\uxehitb.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\rtqwryr.dll scheduled to be moved on reboot.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD deleted successfully.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.14.0 fix logfile created on 04272009_134729
Files moved on Reboot...
File move failed. C:\WINDOWS\system32\rtqwryr.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\kqfpqyei.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\uxehitb.dll scheduled to be moved on reboot.
Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}\ scheduled to be deleted on reboot.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}\ .
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tqqujzct\ scheduled to be deleted on reboot.
Here is the latest HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:33 PM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OTScanIt] "C:\Documents and Settings\Rob\Desktop\OTScanIt2\OTScanIt2.exe"
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 7213 bytes
Thanks again, I am not sure what you mean by page 2 does not show, do I need to repost something?
HiRichue
I am not sure what you mean by page 2 does not show, do I need to repost something?
it is not for you, I had to write one more message since my last message was not visible
Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
Do not use the NTREGOPT that comes with the installation package.
Please download erunt-setup.exe (http://aumha.org/downloads/erunt-setup.exe) to your desktop.
Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt
When we are finished, you may, remove ERUNT using Add/Remove Programs (http://www.bleepingcomputer.com/forums/topic42133.html).
Download The Avenger and Run Script
Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
Right click avenger.zip and extract the contents to your desktop
Start the Avenger.exe.
Copy all the text contained in the qoute box below to your Clipboard by highlighting it, right clicking and selecting Copy:
Registry keys to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct
Files to delete:
c:\windows\system32\rtqwryr.dll
Click http://s296.photobucket.com/albums/mm195/DaPropagandaPanda/th_AvengerPasteFromClipBoard.jpg to paste the script from the clipboard.
Click the Execute button
Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.
The Avenger will do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt . Post back with it in your next reply, with a fresh HiJackThis log
Thanks peku006
Hi Peku006
I already had Erunt installed.I had it create a fresh reg backup then ran Avenger with code supplied. Upon reboot OTScanIt2 opened up and nothing would happen until I closed it. (On a side note it seems I am having to right click where I would usually use a left click while some os these programs are running) When I closed it the log opened:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not open file "c:\windows\system32\rtqwryr.dll"
Deletion of file "c:\windows\system32\rtqwryr.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not open registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
Completed script processing.
*******************
Finished! Terminate.
[B]Here is the latest HiJackThis Log[B]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:00 PM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 7066 bytes
As always, Thank you for your time.
Hi Richue
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:file
c:\windows\system32\rtqwryr.dll
:reg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt
Thanks peku006
Hello Peku006
Here is the log as requested:
SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 07:22 on 28/04/2009 by Rob (Administrator - Elevation successful)
========== file ==========
c:\windows\system32\rtqwryr.dll - File found and opened.
MD5: E7C653D660393316877F11C109D39908
Created at 21:00 on 04/08/2004
Modified at 21:00 on 04/08/2004
Size: 104448 bytes
Attributes: --a---
No version information available.
========== reg ==========
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
"Asynchronous"= 0x00000000 (0)
"DLLName"="rtqwryr.dll"
"Impersonate"= 0x00000000 (0)
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
-=End Of File=-
Many thanks, richue
Hi Richue
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:regfind
kqfpqyei.dll
uxehitb.dll
rtqwryr.dll
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt
Thanks peku006
Hello Peku006,
I did as instructed however I kept getting a Microsoft error " Sytem Querying Tool has encountered a problem and needs to close..."
I tried inserting each dll individually but got the same results.
I tried a registry search for kqfpqyei.dll via regedit and it did find it.
Thanks richue
Hi Richue
Let´s try this......
Please download GMER (http://gmer.net/gmer.zip) by GMER. An alternate download site (http://www2.gmer.net/).
Unzip it to a folder on your desktop.
Double click on gmer.exe to execute.
If asked, allow the gmer.sys driver load.
If you get a warning prompt about rootkit activity ... asking if you want to run Scan, click OK.
If you don't get a warning then... Click the Rootkit/Malware tab at the top of the GMER window.
Click the Scan button. Once the scan has finished... click Copy. ... Do not close the GMER window yet...
Open Notepad and paste what you copied. Ctrl+V
Select "Save As" in Notepad...saving the file to your desktop as "gmerroot.txt"... then close Notepad.
In the GMER window...
Click on the >>> tab at the top of the GMER window.
This displays the rest of the "selection" tabs for you.
Click on the Autostart tab.
Click on Scan button.
Once the scan has finished... click Copy.
Open Notepad (again) and paste what you copied. Ctrl+V
Select "Save As" in Notepad...saving the file to your desktop as "gmerauto.txt"
Copy and paste the contents of the files gmerroot.txt and gmerauto.txt in you next reply.
Thanks peku006
Hi Richue
I made a mistake:banghead:...it is not necessary to download the GMER....
thanks to Shaba :flowers:..........again
here’s what we do next.
1 - Run CFScript
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Driver::
wlubdewd
File::
c:\windows\system32\drivers\wlubdewd.sys
c:\windows\system32\rtqwryr.dll
C:\WINDOWS\System32\kqfpqyei.dll
C:\WINDOWS\System32\uxehitb.dll
C:\WINDOWS\System32\rtqwryr.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
FCopy::
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Application Data\tcbjmqlj
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Thanks peku006
Here is gmerroot:
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-28 13:30:39
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B0BD9 7 Bytes JMP 82FB5AF8
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
And gmerauto
GMER 1.0.15.14966 - http://www.gmer.net
Autostart scan 2009-04-28 13:33:05
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
avgrsstarter@DLLName = avgrsstx.dll
igfxcui@DLLName = igfxdev.dll
tqqujzct@DLLName = rtqwryr.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
avg8emc@ = C:\PROGRA~1\AVG\AVG8\avgemc.exe
avg8wd@ = C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
hpqwmiex@ = C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@hpWirelessAssistantC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe = C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
@SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
@igfxtrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@igfxhkcmdC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@igfxpersC:\WINDOWS\system32\igfxpers.exe = C:\WINDOWS\system32\igfxpers.exe
@High Definition Audio Property Page ShortcutCHDAudPropShortcut.exe = CHDAudPropShortcut.exe
@SynTPEnhC:\Program Files\Synaptics\SynTP\SynTPEnh.exe = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
@ISUSPM Startup"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
@ISUSScheduler"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
@QlbCtrl%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start /*file not found*/ = %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start /*file not found*/
@CpqsetC:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe ? ??L?@ ??hX? `?@ L?@ = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe ? ??L?@ ??hX? `?@ L?@
@RecGuardC:\Windows\SMINST\RecGuard.exe = C:\Windows\SMINST\RecGuard.exe
@SynTPStartC:\Program Files\Synaptics\SynTP\SynTPStart.exe = C:\Program Files\Synaptics\SynTP\SynTPStart.exe
@CANON DR2080C SVCrundll32.exe DR2KSVC.dll,EntryPointUserMessage = rundll32.exe DR2KSVC.dll,EntryPointUserMessage
@AVG8_TRAYC:\PROGRA~1\AVG\AVG8\avgtray.exe = C:\PROGRA~1\AVG\AVG8\avgtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Program Files\Synaptics\SynTP\SynTPCpl.dll = C:\Program Files\Synaptics\SynTP\SynTPCpl.dll
@{7F67036B-66F1-411A-AD85-759FB9C5B0DB} /*ShellViewRTF*/C:\WINDOWS\system32\ShellvRTF.dll = C:\WINDOWS\system32\ShellvRTF.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG8 Shell Extension*/C:\Program Files\AVG\AVG8\avgse.dll = C:\Program Files\AVG\AVG8\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG8 Find Extension*/(null) =
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}C:\Program Files\AVG\AVG8\avgssie.dll = C:\Program Files\AVG\AVG8\avgssie.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
@{A057A204-BACC-4D26-9990-79A187E2698E}C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL = C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
@{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}c:\windows\system32\rtqwryr.dll = c:\windows\system32\rtqwryr.dll
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
linkscanner@CLSID = C:\Program Files\AVG\AVG8\avgpp.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll
---- EOF - GMER 1.0.15 ----
Sorry for the delay, it was a lengthy scan. I just read your last post and will follow through.
Hello Peku006, Here is the Combofix.txt
ComboFix 09-04-25.A3 - Rob 04/28/2009 13:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.110 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system32\drivers\wlubdewd.sys
c:\windows\System32\kqfpqyei.dll
c:\windows\System32\rtqwryr.dll
c:\windows\System32\uxehitb.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\wlubdewd.sys
c:\windows\System32\kqfpqyei.dll
c:\windows\System32\rtqwryr.dll
c:\windows\System32\uxehitb.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WLUBDEWD
-------\Service_wlubdewd
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.
2009-04-27 18:47 . 2009-04-27 18:47 -------- d-----w C:\_OTScanIt
2009-04-27 12:07 . 2009-04-27 12:07 -------- d-----w C:\_OTMoveIt
2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-28 13:48 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-26 14:42 . 2009-04-26 14:48 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 18:47 . 2004-08-04 21:00 23424 ----a-w c:\windows\system32\drivers\qerpuylv.sys
2009-04-27 20:17 . 2009-04-27 20:17 2502 ----a-w C:\avenger.txt
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 14:23 . 2009-04-25 03:49 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:09 . 2006-08-19 08:16 -------- d-----w c:\program files\Java
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-26_15.03.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-05-10 13:29 . 2009-04-27 20:17 270984 c:\windows\system32\FNTCACHE.DAT
- 2006-05-10 13:29 . 2009-04-24 03:58 270984 c:\windows\system32\FNTCACHE.DAT
+ 2009-04-27 20:12 . 2009-04-27 20:12 241664 c:\windows\ERDNT\4-27-2009\Users\00000002\UsrClass.dat
+ 2009-04-27 20:12 . 2005-10-20 17:02 163328 c:\windows\ERDNT\4-27-2009\ERDNT.EXE
+ 2009-04-27 20:12 . 2009-04-27 20:12 7102464 c:\windows\ERDNT\4-27-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - WLUBDEWD
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 13:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???hX??????`?@?????L?@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-04-28 13:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 18:54
ComboFix2.txt 2009-04-26 19:40
ComboFix3.txt 2009-04-26 15:06
Pre-Run: 35,038,318,592 bytes free
Post-Run: 34,941,464,576 bytes free
239
That looked promising!
Hi Richue
finally they are gone......:bow:
We will run one online scan to be sure that there is nothing left.
1 - Update Java
Please download JavaRa (http://prm753.bchea.org/click/click.php?id=9) and unzip it to your desktop.
Double-click on JavaRa.exe to start the program.
Click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
A log file will pop up. Please save it to a convenient location.
Download the latest version of Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.
2 - Clean temp files
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
3 - Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
5 - Status Check
Please reply with
1. the Kaspersky online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?
Thanks peku006
Hello Peku006, I am having problems with step 1 , every time I run Javara.exe and click on remove older versions,I get Microsoft error "Javara has encountered a problem and needs to close...". Rebooting did not help. I am also still getting warning message that autochk file could not be found skipping autocheck. this comes up momentarily right before login screen. I did not try to proceed past step 1.
Thanks richue
Hi Peku006, one other thing, I see JRE 6 Update 13 on the link you supplied but I do not see anything regarding "allows end-users to run Java applications". I want to make sure I download the correct one.
Thanks richue
Hi Richue
I am having problems with step 1
you can uninstall them manually
Control Panel-> add/remove programs , and uninstall any old versions
I want to make sure I download the correct one.
it is this
JDK 6 Update 13 with JavaFX SDK
For your convenience, Sun has bundled Update 13 of the JDK (the Java development platform) and the JavaFX 1.1 SDK, which provides the JavaFX functionality needed to develop RIAs directly. Each product included is subject to its own license.
Thanks peku006
Hello again Peku006,
Here is Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 29, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 14:13:39
Records in database: 2092713
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 89335
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:59:16
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_wlubdewd_.sys.zip Infected: Trojan.Win32.BHO.ext 1
The selected area was scanned.
And the Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:58 AM, on 4/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 6798 bytes
Still get error about file sytemroot......system32/autochk.exe not found.
Sorry I did not write down entire path.
Thank ypu so much,
richue
Hi Richue
Run CFScript
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
DeQuarantine::
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Application Data\tcbjmqlj
Quit::
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at DeQuarantine_log.txt which I will require in your next reply.
Thanks peku006
Hello Peku006,
Combofix created this log:
ComboFix 09-04-25.A3 - Rob 04/29/2009 11:49.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.169 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-29 12:34 . 2009-04-29 12:34 -------- d-----w c:\program files\JavaFX
2009-04-29 12:29 . 2009-04-29 12:29 -------- d-----w c:\program files\Sun
2009-04-29 12:29 . 2009-04-29 12:29 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-29 12:29 . 2009-04-29 12:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 12:27 . 2009-04-29 12:29 -------- d-----w c:\program files\Java
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1C.tmp
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1B.tmp
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1A.tmp
2009-04-27 18:47 . 2009-04-27 18:47 -------- d-----w C:\_OTScanIt
2009-04-27 12:07 . 2009-04-27 12:07 -------- d-----w C:\_OTMoveIt
2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-29 14:54 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-26 14:42 . 2009-04-26 14:48 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 12:11 . 2009-04-28 22:27 1375 ----a-w C:\JavaRa.log
2009-04-28 18:47 . 2004-08-04 21:00 23424 ----a-w c:\windows\system32\drivers\qerpuylv.sys
2009-04-27 20:17 . 2009-04-27 20:17 2502 ----a-w C:\avenger.txt
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 14:23 . 2009-04-25 03:49 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-26_15.03.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 16:12 . 2009-04-29 16:12 16384 c:\windows\temp\Perflib_Perfdata_e4.dat
+ 2009-04-29 12:34 . 2009-04-29 12:34 10134 c:\windows\Installer\{7396F7C8-EDD8-4473-BF6A-2CE4996716E1}\SystemFolder_msiexec.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 148888 c:\windows\system32\javaws.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 144792 c:\windows\system32\javaw.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 144792 c:\windows\system32\java.exe
- 2006-05-10 13:29 . 2009-04-24 03:58 270984 c:\windows\system32\FNTCACHE.DAT
+ 2006-05-10 13:29 . 2009-04-27 20:17 270984 c:\windows\system32\FNTCACHE.DAT
+ 2009-04-27 20:12 . 2009-04-27 20:12 241664 c:\windows\ERDNT\4-27-2009\Users\00000002\UsrClass.dat
+ 2009-04-27 20:12 . 2005-10-20 17:02 163328 c:\windows\ERDNT\4-27-2009\ERDNT.EXE
+ 2009-04-27 20:12 . 2009-04-27 20:12 7102464 c:\windows\ERDNT\4-27-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-29 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 11:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????J??????`?@?????L?@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-04-29 11:54
ComboFix-quarantined-files.txt 2009-04-29 16:53
ComboFix2.txt 2009-04-28 18:54
ComboFix3.txt 2009-04-26 19:40
ComboFix4.txt 2009-04-26 15:06
Pre-Run: 34,428,092,416 bytes free
Post-Run: 34,478,981,120 bytes free
220
I did not see a dequarantine_log.txt
Thank you,
richue
HiRichue
CFScript.txt Failed......
delete the old CFScript.txt (s) from your desktop and we're going to make a new one
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
DeQuarantine::
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\Rob\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
C:\Qoobox\Quarantine\c:\documents and settings\NetworkService\Application Data\tcbjmqlj
Quit::
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at DeQuarantine_log.txt which I will require in your next reply.
next yours "autochk.exe not found" error
Click Erunt.exe to backup your registry to the folder of your choice
Open Notepad and copy the contents of the following box to a new file.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"AutoChkTimeOut"=dword:0000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCScan"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6c,00,\
65,00,61,00,6e,00,6d,00,67,00,72,00,2e,00,65,00,78,00,65,00,20,00,2f,00,44,\
00,20,00,25,00,63,00,00,00
Save it as fix.reg (save type: "All files" (*.*)) to your desktop.
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Go to Desktop, double-click fix.reg and merge the infomation with the registry.
After that, Reboot.
Logs look good. How's the computer running now? Any problems?
Thanks peku006
Hello Peku006,
Computer running fine, no apparent problems. Autochk problem solved. Looks like CFScript.txt failed again. Here is the log produced:
ComboFix 09-04-25.A3 - Rob 04/29/2009 13:07.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.182 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-29 12:34 . 2009-04-29 12:34 -------- d-----w c:\program files\JavaFX
2009-04-29 12:29 . 2009-04-29 12:29 -------- d-----w c:\program files\Sun
2009-04-29 12:29 . 2009-04-29 12:29 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-29 12:29 . 2009-04-29 12:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 12:27 . 2009-04-29 12:29 -------- d-----w c:\program files\Java
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1C.tmp
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1B.tmp
2009-04-29 12:02 . 2009-04-29 12:02 0 ----a-w c:\windows\system32\REN1A.tmp
2009-04-27 18:47 . 2009-04-27 18:47 -------- d-----w C:\_OTScanIt
2009-04-27 12:07 . 2009-04-27 12:07 -------- d-----w C:\_OTMoveIt
2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-29 14:54 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-26 14:42 . 2009-04-26 14:48 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 12:11 . 2009-04-28 22:27 1375 ----a-w C:\JavaRa.log
2009-04-28 18:47 . 2004-08-04 21:00 23424 ----a-w c:\windows\system32\drivers\qerpuylv.sys
2009-04-27 20:17 . 2009-04-27 20:17 2502 ----a-w C:\avenger.txt
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 14:23 . 2009-04-25 03:49 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-26_15.03.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 18:05 . 2009-04-29 18:05 16384 c:\windows\temp\Perflib_Perfdata_8c.dat
+ 2009-04-29 12:34 . 2009-04-29 12:34 10134 c:\windows\Installer\{7396F7C8-EDD8-4473-BF6A-2CE4996716E1}\SystemFolder_msiexec.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 148888 c:\windows\system32\javaws.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 144792 c:\windows\system32\javaw.exe
+ 2009-04-29 12:29 . 2009-04-29 12:29 144792 c:\windows\system32\java.exe
+ 2006-05-10 13:29 . 2009-04-27 20:17 270984 c:\windows\system32\FNTCACHE.DAT
- 2006-05-10 13:29 . 2009-04-24 03:58 270984 c:\windows\system32\FNTCACHE.DAT
+ 2009-04-29 18:00 . 2009-04-29 18:00 249856 c:\windows\ERDNT\4-29-2009\Users\00000002\UsrClass.dat
+ 2009-04-29 18:00 . 2005-10-20 17:02 163328 c:\windows\ERDNT\4-29-2009\ERDNT.EXE
+ 2009-04-27 20:12 . 2009-04-27 20:12 241664 c:\windows\ERDNT\4-27-2009\Users\00000002\UsrClass.dat
+ 2009-04-27 20:12 . 2005-10-20 17:02 163328 c:\windows\ERDNT\4-27-2009\ERDNT.EXE
+ 2009-04-29 18:00 . 2009-04-29 18:00 7102464 c:\windows\ERDNT\4-29-2009\Users\00000001\NTUSER.DAT
+ 2009-04-27 20:12 . 2009-04-27 20:12 7102464 c:\windows\ERDNT\4-27-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-29 148888]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 13:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????J??????`?@?????L?@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-04-29 13:11
ComboFix-quarantined-files.txt 2009-04-29 18:11
ComboFix2.txt 2009-04-29 17:58
ComboFix3.txt 2009-04-29 16:54
ComboFix4.txt 2009-04-28 18:54
ComboFix5.txt 2009-04-29 18:06
Pre-Run: 34,386,071,552 bytes free
Post-Run: 34,367,717,376 bytes free
227
Thanks a million,
richue
Hi Richue
Great that your machine is running better now
Please do this: Click Start, Run, and in the Open box enter the below:
notepad C:\Qoobox\ComboFix-quarantined-files.txt
Copy and paste the info for your hosts file back here
Thanks peku006
Hello Peku006,
Here is the info requested:
2009-04-28 18:52:53 . 2009-04-28 18:52:53 434 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}.reg.dat
2009-04-28 18:48:42 . 2009-04-28 18:48:42 7,168 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_wlubdewd.reg.dat
2009-04-28 18:48:42 . 2009-04-28 18:48:42 1,276 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_WLUBDEWD.reg.dat
2009-04-28 18:47:12 . 2009-04-28 18:47:12 81,104 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_uxehitb_.dll.zip
2009-04-28 18:47:10 . 2009-04-28 18:47:11 304,908 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_rtqwryr_.dll.zip
2009-04-28 18:47:07 . 2009-04-28 18:47:07 141,726 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_kqfpqyei_.dll.zip
2009-04-28 18:47:04 . 2009-04-28 18:47:04 11,443 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_wlubdewd_.sys.zip
2009-04-26 15:04:20 . 2009-04-26 15:04:20 270 ----a-w C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2009-04-26 15:03:41 . 2004-04-30 19:01:14 53 ----a-w C:\Qoobox\Quarantine\D\Autorun.inf.vir
2009-04-26 15:02:19 . 2009-04-29 18:09:09 6,353 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-26 14:57:12 . 2009-04-29 18:06:38 1,619 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-04-24 20:39:44 . 2009-04-24 20:39:44 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\prefs.js.vir
2009-04-24 20:30:26 . 2009-04-24 20:39:50 4,491 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\pluginreg.dat.vir
2009-04-24 20:30:10 . 2009-04-24 20:30:10 569 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\localstore.rdf.vir
2009-04-24 20:30:00 . 2009-04-24 20:42:34 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\webappsstore.sqlite.vir
2009-04-24 20:30:00 . 2009-04-24 20:30:00 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\formhistory.sqlite.vir
2009-04-24 20:29:56 . 2009-04-24 20:39:58 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal.vir
2009-04-24 20:29:56 . 2009-04-24 20:39:58 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite.vir
2009-04-24 20:29:56 . 2009-04-24 20:31:59 32,768 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\urlclassifier3.sqlite.vir
2009-04-24 20:29:56 . 2009-04-24 20:29:56 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\key3.db.vir
2009-04-24 20:29:56 . 2009-04-24 20:31:59 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cert8.db.vir
2009-04-24 20:29:56 . 2009-04-24 20:29:56 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\secmod.db.vir
2009-04-24 20:29:55 . 2009-04-24 20:43:08 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cookies.sqlite.vir
2009-04-24 20:29:53 . 2009-04-24 20:29:53 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\permissions.sqlite.vir
2009-04-24 20:29:53 . 2009-04-24 20:39:43 127,885 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compreg.dat.vir
2009-04-24 20:29:53 . 2009-04-24 20:43:08 438,116 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\XPC.mfl.vir
2009-04-24 20:29:52 . 2009-04-24 20:39:43 96,173 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\xpti.dat.vir
2009-04-24 20:29:51 . 2009-04-24 20:39:43 207 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compatibility.ini.vir
2009-04-24 20:29:51 . 2009-04-24 20:29:51 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\profiles.ini.vir
2009-04-24 03:56:29 . 2009-04-24 03:56:29 788 ----a-w C:\Qoobox\Quarantine\C\727f743fab11e26b7bbd0a\$shtdwn$.req.vir
2009-04-23 16:29:01 . 2009-04-23 16:29:01 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\prefs.js.vir
2009-04-23 15:24:28 . 2009-04-23 15:24:28 569 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\localstore.rdf.vir
2009-04-23 15:24:19 . 2009-04-23 16:29:05 4,491 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\pluginreg.dat.vir
2009-04-23 15:24:17 . 2009-04-23 16:31:40 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\webappsstore.sqlite.vir
2009-04-23 15:24:17 . 2009-04-23 15:24:17 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\formhistory.sqlite.vir
2009-04-23 15:24:15 . 2009-04-23 16:33:02 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite-journal.vir
2009-04-23 15:24:15 . 2009-04-23 16:29:08 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite.vir
2009-04-23 15:24:15 . 2009-04-23 15:26:20 32,768 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\urlclassifier3.sqlite.vir
2009-04-23 15:24:15 . 2009-04-23 15:24:15 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\key3.db.vir
2009-04-23 15:24:15 . 2009-04-23 15:26:20 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cert8.db.vir
2009-04-23 15:24:14 . 2009-04-23 15:24:14 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\secmod.db.vir
2009-04-23 15:24:14 . 2009-04-23 16:33:43 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cookies.sqlite.vir
2009-04-23 15:24:13 . 2009-04-23 15:24:13 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\permissions.sqlite.vir
2009-04-23 15:24:13 . 2009-04-23 16:29:00 127,885 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compreg.dat.vir
2009-04-23 15:24:12 . 2009-04-23 16:29:15 378,058 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\XPC.mfl.vir
2009-04-23 15:24:12 . 2009-04-23 16:29:00 96,173 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\xpti.dat.vir
2009-04-23 15:24:12 . 2009-04-23 16:29:00 207 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compatibility.ini.vir
2009-04-23 15:24:12 . 2009-04-23 15:24:12 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\profiles.ini.vir
2009-04-23 14:58:54 . 2009-04-23 14:58:54 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\nfr.gpref.vir
2009-04-23 14:04:52 . 2009-04-23 14:04:52 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\nfr.assembly.vir
2009-04-23 14:04:38 . 2009-04-23 14:04:38 140 ----a-w C:\Qoobox\Quarantine\C\pch.bat.vir
2009-04-23 14:03:05 . 2009-04-25 23:49:37 434 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At1.job.vir
2009-04-22 17:44:04 . 2006-05-17 02:40:20 49,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXTHK32.DLL.vir
2009-04-22 17:44:04 . 2006-05-17 02:40:20 102,672 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXTIFFN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXRAMN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXSLN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXPANN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 209,168 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXNOTEN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 74,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXNAMEN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:20 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXMPN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 233,744 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXMDLN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 45,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXMDLGN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 57,616 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXLZWN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 463,120 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXJP2K.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 119,056 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXJBGN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 69,904 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXDLGN.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 94,480 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXAPS.DLL.vir
2009-04-22 17:44:03 . 2006-05-17 02:40:18 753,936 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXANNOT.DLL.vir
2009-04-22 17:41:42 . 2006-05-17 02:40:20 53,520 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXPERMN.DLL.vir
2009-04-22 17:41:42 . 2006-05-17 02:40:18 74,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXLOCN.DLL.vir
2009-04-22 17:41:42 . 2006-05-17 02:40:18 221,456 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\PIXDFLTN.DLL.vir
2009-04-06 12:57:26 . 2009-04-06 12:57:26 24,921,544 ----a-w C:\Qoobox\Quarantine\C\727f743fab11e26b7bbd0a\mrt.exe.vir
2009-04-06 12:57:24 . 2009-04-06 12:57:24 25,032 ----a-w C:\Qoobox\Quarantine\C\727f743fab11e26b7bbd0a\mrtstub.exe.vir
2004-08-04 21:00:00 . 2004-08-04 21:00:00 23,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\wlubdewd.sys.vir
2004-08-04 21:00:00 . 2004-08-04 21:00:00 143,872 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\kqfpqyei.dll.vir
2004-08-04 21:00:00 . 2004-08-04 21:00:00 104,448 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\rtqwryr.dll.vir
2004-08-04 21:00:00 . 2004-08-04 21:00:00 104,448 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\uxehitb.dll.vir
THANK YOU,
richue
Hi Richue
this is my last attempt......:wink:
delete the old CFScript.txt from your desktop and we're going to make a new one
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\prefs.js.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\pluginreg.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\localstore.rdf.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\webappsstore.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\formhistory.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\urlclassifier3.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\key3.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cert8.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\secmod.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cookies.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\permissions.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compreg.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\XPC.mfl.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\xpti.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compatibility.ini.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\profiles.ini.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\prefs.js.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\localstore.rdf.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\pluginreg.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\webappsstore.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\formhistory.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite-journal.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\urlclassifier3.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\key3.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cert8.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\secmod.db.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cookies.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\permissions.sqlite.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compreg.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\XPC.mfl.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\xpti.dat.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compatibility.ini.vir
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\profiles.ini
Quit::
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at DeQuarantine_log.txt which I will require in your next reply.
Thanks peku006
Success!!
dequarantine_log:
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cert8.db.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cert8.db ( 65536 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compatibility.ini.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compatibility.ini ( 207 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compreg.dat.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compreg.dat ( 127885 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cookies.sqlite.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cookies.sqlite ( 2048 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\formhistory.sqlite.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\formhistory.sqlite ( 4096 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\key3.db.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\key3.db ( 16384 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\localstore.rdf.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\localstore.rdf ( 569 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\permissions.sqlite.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\permissions.sqlite ( 2048 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite-journal.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite-journal ( 0 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite ( 131072 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\pluginreg.dat.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\pluginreg.dat ( 4491 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\prefs.js.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\prefs.js ( 367 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\secmod.db.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\secmod.db ( 16384 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\webappsstore.sqlite.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\webappsstore.sqlite ( 2048 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\xpti.dat.vir -> C:\Documents and Settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\xpti.dat ( 96173 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\urlclassifier3.sqlite.vir -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\urlclassifier3.sqlite ( 32768 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\XPC.mfl.vir -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\XPC.mfl ( 378058 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\profiles.ini.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\profiles.ini ( 111 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cert8.db.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cert8.db ( 65536 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compatibility.ini.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compatibility.ini ( 207 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compreg.dat.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compreg.dat ( 127885 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cookies.sqlite.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cookies.sqlite ( 2048 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\formhistory.sqlite.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\formhistory.sqlite ( 4096 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\key3.db.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\key3.db ( 16384 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\localstore.rdf.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\localstore.rdf ( 569 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\permissions.sqlite.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\permissions.sqlite ( 2048 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal ( 0 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite ( 131072 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\pluginreg.dat.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\pluginreg.dat ( 4491 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\prefs.js.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\prefs.js ( 367 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\secmod.db.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\secmod.db ( 16384 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\webappsstore.sqlite.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\webappsstore.sqlite ( 2048 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\xpti.dat.vir -> C:\Documents and Settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\xpti.dat ( 96173 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\urlclassifier3.sqlite.vir -> C:\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\urlclassifier3.sqlite ( 32768 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\XPC.mfl.vir -> C:\Documents and Settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\XPC.mfl ( 438116 bytes )
Thank you
richue
Hi Richue
The scans are fine and it looks like your machine is clean :yahoo:
To remove all of the tools we used and the files and folders they created do the following:
Double-click OTMoveIt3.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:
Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.
Here are some free programs I recommend that could help you improve your computer's security.
Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Install SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)
Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.
Happy safe surfing! :bigthumb:
Greetings Peku006,
I do not know how to thank you enough for all your time and effort! All seems well and I will take your advice about prevention.You guys are awesome.
Thanks again,
richue :)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.