Virtumonde will not die

Richue

Thank you in advance for trying to help me! Spybot detects Virtumonde but is unable to remove it. I have tried Malwarebytes and VundoFix to no avail. I am unable to change Kqfpqyei.dll and rtqwryr.dll in any way. When the computer boots I briefly get a warning that the Autochk.exe file cannot be found, before the logon screen.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:06 AM, on 4/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 6245 bytes
 
Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

  • If you don't know or understand something please don't hesitate to ask
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

There is no sign of an antivirus installed on your system. There are several reasons for it. Either you have disabled your antivirus or there's no antivirus installed.

If you have disabled it, please re-enable it. If you have no antivirus installed, please get ONE antivirus and install it. Restart the computer for changes to take effect.

avast! 4 Home Edition
AntiVir Free Edition

1 - Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RcAuto1.gif)


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot: whatnext.png)

  • Click on Yes, to continue scanning for malware.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
 
Thank you very much for your time and help. Here is the Combofix log and HijackThis log. I have AVG running now.

ComboFix 09-04-25.A3 - Rob 04/26/2009 10:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.163 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\PIXANNOT.DLL
c:\windows\system32\PIXAPS.DLL
c:\windows\system32\PIXDFLTN.DLL
c:\windows\system32\PIXDLGN.DLL
c:\windows\system32\PIXJBGN.DLL
c:\windows\system32\PIXJP2K.DLL
c:\windows\system32\PIXLOCN.DLL
c:\windows\system32\PIXLZWN.DLL
c:\windows\system32\PIXMDLGN.DLL
c:\windows\system32\PIXMDLN.DLL
c:\windows\system32\PIXMPN.DLL
c:\windows\system32\PIXNAMEN.DLL
c:\windows\system32\PIXNOTEN.DLL
c:\windows\system32\PIXPANN.DLL
c:\windows\system32\PIXPERMN.DLL
c:\windows\system32\PIXRAMN.DLL
c:\windows\system32\PIXSLN.DLL
c:\windows\system32\PIXTHK32.DLL
c:\windows\system32\PIXTIFFN.DLL
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-26 14:48 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-26 14:42 . 2009-04-26 14:46 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 20:29 . 2009-04-24 20:29 -------- d-----w c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
2009-04-24 20:29 . 2009-04-24 20:29 -------- d-----w c:\documents and settings\Rob\Application Data\tcbjmqlj
2009-04-24 03:56 . 2009-04-24 03:56 -------- d-----w C:\727f743fab11e26b7bbd0a
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:24 . 2009-04-23 15:24 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
2009-04-23 15:24 . 2009-04-23 15:24 -------- d-----w c:\documents and settings\NetworkService\Application Data\tcbjmqlj
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 14:04 . 2009-04-23 14:04 140 ----a-w C:\pch.bat
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 14:23 . 2009-04-25 03:49 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:09 . 2006-08-19 08:16 -------- d-----w c:\program files\Java
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}]
2004-08-04 21:00 104448 ----a-w c:\windows\system32\rtqwryr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
2004-08-04 21:00 104448 ----a-w c:\windows\system32\rtqwryr.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

S0 wlubdewd;wlubdewd;c:\windows\system32\drivers\wlubdewd.sys [2004-08-04 23424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVG8EMC
*NewlyCreated* - AVG8WD
*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGMFX86
*NewlyCreated* - AVGTDIX

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sibblcbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\At1.job
- c:\windows\system32\rtqwryr.dll [2004-08-04 21:00]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 10:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???hX??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2009-04-26 10:06
ComboFix-quarantined-files.txt 2009-04-26 15:05

Pre-Run: 34,779,660,288 bytes free
Post-Run: 35,197,505,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

252


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:15 AM, on 4/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 7127 bytes
 
Hi Richue

AVG is a good choice :yes:

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\pch.bat
c:\windows\system32\rtqwryr.dll
c:\windows\Tasks\At1.job

Folder::
c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
c:\documents and settings\Rob\Application Data\tcbjmqlj
C:\727f743fab11e26b7bbd0a
c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
c:\documents and settings\NetworkService\Application Data\tcbjmqlj

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]

NetSvc::
sibblcbe

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Run Malwarebytes' Anti-Malware
  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has completed, select the Scanner tab.
  • Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.

    mbam1.png

  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log

Thanks peku006
 
Hello Peku006

Here is the combofix log:

ComboFix 09-04-25.A3 - Rob 04/26/2009 14:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.133 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\pch.bat
c:\windows\system32\rtqwryr.dll
c:\windows\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\727f743fab11e26b7bbd0a
c:\727f743fab11e26b7bbd0a\$shtdwn$.req
c:\727f743fab11e26b7bbd0a\mrt.exe
c:\727f743fab11e26b7bbd0a\mrtstub.exe
c:\documents and settings\NetworkService\Application Data\tcbjmqlj
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\profiles.ini
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cert8.db
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\key3.db
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\prefs.js
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\secmod.db
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\tcbjmqlj\Profiles\exei5vml.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj
c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\tcbjmqlj\Profiles\exei5vml.default\XPC.mfl
c:\documents and settings\Rob\Application Data\tcbjmqlj
c:\documents and settings\Rob\Application Data\tcbjmqlj\profiles.ini
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cert8.db
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compatibility.ini
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\compreg.dat
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\cookies.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\formhistory.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\key3.db
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\localstore.rdf
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\permissions.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite-journal
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\places.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\pluginreg.dat
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\prefs.js
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\secmod.db
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\webappsstore.sqlite
c:\documents and settings\Rob\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\xpti.dat
c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj
c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\urlclassifier3.sqlite
c:\documents and settings\Rob\Local Settings\Application Data\tcbjmqlj\Profiles\4yh5evsl.default\XPC.mfl
C:\pch.bat
c:\windows\Tasks\At1.job
c:\windows\system32\rtqwryr.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-25 14:20 . 2009-04-25 14:20 -------- d-----w c:\program files\ERUNT
2009-04-25 03:49 . 2009-04-25 14:23 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 01:23 . 2009-04-25 02:33 -------- d-----w C:\VundoFix Backups
2009-04-24 03:52 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-24 03:52 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-24 03:52 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 03:52 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-24 03:52 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-24 03:52 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 03:52 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-24 03:52 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-24 03:52 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-24 03:51 . 2009-03-27 07:09 1193414 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-24 03:51 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\Rob\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 15:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 15:10 . 2009-04-23 15:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:46 . 2009-04-22 17:47 4969 ----a-w c:\windows\pixcache.ini
2009-04-22 17:46 . 2009-04-22 17:47 -------- d-----w c:\documents and settings\Rob\Application Data\Canon Electronics
2009-04-22 17:44 . 2006-05-17 02:23 6416 ----a-w c:\windows\system32\PIXTHK16.DLL
2009-04-22 17:44 . 2006-05-17 02:22 231552 ----a-w c:\windows\system32\PIXDFLT.DLL
2009-04-22 17:44 . 2006-05-17 02:22 23152 ----a-w c:\windows\system32\PIXPERM.DLL
2009-04-22 17:44 . 2006-05-17 02:22 16048 ----a-w c:\windows\system32\PIXLOC.DLL
2009-04-22 17:44 . 2006-05-17 02:19 21008 ----a-w c:\windows\system32\CTL3D.DLL
2009-04-22 17:44 . 2005-02-10 23:17 11968 ----a-w c:\windows\system32\PIXMDLLC.CPL
2009-04-22 17:44 . 2006-05-17 02:19 51959 ----a-w c:\windows\system32\PIXNAME.HLP
2009-04-22 17:44 . 2006-05-17 02:19 327680 ----a-w c:\windows\system32\PIXJP2KI.DLL
2009-04-22 17:43 . 2007-01-29 19:34 61440 ----a-w c:\windows\system32\SuStiUtl.dll
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 17:42 . 2004-08-04 03:58 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 17:42 . 2009-04-23 18:26 140 ----a-w c:\windows\SetScan.ini
2009-04-22 17:42 . 2007-03-02 17:40 229376 ----a-w c:\windows\system32\DR2KSVC.dll
2009-04-22 17:42 . 2006-09-11 19:12 45056 ----a-w c:\windows\system32\WNASPI32.DLL
2009-04-22 17:42 . 2006-09-11 19:12 16512 ----a-w c:\windows\system32\drivers\ASPI32.SYS
2009-04-22 17:42 . 2006-08-10 15:36 42536 ----a-w c:\windows\system32\CeiUSB.dll
2009-04-22 17:42 . 2006-09-21 13:44 83496 ----a-w c:\windows\system32\CaDRcpl.dll
2009-04-22 17:42 . 2006-06-13 19:33 157224 ----a-w c:\windows\system32\CeiSCSI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 14:48 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\Rob\Application Data\AVGTOOLBAR
2009-04-26 14:42 . 2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 14:42 . 2009-04-26 14:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-26 14:42 . 2009-04-26 14:42 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\program files\AVG
2009-04-26 14:42 . 2009-04-26 14:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-25 14:32 . 2009-04-25 14:32 -------- d-----w c:\program files\Trend Micro
2009-04-25 01:41 . 2009-04-25 01:23 391 ----a-w C:\VundoFix.txt
2009-04-24 23:09 . 2006-08-19 08:16 -------- d-----w c:\program files\Java
2009-04-24 23:04 . 2006-08-19 09:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 13:50 . 2006-08-19 09:25 -------- d-----w c:\program files\Hewlett-Packard
2009-04-24 03:59 . 2007-10-24 19:02 -------- d-----w c:\documents and settings\Rob\Application Data\U3
2009-04-24 03:47 . 2007-10-15 01:49 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-24 03:45 . 2007-10-15 01:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 17:43 . 2009-04-22 17:41 -------- d-----w c:\program files\Canon Electronics
2009-04-22 17:43 . 2006-08-19 08:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:00 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-11-08 03:03 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 09:26 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 09:25 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-10 23:31 . 2009-02-10 23:31 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-04 21:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-08-17 12:28 728576 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-04 21:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-04 21:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2007-02-28 09:55 2186112 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 10:32 . 2004-08-04 21:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:29 . 2007-02-28 09:53 2142720 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:22 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2007-02-28 09:15 2020864 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 09:49 . 2007-02-28 09:15 2062976 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 09:49 . 2004-08-04 21:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-04 21:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-16 22:31 . 2008-10-16 22:17 30 ----a-w c:\documents and settings\Rob\jagex_runescape_preferences.dat
2008-08-14 00:09 . 2008-10-13 00:09 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-02-12 20:53 . 2006-12-15 20:35 67680 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-09 19:09 . 2007-01-26 21:25 13012 ----a-w c:\documents and settings\Rob\Bubblets.dat
2006-12-15 20:37 . 2006-12-15 20:35 126 ----a-w c:\documents and settings\Rob\Local Settings\Application Data\fusioncache.dat
2006-08-19 10:22 . 2009-04-25 03:09 49632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 09:22 . 2009-04-25 03:09 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2006-12-16 22:52 . 2006-12-16 22:52 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}]
2004-08-04 21:00 104448 ----a-w c:\windows\system32\rtqwryr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-26 1932568]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"CANON DR2080C SVC"="DR2KSVC.dll" - c:\windows\system32\DR2KSVC.dll [2007-03-02 229376]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 14:42 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
2004-08-04 21:00 104448 ----a-w c:\windows\system32\rtqwryr.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Rob\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

S0 wlubdewd;wlubdewd;c:\windows\system32\drivers\wlubdewd.sys [2004-08-04 23424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-26 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-26 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-26 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-26 298264]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a262d412-8263-11dc-b587-0014a5d1302c}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 14:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???hX??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-04-26 14:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 19:40
ComboFix2.txt 2009-04-26 15:06

Pre-Run: 35,188,015,104 bytes free
Post-Run: 35,144,679,424 bytes free

265
:oreo:
and the Malwarebytes log:
Malwarebytes' Anti-Malware 1.36
Database version: 2045
Windows 5.1.2600 Service Pack 2

4/26/2009 3:18:41 PM
mbam-log-2009-04-26 (15-18-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 171243
Time elapsed: 31 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bdba0dfb-8b5f-47e2-9d77-cb181749b4de} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tqqujzct (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{bdba0dfb-8b5f-47e2-9d77-cb181749b4de} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\rtqwryr.dll (Trojan.Vundo.H) -> Delete on reboot.

:oreo:
and finally the latest HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:36 PM, on 4/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 7099 bytes

I did receive a message that "some items could not be removed but would be on reboot" during the Malwarebytes scan. I ran HijackThis after the reboot.

Thanks
 
Hi Richue

1- Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe.
  • Copy the lines in the codebox below.
Code:
:files
c:\windows\system32\rtqwryr.dll

:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

2 - Run HijackThis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

3 - Status Check
Please reply with


1. the OTMoveIt3 log
2. a fresh HijackThis log

Thanks peku006
 
As always, thanks for your time and patience.
I ran OTMoveIt3.exe, pasted the text from the codebox, clicked Moveit!, then got this error message:
The application or DLL c:\windows\system32\uxehitb.dll is not a valid Windows image. Please check this against your installation diskette

OTMoveIt3log:

========== FILES ==========
LoadLibrary failed for c:\windows\system32\rtqwryr.dll
c:\windows\system32\rtqwryr.dll NOT unregistered.
File move failed. c:\windows\system32\rtqwryr.dll scheduled to be moved on reboot.
========== REGISTRY ==========
Unable to delete registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct\\ .

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04272009_070749

I then rebooted and tried again with the same results. Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:42 AM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OTMoveIt] C:\Documents and Settings\Rob\Desktop\OTMoveIt3.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 7152 bytes
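The OTMoveIt3 script in the previous reply targets the O20 Winlogon Notify entry for rtqwryr.dll and its tqqujzct key, and the log above shows the same DLL also registered as a BHO with "(no name)" and an IE ProxyServer set to localhost:7171. As an added example (not code from this thread, from HijackThis or from OldTimer's tools), here is a small Python triage script that pulls exactly those signals out of HijackThis log lines: a BHO with no display name, one system32 DLL hooked by more than one mechanism, and a proxy pointing at the local machine. The sample lines are copied from the logs posted in this thread; the scoring rules are this example's own and are hints for a human reviewer, not a verdict.

```python
"""HijackThis log triage (added example; not code from this thread, HijackThis or OTMoveIt)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: lines copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
"""

# Line shapes HijackThis uses for the three entry types this example looks at.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<data>.+)$")


@dataclass
class DllFacts:
    """Everything the log tells us about one DLL, keyed by its file name."""
    hooks: set = field(default_factory=set)           # hook types referencing it: "O2", "O20"
    notify_subkeys: set = field(default_factory=set)  # Winlogon\Notify subkey names
    nameless_bho: bool = False
    path: str = ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def parse_log(text: str):
    """Collect per-DLL facts and IE ProxyServer values from HijackThis lines."""
    dlls = defaultdict(DllFacts)
    proxies = []
    for line in text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            f = dlls[basename(m["path"])]
            f.hooks.add("O2")
            f.path = m["path"]
            f.nameless_bho |= m["name"].strip().lower() == "(no name)"
        elif m := NOTIFY_RE.match(line):
            f = dlls[basename(m["path"])]
            f.hooks.add("O20")
            f.path = m["path"]
            f.notify_subkeys.add(m["subkey"])
        elif m := PROXY_RE.match(line):
            proxies.append(m["data"].strip())
    return dlls, proxies


def triage(text: str):
    """Return [(item, [reasons])] for entries that deserve a closer look."""
    dlls, proxies = parse_log(text)
    findings = []
    for name, f in sorted(dlls.items()):
        reasons = []
        if f.nameless_bho:
            reasons.append("BHO registered without a display name")
        # A DLL that is both a BHO and a Winlogon Notify handler survives Explorer/IE
        # being closed, which is why a file move alone keeps failing in the thread.
        if len(f.hooks) >= 2 and in_system32(f.path):
            reasons.append("one system32 DLL hooked through " + "+".join(sorted(f.hooks)))
        if reasons:
            findings.append((name, reasons))
    for data in proxies:
        # A proxy on the local machine means some local process is sitting in front of IE.
        if re.search(r"localhost|127\.0\.0\.1", data, re.I):
            findings.append(("ProxyServer", [f"IE proxy points at the local machine: {data}"]))
    return findings


def suspicious_items(text: str):
    return [name for name, _ in triage(text)]


if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_LOG):
        print(item)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the script reports rtqwryr.dll (nameless BHO, hooked through O2 and O20) and the localhost ProxyServer, while AVG's avgrsstx.dll and the Adobe BHO pass. Feed it a whole saved log with `triage(open("hijackthis.log").read())`; anything it names still needs the usual checks (file vendor, age, what Winlogon subkey points at it) before it is removed.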
 
Hi Richue
"strange" error message, let us take a deeper look.

OTScanIt2...by OldTimer.

Please download OTScanIt2 from Geeks to Go by OldTimer. Alternate download site.
Save it to your desktop.
  1. Double click on OTScanIt2.exe to run it.
  2. Click on Extract. Once done, when prompted, click OK and click Close.
    This is a self-extracting file...It will create a folder named OTScanIt2 on your desktop.
  3. Double click on the OTScanIt2 folder to open... then double click on OTScanIt2.exe to run it.
  4. Under Rootkit Search, select Yes.
  5. Click on Run Scan at the top left hand corner. It may take a few minutes...be patient, let it run.
  6. When done, Notepad will open with the log file "OTScanIt.Txt" contents.
Please post the contents of the OTScanIt.Txt Notepad file in your next reply.

Thanks peku006
 
Hello Peku006,

Here is the OTScanIt.txt:
Code:
OTScanIt2 logfile created on: 4/27/2009 8:33:33 AM - Run 1
OTScanIt2 by OldTimer - Version 1.0.14.0     Folder = C:\Documents and Settings\Rob\Desktop\OTScanIt2
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
502.05 Mb Total Physical Memory | 126.78 Mb Available Physical Memory | 25.25% Memory free
1.20 Gb Paging File | 0.84 Gb Available in Paging File | 69.98% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 47.74 Gb Total Space | 32.71 Gb Free Space | 68.53% Space Free | Partition Type: NTFS
Drive D: | 8.13 Gb Total Space | 1.03 Gb Free Space | 12.71% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: PC161035812295
Current User Name: Rob
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
 
[Processes - Safe List]
avgcsrvx.exe -> %ProgramFiles%\AVG\AVG8\avgcsrvx.exe -> [2009/04/26 09:42:15 | 00,691,992 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgemc.exe -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgnsx.exe -> %ProgramFiles%\AVG\AVG8\avgnsx.exe -> [2009/04/26 09:42:15 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsx.exe -> %ProgramFiles%\AVG\AVG8\avgrsx.exe -> [2009/04/26 09:42:15 | 00,485,144 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtray.exe -> %ProgramFiles%\AVG\AVG8\avgtray.exe -> [2009/04/26 09:42:12 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/26 09:42:11 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
explorer.exe -> %SystemRoot%\Explorer.EXE -> [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
hkcmd.exe -> %SystemRoot%\system32\hkcmd.exe -> [2006/03/23 07:13:40 | 00,077,824 | ---- | M] (Intel Corporation)
hp wireless assistant.exe -> %ProgramFiles%\hpq\HP Wireless Assistant\HP Wireless Assistant.exe -> [2006/05/04 00:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.)
hpqtoa~1.exe -> %ProgramFiles%\HPQ\Shared\HpqToaster.exe -> [2005/12/23 23:44:26 | 00,491,606 | ---- | M] ()
hpqwmiex.exe -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.)
iexplore.exe -> %ProgramFiles%\Internet Explorer\iexplore.exe -> [2009/02/27 23:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation)
igfxpers.exe -> %SystemRoot%\system32\igfxpers.exe -> [2006/03/23 07:17:50 | 00,118,784 | ---- | M] (Intel Corporation)
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> [2005/08/11 18:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation)
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/04/11 16:32:52 | 00,494,080 | ---- | M] (OldTimer Tools)
qlbctrl.exe -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe -> [2006/06/02 17:21:42 | 00,135,168 | ---- | M] ( Hewlett-Packard Development Company, L.P.)
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> [2007/09/15 03:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.)
wdfmgr.exe -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 15:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
wmiprvse.exe -> %SystemRoot%\system32\wbem\wmiprvse.exe -> [2009/02/06 04:41:05 | 00,227,840 | ---- | M] (Microsoft Corporation)
wscntfy.exe -> %SystemRoot%\system32\wscntfy.exe -> [2004/08/04 16:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation)
 
[Win32 Services - Safe List]
(AddFiltr) AddFiltr [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -> [2006/05/08 12:49:02 | 00,098,304 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -> [2004/07/15 11:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation)
(avg8emc) AVG Free8 E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
(avg8wd) AVG Free8 WatchDog [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/26 09:42:11 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
(gusvc) Google Updater Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2007/11/23 22:47:52 | 00,138,168 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2004/08/04 16:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation)
(hpqwmiex) hpqwmiex [Win32_Own | Auto | Running] -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> [2005/04/04 02:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 15:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
(Vongo Service) Vongo Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Vongo\VongoService.exe -> [2006/05/09 16:11:10 | 00,176,128 | ---- | M] (Starz Entertainment Group LLC)
 
[Driver Services - Safe List]
(AliIde) AliIde [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\aliide.sys -> [2001/08/17 23:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\amdagp.sys -> [2004/08/04 09:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(asc) asc [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc.sys -> [2001/08/17 23:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc3550.sys -> [2001/08/17 23:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(Aspi32) Aspi32 [Kernel | Auto | Running] -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [2006/09/11 14:12:26 | 00,016,512 | ---- | M] (Adaptec)
(AvgLdx86) AVG Free AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgMfx86) AVG Free On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> %SystemRoot%\System32\Drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgTdiX) AVG Free8 Network Redirector [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
(BCM43XX) Broadcom 802.11 Network Adapter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\bcmwl5.sys -> [2006/10/13 00:26:56 | 00,604,928 | ---- | M] (Broadcom Corporation)
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\cmdide.sys -> [2001/08/17 23:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\dac2w2k.sys -> [2001/08/17 23:52:16 | 00,179,584 | ---- | M] (Mylex Corporation)
(eabfiltr) eabfiltr [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\eabfiltr.sys -> [2005/09/19 16:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(eabusb) eabusb [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\eabusb.sys -> [2005/09/19 16:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(HBtnKey) HBtnKey [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\cpqbttn.sys -> [2005/09/19 16:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\CHDAud.sys -> [2007/05/01 02:11:54 | 00,630,272 | ---- | M] (Conexant Systems Inc.)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2005/01/07 19:07:18 | 00,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HSFHWAZL) HSFHWAZL [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSFHWAZL.sys -> [2005/08/21 19:06:16 | 00,201,600 | ---- | M] (Conexant Systems, Inc.)
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_DPV.sys -> [2005/08/21 19:07:00 | 01,035,008 | ---- | M] (Conexant Systems, Inc.)
(ialm) ialm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ialmnt5.sys -> [2006/03/23 07:47:06 | 01,166,972 | ---- | M] (Intel Corporation)
(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\iaStor.sys -> [2005/10/13 04:07:12 | 00,874,240 | ---- | M] (Intel Corporation)
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\mdmxsdk.sys -> [2006/02/14 14:57:46 | 00,012,672 | ---- | M] (Conexant)
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\mraid35x.sys -> [2001/08/17 23:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(NwlnkIpx) NWLink IPX/SPX/NetBIOS Compatible Transport Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkipx.sys -> [2004/08/04 16:00:00 | 00,088,448 | ---- | M] (Microsoft Corporation)
(NwlnkNb) NWLink NetBIOS [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnknb.sys -> [2004/08/04 16:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation)
(NwlnkSpx) NWLink SPX/SPXII Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkspx.sys -> [2004/08/04 16:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2004/08/04 16:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2005/06/20 19:05:58 | 00,020,640 | ---- | M] (Sonic Solutions)
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1080.sys -> [2001/08/17 23:52:20 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql12160.sys -> [2001/08/17 23:52:20 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1280.sys -> [2001/08/17 23:52:18 | 00,049,024 | ---- | M] (QLogic Corporation)
(RTL8023xp) Realtek 10/100/1000 PCI NIC Family NDIS XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\Rtnicxp.sys -> [2007/08/22 13:51:38 | 00,097,152 | ---- | M] (Realtek Semiconductor Corporation                           )
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\RTL8139.SYS -> [2004/08/04 01:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sisagp.sys -> [2004/08/04 09:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation)
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sparrow.sys -> [2001/08/18 00:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(symc810) symc810 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc810.sys -> [2001/08/18 00:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc8xx.sys -> [2001/08/18 00:07:36 | 00,032,640 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_hi.sys -> [2001/08/18 00:07:40 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_u3.sys -> [2001/08/18 00:07:42 | 00,030,688 | ---- | M] (LSI Logic)
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\SynTP.sys -> [2007/09/15 03:09:44 | 00,213,696 | ---- | M] (Synaptics, Inc.)
(ultra) ultra [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ultra.sys -> [2001/08/17 23:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_CNXT.sys -> [2005/08/21 19:06:10 | 00,718,464 | ---- | M] (Conexant Systems, Inc.)
(wlubdewd) wlubdewd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\wlubdewd.sys -> [2004/08/04 16:00:00 | 00,023,424 | ---- | M] (S3/Diamond Multimedia Systems)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type. -> 
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
HKEY_LOCAL_MACHINE\: "ProxyEnable" -> 1 -> 
HKEY_LOCAL_MACHINE\: "ProxyOverride" -> *.local;<local> -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local;<local> -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
< FireFox Extensions [User Folders] > -> 
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/12/18 04:16:42 | 00,059,032 | ---- | M] (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search] -> [2009/04/26 09:42:18 | 01,078,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> [2008/06/10 04:27:02 | 00,509,328 | ---- | M] (Sun Microsystems, Inc.)
{A057A204-BACC-4D26-9990-79A187E2698E} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} [HKLM] -> %SystemRoot%\system32\rtqwryr.dll [] -> [2004/08/04 16:00:00 | 00,104,448 | ---- | M] ()
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"AVG8_TRAY" -> %ProgramFiles%\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> [2009/04/26 09:42:12 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.)
"CANON DR2080C SVC" -> %SystemRoot%\system32\DR2KSVC.DLL [rundll32.exe DR2KSVC.dll,EntryPointUserMessage] -> [2007/03/02 12:40:36 | 00,229,376 | ---- | M] (Canon Electronics)
"Cpqset" -> %ProgramFiles%\Hewlett-Packard\Default Settings\cpqset.exe [C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe] -> [2006/06/19 12:50:40 | 00,040,960 | ---- | M] ()
"High Definition Audio Property Page Shortcut" -> %SystemRoot%\system32\CHDAudPropShortcut.exe [CHDAudPropShortcut.exe] -> [2006/06/02 10:02:50 | 00,061,952 | ---- | M] (Windows (R) Server 2003 DDK provider)
"hpWirelessAssistant" -> %ProgramFiles%\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe] -> [2006/05/04 00:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"igfxhkcmd" -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\system32\hkcmd.exe] -> [2006/03/23 07:13:40 | 00,077,824 | ---- | M] (Intel Corporation)
"igfxpers" -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\system32\igfxpers.exe] -> [2006/03/23 07:17:50 | 00,118,784 | ---- | M] (Intel Corporation)
"igfxtray" -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\system32\igfxtray.exe] -> [2006/03/23 07:17:04 | 00,094,208 | ---- | M] (Intel Corporation)
"ISUSPM Startup" -> %CommonProgramFiles%\InstallShield\UpdateService\isuspm.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup] -> [2005/08/11 18:30:30 | 00,249,856 | ---- | M] (Macrovision Corporation)
"ISUSScheduler" -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start] -> [2005/08/11 18:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation)
"QlbCtrl" ->  [%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start] -> File not found
"RecGuard" -> %SystemRoot%\SMINST\RecGuard.exe [C:\Windows\SMINST\RecGuard.exe] -> [2005/10/11 12:23:50 | 01,187,840 | ---- | M] ()
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
"SynTPEnh" -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> [2007/09/15 03:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.)
"SynTPStart" -> %ProgramFiles%\Synaptics\SynTP\SynTPStart.exe [C:\Program Files\Synaptics\SynTP\SynTPStart.exe] -> [2007/09/15 03:29:10 | 00,102,400 | ---- | M] (Synaptics, Inc.)
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 
"OTMoveIt" -> %UserProfile%\Desktop\OTMoveIt3.exe [C:\Documents and Settings\Rob\Desktop\OTMoveIt3.exe] -> [2009/04/27 06:55:19 | 00,389,632 | ---- | M] (OldTimer Tools)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< Rob Startup Folder > -> C:\Documents and Settings\Rob\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
\\"DisableRegistryTools" ->  [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\Office10\EXCEL.EXE [res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000] -> [2001/02/16 02:05:38 | 09,164,192 | R--- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Menu: Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5506 domain(s) found. -> 
50 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5501 domain(s) found. -> 
49 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{233C1507-6A77-46A4-9443-F871F945D258} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab [Shockwave ActiveX Control] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232901218718 [WUWebControl Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] -> 
{A90A5822-F108-45AD-8482-9BC8B12DD539} [HKLM] -> http://www.crucial.com/controls/cpcScanner.cab [Crucial cpcScan] -> 
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Java Plug-in 1.5.0_06] -> 
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab [Java Plug-in 1.6.0_01] -> 
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab [Java Plug-in 1.6.0_02] -> 
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] -> 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{4F861CE6-223A-4578-B2A7-69BD3BA7C5EF} ->    (Broadcom 802.11b/g WLAN) -> 
{828F6C98-926B-49AD-AE17-C88EF5588F55} ->    (Realtek RTL8139/810x Family Fast Ethernet NIC) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
avgrsstarter -> %SystemRoot%\system32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> [2006/03/23 07:12:42 | 00,139,264 | ---- | M] (Intel Corporation)
tqqujzct -> %SystemRoot%\system32\rtqwryr.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | M] ()
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/04 16:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\AVG\AVG8\avgemc.exe" -> C:\Program Files\AVG\AVG8\avgemc.exe [C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe] -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" -> C:\Program Files\AVG\AVG8\avgnsx.exe [C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe] -> [2009/04/26 09:42:15 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" -> C:\Program Files\AVG\AVG8\avgupd.exe [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe] -> [2009/04/26 09:42:12 | 01,057,048 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019] -> [2004/08/04 16:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
"AlternateShell" -> cmd.exe -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2004/08/04 16:00:00 | 00,049,536 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > ->  -> 
D:\AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ FAT32 ] -> [2001/07/27 22:07:38 | 00,000,000 | -HS- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
\F
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell
\F\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun
\F\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command
\F\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a] -> File not found
\{11653a28-c6ba-11db-b4ed-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}\Shell\AutoRun\command
\{11653a28-c6ba-11db-b4ed-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\setupSNK.exe [F:\setupSNK.exe] -> File not found
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\command
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a] -> File not found
\{a262d412-8263-11dc-b587-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\command
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe] -> File not found
 
 
[Files/Folders - Created Within 30 Days]
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/04/27 08:32:50 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/04/27 08:31:43 | 00,665,196 | ---- | C] ()
RECYCLER -> %SystemDrive%\RECYCLER -> [2009/04/27 07:19:58 | 00,000,000 | -HSD | C]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [2009/04/27 07:07:49 | 00,000,000 | ---D | C]
OTMoveIt3.exe -> %UserProfile%\Desktop\OTMoveIt3.exe -> [2009/04/27 06:55:18 | 00,389,632 | ---- | C] (OldTimer Tools)
temp -> %SystemRoot%\temp -> [2009/04/26 14:40:53 | 00,000,000 | ---D | C]
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/04/26 09:59:24 | 00,000,211 | ---- | C] ()
cmldr -> %SystemDrive%\cmldr -> [2009/04/26 09:59:18 | 00,260,272 | ---- | C] ()
cmdcons -> %SystemDrive%\cmdcons -> [2009/04/26 09:59:13 | 00,000,000 | RHSD | C]
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> [2009/04/26 09:57:19 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2009/04/26 09:57:19 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2009/04/26 09:57:19 | 00,136,704 | ---- | C] (SteelWerX)
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/04/26 09:57:19 | 00,111,104 | ---- | C] ()
sed.exe -> %SystemRoot%\sed.exe -> [2009/04/26 09:57:19 | 00,098,816 | ---- | C] ()
grep.exe -> %SystemRoot%\grep.exe -> [2009/04/26 09:57:19 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2009/04/26 09:57:19 | 00,068,096 | ---- | C] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/04/26 09:57:19 | 00,029,696 | ---- | C] (NirSoft)
Qoobox -> %SystemDrive%\Qoobox -> [2009/04/26 09:52:14 | 00,000,000 | ---D | C]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/04/26 09:51:20 | 03,006,230 | R--- | C] ()
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | C] (AVG Technologies CZ, s.r.o.)
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2009/04/26 09:42:25 | 35,477,808 | ---- | C] ()
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2009/04/26 09:42:25 | 06,061,540 | ---- | C] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2009/04/26 09:42:25 | 00,434,673 | ---- | C] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2009/04/26 09:42:25 | 00,032,111 | ---- | C] ()
AVGTOOLBAR -> %AppData%\AVGTOOLBAR -> [2009/04/26 09:42:25 | 00,000,000 | ---D | C]
Avg -> %SystemRoot%\System32\drivers\Avg -> [2009/04/26 09:42:25 | 00,000,000 | ---D | C]
AVG -> %ProgramFiles%\AVG -> [2009/04/26 09:42:11 | 00,000,000 | ---D | C]
avg8 -> %AllUsersProfile%\Application Data\avg8 -> [2009/04/26 09:42:10 | 00,000,000 | ---D | C]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/04/25 09:32:06 | 00,001,734 | ---- | C] ()
Trend Micro -> %ProgramFiles%\Trend Micro -> [2009/04/25 09:32:06 | 00,000,000 | ---D | C]
ERDNT -> %SystemRoot%\ERDNT -> [2009/04/25 09:26:21 | 00,000,000 | ---D | C]
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/04/25 09:20:06 | 00,000,611 | ---- | C] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 09:20:06 | 00,000,592 | ---- | C] ()
ERUNT -> %ProgramFiles%\ERUNT -> [2009/04/25 09:20:05 | 00,000,000 | ---D | C]
TEMP -> %AllUsersProfile%\Application Data\TEMP -> [2009/04/24 22:49:38 | 00,000,000 | ---D | C]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/04/24 22:29:23 | 52,650,3936 | -HS- | C] ()
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [2009/04/24 20:23:31 | 00,000,000 | ---D | C]
fastprox.dll -> %SystemRoot%\System32\dllcache\fastprox.dll -> [2009/04/23 22:52:08 | 00,473,088 | ---- | C] (Microsoft Corporation)
rpcss.dll -> %SystemRoot%\System32\dllcache\rpcss.dll -> [2009/04/23 22:52:08 | 00,401,408 | ---- | C] (Microsoft Corporation)
pdh.dll -> %SystemRoot%\System32\dllcache\pdh.dll -> [2009/04/23 22:52:08 | 00,284,160 | ---- | C] (Microsoft Corporation)
wmiprvse.exe -> %SystemRoot%\System32\dllcache\wmiprvse.exe -> [2009/04/23 22:52:08 | 00,227,840 | ---- | C] (Microsoft Corporation)
services.exe -> %SystemRoot%\System32\dllcache\services.exe -> [2009/04/23 22:52:08 | 00,110,592 | ---- | C] (Microsoft Corporation)
colbact.dll -> %SystemRoot%\System32\dllcache\colbact.dll -> [2009/04/23 22:52:08 | 00,060,416 | ---- | C] (Microsoft Corporation)
sc.exe -> %SystemRoot%\System32\dllcache\sc.exe -> [2009/04/23 22:52:08 | 00,035,328 | ---- | C] (Microsoft Corporation)
ntdll.dll -> %SystemRoot%\System32\dllcache\ntdll.dll -> [2009/04/23 22:52:07 | 00,715,264 | ---- | C] (Microsoft Corporation)
advapi32.dll -> %SystemRoot%\System32\dllcache\advapi32.dll -> [2009/04/23 22:52:07 | 00,617,984 | ---- | C] (Microsoft Corporation)
sysmain.sdb -> %SystemRoot%\System32\dllcache\sysmain.sdb -> [2009/04/23 22:51:39 | 01,193,414 | ---- | C] ()
wordpad.exe -> %SystemRoot%\System32\dllcache\wordpad.exe -> [2009/04/23 22:51:39 | 00,215,552 | ---- | C] (Microsoft Corporation)
Mozilla -> %AppData%\Mozilla -> [2009/04/23 10:22:29 | 00,000,000 | ---D | C]
Malwarebytes -> %AppData%\Malwarebytes -> [2009/04/23 10:10:31 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/23 10:10:29 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 10:10:29 | 00,000,696 | ---- | C] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/23 10:10:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/04/23 10:10:26 | 00,000,000 | ---D | C]
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware -> [2009/04/23 10:10:25 | 00,000,000 | ---D | C]
Shortcut (2) to All Wells.lnk -> %UserProfile%\Desktop\Shortcut (2) to All Wells.lnk -> [2009/04/22 15:39:36 | 00,000,254 | ---- | C] ()
pixcache.ini -> %SystemRoot%\pixcache.ini -> [2009/04/22 12:46:29 | 00,004,969 | ---- | C] ()
Canon Electronics -> %AppData%\Canon Electronics -> [2009/04/22 12:46:28 | 00,000,000 | ---D | C]
PIXDFLT.DLL -> %SystemRoot%\System32\PIXDFLT.DLL -> [2009/04/22 12:44:04 | 00,231,552 | ---- | C] (EMC Corporation)
PIXPERM.DLL -> %SystemRoot%\System32\PIXPERM.DLL -> [2009/04/22 12:44:04 | 00,023,152 | ---- | C] (EMC Corporation)
CTL3D.DLL -> %SystemRoot%\System32\CTL3D.DLL -> [2009/04/22 12:44:04 | 00,021,008 | ---- | C] (Microsoft Corporation)
PIXLOC.DLL -> %SystemRoot%\System32\PIXLOC.DLL -> [2009/04/22 12:44:04 | 00,016,048 | ---- | C] (EMC Corporation)
PIXMDLLC.CPL -> %SystemRoot%\System32\PIXMDLLC.CPL -> [2009/04/22 12:44:04 | 00,011,968 | ---- | C] (Pixel Translations Incorporated)
PIXTHK16.DLL -> %SystemRoot%\System32\PIXTHK16.DLL -> [2009/04/22 12:44:04 | 00,006,416 | ---- | C] (EMC Corporation)
PIXJP2KI.DLL -> %SystemRoot%\System32\PIXJP2KI.DLL -> [2009/04/22 12:44:03 | 00,327,680 | ---- | C] (The University of New South Wales)
PIXNAME.HLP -> %SystemRoot%\System32\PIXNAME.HLP -> [2009/04/22 12:44:03 | 00,051,959 | ---- | C] ()
SuStiUtl.dll -> %SystemRoot%\System32\SuStiUtl.dll -> [2009/04/22 12:43:59 | 00,061,440 | ---- | C] (Canon Electronics Inc.)
usbscan.sys -> %SystemRoot%\System32\drivers\usbscan.sys -> [2009/04/22 12:42:33 | 00,015,104 | ---- | C] (Microsoft Corporation)
usbscan.sys -> %SystemRoot%\System32\dllcache\usbscan.sys -> [2009/04/22 12:42:33 | 00,015,104 | ---- | C] (Microsoft Corporation)
DR2KSVC.dll -> %SystemRoot%\System32\DR2KSVC.dll -> [2009/04/22 12:42:13 | 00,229,376 | ---- | C] (Canon Electronics)
WNASPI32.DLL -> %SystemRoot%\System32\WNASPI32.DLL -> [2009/04/22 12:42:13 | 00,045,056 | ---- | C] (Adaptec)
CeiUSB.dll -> %SystemRoot%\System32\CeiUSB.dll -> [2009/04/22 12:42:13 | 00,042,536 | ---- | C] (Canon Electronics Inc.)
ASPI32.SYS -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [2009/04/22 12:42:13 | 00,016,512 | ---- | C] (Adaptec)
SetScan.ini -> %SystemRoot%\SetScan.ini -> [2009/04/22 12:42:13 | 00,000,140 | ---- | C] ()
CeiSCSI.dll -> %SystemRoot%\System32\CeiSCSI.dll -> [2009/04/22 12:42:12 | 00,157,224 | ---- | C] (Canon Electronics Inc.)
CaDRcpl.dll -> %SystemRoot%\System32\CaDRcpl.dll -> [2009/04/22 12:42:12 | 00,083,496 | ---- | C] (Canon Electronics Inc.)
qd1.dll -> %SystemRoot%\System32\qd1.dll -> [2009/04/22 12:41:42 | 00,504,080 | ---- | C] (Captiva Software Corp.)
Msvcrtd.dll -> %SystemRoot%\System32\Msvcrtd.dll -> [2009/04/22 12:41:41 | 00,401,484 | ---- | C] (Microsoft Corporation)
Pixdflt.dll -> %SystemRoot%\System\Pixdflt.dll -> [2009/04/22 12:41:41 | 00,231,552 | ---- | C] (Pixel Translations Incorporated)
canoit32.exe -> %SystemRoot%\System32\canoit32.exe -> [2009/04/22 12:41:41 | 00,045,056 | ---- | C] (CANON INC.)
Pixperm.dll -> %SystemRoot%\System\Pixperm.dll -> [2009/04/22 12:41:41 | 00,023,152 | ---- | C] (Pixel Translations Incorporated)
Ctl3d.dll -> %SystemRoot%\System\Ctl3d.dll -> [2009/04/22 12:41:41 | 00,021,008 | ---- | C] (Microsoft Corporation)
Pixloc.dll -> %SystemRoot%\System\Pixloc.dll -> [2009/04/22 12:41:41 | 00,016,064 | ---- | C] (Pixel Translations Incorporated)
twpix32.dll -> %SystemRoot%\System32\twpix32.dll -> [2009/04/22 12:41:40 | 00,184,320 | ---- | C] (Input Software Inc.)
PIXN1120.DLL -> %SystemRoot%\System32\PIXN1120.DLL -> [2009/04/22 12:41:40 | 00,180,224 | ---- | C] (Pegasus Imaging Corp.)
PIXN1520.DLL -> %SystemRoot%\System32\PIXN1520.DLL -> [2009/04/22 12:41:40 | 00,176,128 | ---- | C] (Pegasus Imaging Corp.)
PIXN1020.DLL -> %SystemRoot%\System32\PIXN1020.DLL -> [2009/04/22 12:41:40 | 00,155,648 | ---- | C] (Pegasus Imaging Corp.)
PIXN1320.DLL -> %SystemRoot%\System32\PIXN1320.DLL -> [2009/04/22 12:41:40 | 00,114,688 | ---- | C] (Pegasus Imaging Corp.)
Wiaext32.dll -> %SystemRoot%\System32\Wiaext32.dll -> [2009/04/22 12:41:40 | 00,098,304 | ---- | C] (Cornerstone Imaging, Inc.)
PIXN20.DLL -> %SystemRoot%\System32\PIXN20.DLL -> [2009/04/22 12:41:40 | 00,051,712 | ---- | C] (Pegasus Imaging Corp.)
pixtran -> %SystemRoot%\pixtran -> [2009/04/22 12:41:40 | 00,000,000 | ---D | C]
Canon Electronics -> %ProgramFiles%\Canon Electronics -> [2009/04/22 12:41:38 | 00,000,000 | ---D | C]
All Wells -> %UserProfile%\My Documents\All Wells -> [2009/04/22 11:16:48 | 00,000,000 | ---D | C]
Clay JOA's -> %UserProfile%\My Documents\Clay JOA's -> [2009/04/20 16:59:29 | 00,000,000 | ---D | C]
Shortcut to Clay 11A-1.lnk -> %UserProfile%\Desktop\Shortcut to Clay 11A-1.lnk -> [2009/04/20 16:55:30 | 00,000,257 | ---- | C] ()
projected ira.xls -> %UserProfile%\My Documents\projected ira.xls -> [2009/04/14 15:33:39 | 00,048,640 | ---- | C] ()
Map98.INI -> %SystemRoot%\Map98.INI -> [2008/11/19 17:34:51 | 00,000,349 | ---- | C] ()
vshp1020.dll -> %SystemRoot%\System32\vshp1020.dll -> [2008/11/18 13:19:28 | 00,106,496 | R--- | C] ()
iPlayer.INI -> %SystemRoot%\iPlayer.INI -> [2007/09/08 21:31:34 | 00,000,000 | ---- | C] ()
SmartAudio.INI -> %SystemRoot%\SmartAudio.INI -> [2007/01/06 23:46:24 | 00,000,027 | ---- | C] ()
QUICKEN.INI -> %SystemRoot%\QUICKEN.INI -> [2006/08/19 05:08:37 | 00,000,166 | ---- | C] ()
NSSetDefaultBrowser.ini -> %SystemRoot%\NSSetDefaultBrowser.ini -> [2006/08/19 05:03:23 | 00,000,698 | ---- | C] ()
ODBC.INI -> %SystemRoot%\ODBC.INI -> [2006/08/19 04:48:13 | 00,000,376 | ---- | C] ()
oeminfo.ini -> %SystemRoot%\System32\oeminfo.ini -> [2006/08/19 04:43:52 | 00,028,836 | ---- | C] ()
smscfg.ini -> %SystemRoot%\smscfg.ini -> [2006/05/10 09:23:38 | 00,000,061 | ---- | C] ()
WININIT.INI -> %SystemRoot%\WININIT.INI -> [2006/05/10 08:46:02 | 00,000,257 | ---- | C] ()
orun32.ini -> %SystemRoot%\orun32.ini -> [2006/05/10 08:42:38 | 00,000,780 | ---- | C] ()
win.ini -> %SystemRoot%\win.ini -> [2006/05/10 08:25:36 | 00,000,482 | ---- | C] ()
system.ini -> %SystemRoot%\system.ini -> [2006/05/10 01:16:26 | 00,000,227 | ---- | C] ()
px.ini -> %SystemRoot%\System32\px.ini -> [2005/12/02 13:09:10 | 00,000,000 | ---- | C] ()
qt-mt331.dll -> %SystemRoot%\System32\qt-mt331.dll -> [2004/09/16 15:24:26 | 03,375,104 | ---- | C] ()
kqfpqyei.dll -> %SystemRoot%\System32\kqfpqyei.dll -> [2004/08/04 16:00:00 | 00,143,872 | ---- | C] ()
uxehitb.dll -> %SystemRoot%\System32\uxehitb.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | C] ()
rtqwryr.dll -> %SystemRoot%\System32\rtqwryr.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | C] ()
 
[Files/Folders - Modified Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
4 C:\Documents and Settings\Rob\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Rob\Local Settings\Temp\*.tmp -> 
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/04/27 08:31:45 | 00,665,196 | ---- | M] ()
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2009/04/27 08:31:17 | 35,477,808 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/04/27 07:22:50 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/04/27 07:22:47 | 00,002,048 | --S- | M] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/04/27 07:22:43 | 52,650,3936 | -HS- | M] ()
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2009/04/27 07:22:43 | 00,270,984 | ---- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/04/27 07:21:32 | 07,340,032 | -H-- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/04/27 07:21:32 | 00,000,178 | -HS- | M] ()
OTMoveIt3.exe -> %UserProfile%\Desktop\OTMoveIt3.exe -> [2009/04/27 06:55:19 | 00,389,632 | ---- | M] (OldTimer Tools)
Norton PC Checkup Weekend Scanner.job -> %SystemRoot%\tasks\Norton PC Checkup Weekend Scanner.job -> [2009/04/26 15:46:00 | 00,000,342 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/04/26 14:37:01 | 00,000,227 | ---- | M] ()
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [2009/04/26 14:36:30 | 00,000,027 | ---- | M] ()
Perflib_Perfdata__755.dat -> %UserProfile%\Local Settings\Temp\Perflib_Perfdata__755.dat -> [2009/04/26 14:32:53 | 00,060,416 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2009/04/26 09:59:25 | 00,000,281 | RHS- | M] ()
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/04/26 09:51:32 | 03,006,230 | R--- | M] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2009/04/26 09:46:25 | 00,434,673 | ---- | M] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2009/04/26 09:46:25 | 00,032,111 | ---- | M] ()
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2009/04/26 09:42:25 | 06,061,540 | ---- | M] ()
WININIT.INI -> %SystemRoot%\WININIT.INI -> [2009/04/25 17:51:26 | 00,000,257 | ---- | M] ()
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/04/25 13:59:03 | 00,111,104 | ---- | M] ()
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/04/25 09:32:06 | 00,001,734 | ---- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/04/25 09:27:56 | 00,439,376 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/04/25 09:27:56 | 00,380,918 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/04/25 09:27:56 | 00,053,166 | ---- | M] ()
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/04/25 09:20:06 | 00,000,611 | ---- | M] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 09:20:06 | 00,000,592 | ---- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2009/04/24 18:30:21 | 00,000,482 | ---- | M] ()
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/04/24 18:30:21 | 00,000,211 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/04/24 18:02:55 | 00,004,232 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/04/24 18:02:53 | 00,005,338 | ---- | M] ()
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/04/23 22:55:56 | 00,001,374 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/04/23 22:50:50 | 00,001,158 | ---- | M] ()
spider.sav -> %UserProfile%\My Documents\spider.sav -> [2009/04/23 16:55:40 | 00,000,532 | ---- | M] ()
SetScan.ini -> %SystemRoot%\SetScan.ini -> [2009/04/23 13:26:35 | 00,000,140 | ---- | M] ()
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 10:10:29 | 00,000,696 | ---- | M] ()
Shortcut (2) to All Wells.lnk -> %UserProfile%\Desktop\Shortcut (2) to All Wells.lnk -> [2009/04/22 15:39:36 | 00,000,254 | ---- | M] ()
pixcache.ini -> %SystemRoot%\pixcache.ini -> [2009/04/22 12:47:17 | 00,004,969 | ---- | M] ()
Shortcut to Clay 11A-1.lnk -> %UserProfile%\Desktop\Shortcut to Clay 11A-1.lnk -> [2009/04/20 16:55:30 | 00,000,257 | ---- | M] ()
projected ira.xls -> %UserProfile%\My Documents\projected ira.xls -> [2009/04/14 15:33:39 | 00,048,640 | ---- | M] ()
DRU Sec._12-3N-6W__Lots[1].doc -> %UserProfile%\Desktop\DRU Sec._12-3N-6W__Lots[1].doc -> [2009/04/07 09:46:16 | 02,120,192 | ---- | M] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation)
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/04/06 07:57:26 | 24,921,544 | ---- | M] (Microsoft Corporation)
data.dat -> %AllUsersProfile%\Application Data\Microsoft\Office\Data\data.dat -> [2006/12/16 18:56:01 | 00,001,372 | ---- | M] ()
[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000001b
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
< Document and Settings folder & sub folders >
scanning hidden files ...
C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD 101 bytes
C:\Documents and Settings\Rob\Favorites\Driving Directions from 8505 Sw 36th St, Oklahoma City, OK to Buffalo, OK.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\amazon.com Used and New PELICAN ACCESSORIES PL-2050 Xbox Edge Wireless Controller.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\corporate name changes index.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\County Clerk Public Records - various counties.url:favicon 2806 bytes
C:\Documents and Settings\Rob\Favorites\MSN.com.url:favicon 3638 bytes
C:\Documents and Settings\Rob\Favorites\Quick Sand  1000+ Free Flash Games  Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Quick Sand Pyro  1000+ Free Flash Games  Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Square Feet to Acres conversion calculator - Area conversions.url:favicon 3638 bytes
C:\Documents and Settings\Rob\Favorites\Super Crazy Guitar 2  1000+ Free Flash Games  Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Treasure of Cutlass Reef  1000+ Free Flash Games  Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Game Giveaway of the Day.url:favicon 2038 bytes
C:\Documents and Settings\Rob\Favorites\Grow Island  1000+ Free Flash Games  Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\http--www.playlist.com-.url:favicon 1150 bytes
C:\Documents and Settings\Rob\Favorites\Land to Acre Conversion Calculator.url:favicon 822 bytes
scan completed successfully
hidden files: 67
 
 
[Alternate Data Streams]
@Alternate Data Stream - 101 bytes -> %AllUsersProfile%\Application Data\TEMP:7E95B6FD
< End of report >
 
I hope it is okay with you; I have reposted the above info minus the "code" in order to make it easier to read.

OTScanIt2 logfile created on: 4/27/2009 8:33:33 AM - Run 1
OTScanIt2 by OldTimer - Version 1.0.14.0 Folder = C:\Documents and Settings\Rob\Desktop\OTScanIt2
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.05 Mb Total Physical Memory | 126.78 Mb Available Physical Memory | 25.25% Memory free
1.20 Gb Paging File | 0.84 Gb Available in Paging File | 69.98% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 47.74 Gb Total Space | 32.71 Gb Free Space | 68.53% Space Free | Partition Type: NTFS
Drive D: | 8.13 Gb Total Space | 1.03 Gb Free Space | 12.71% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC161035812295
Current User Name: Rob
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

[Processes - Safe List]
avgcsrvx.exe -> %ProgramFiles%\AVG\AVG8\avgcsrvx.exe -> [2009/04/26 09:42:15 | 00,691,992 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgemc.exe -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgnsx.exe -> %ProgramFiles%\AVG\AVG8\avgnsx.exe -> [2009/04/26 09:42:15 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsx.exe -> %ProgramFiles%\AVG\AVG8\avgrsx.exe -> [2009/04/26 09:42:15 | 00,485,144 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtray.exe -> %ProgramFiles%\AVG\AVG8\avgtray.exe -> [2009/04/26 09:42:12 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/26 09:42:11 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
explorer.exe -> %SystemRoot%\Explorer.EXE -> [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
hkcmd.exe -> %SystemRoot%\system32\hkcmd.exe -> [2006/03/23 07:13:40 | 00,077,824 | ---- | M] (Intel Corporation)
hp wireless assistant.exe -> %ProgramFiles%\hpq\HP Wireless Assistant\HP Wireless Assistant.exe -> [2006/05/04 00:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.)
hpqtoa~1.exe -> %ProgramFiles%\HPQ\Shared\HpqToaster.exe -> [2005/12/23 23:44:26 | 00,491,606 | ---- | M] ()
hpqwmiex.exe -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.)
iexplore.exe -> %ProgramFiles%\Internet Explorer\iexplore.exe -> [2009/02/27 23:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation)
igfxpers.exe -> %SystemRoot%\system32\igfxpers.exe -> [2006/03/23 07:17:50 | 00,118,784 | ---- | M] (Intel Corporation)
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> [2005/08/11 18:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation)
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/04/11 16:32:52 | 00,494,080 | ---- | M] (OldTimer Tools)
qlbctrl.exe -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe -> [2006/06/02 17:21:42 | 00,135,168 | ---- | M] ( Hewlett-Packard Development Company, L.P.)
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> [2007/09/15 03:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.)
wdfmgr.exe -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 15:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
wmiprvse.exe -> %SystemRoot%\system32\wbem\wmiprvse.exe -> [2009/02/06 04:41:05 | 00,227,840 | ---- | M] (Microsoft Corporation)
wscntfy.exe -> %SystemRoot%\system32\wscntfy.exe -> [2004/08/04 16:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(AddFiltr) AddFiltr [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -> [2006/05/08 12:49:02 | 00,098,304 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -> [2004/07/15 11:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation)
(avg8emc) AVG Free8 E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgemc.exe -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
(avg8wd) AVG Free8 WatchDog [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/04/26 09:42:11 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
(gusvc) Google Updater Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2007/11/23 22:47:52 | 00,138,168 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2004/08/04 16:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation)
(hpqwmiex) hpqwmiex [Win32_Own | Auto | Running] -> %ProgramFiles%\Hewlett-Packard\Shared\hpqwmiex.exe -> [2006/05/02 17:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> [2005/04/04 02:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 15:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
(Vongo Service) Vongo Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Vongo\VongoService.exe -> [2006/05/09 16:11:10 | 00,176,128 | ---- | M] (Starz Entertainment Group LLC)

[Driver Services - Safe List]
(AliIde) AliIde [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\aliide.sys -> [2001/08/17 23:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\amdagp.sys -> [2004/08/04 09:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(asc) asc [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc.sys -> [2001/08/17 23:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc3550.sys -> [2001/08/17 23:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(Aspi32) Aspi32 [Kernel | Auto | Running] -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [2006/09/11 14:12:26 | 00,016,512 | ---- | M] (Adaptec)
(AvgLdx86) AVG Free AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgMfx86) AVG Free On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> %SystemRoot%\System32\Drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgTdiX) AVG Free8 Network Redirector [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
(BCM43XX) Broadcom 802.11 Network Adapter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\bcmwl5.sys -> [2006/10/13 00:26:56 | 00,604,928 | ---- | M] (Broadcom Corporation)
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\cmdide.sys -> [2001/08/17 23:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\dac2w2k.sys -> [2001/08/17 23:52:16 | 00,179,584 | ---- | M] (Mylex Corporation)
(eabfiltr) eabfiltr [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\eabfiltr.sys -> [2005/09/19 16:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(eabusb) eabusb [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\eabusb.sys -> [2005/09/19 16:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(HBtnKey) HBtnKey [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\cpqbttn.sys -> [2005/09/19 16:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.)
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\CHDAud.sys -> [2007/05/01 02:11:54 | 00,630,272 | ---- | M] (Conexant Systems Inc.)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2005/01/07 19:07:18 | 00,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HSFHWAZL) HSFHWAZL [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSFHWAZL.sys -> [2005/08/21 19:06:16 | 00,201,600 | ---- | M] (Conexant Systems, Inc.)
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_DPV.sys -> [2005/08/21 19:07:00 | 01,035,008 | ---- | M] (Conexant Systems, Inc.)
(ialm) ialm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ialmnt5.sys -> [2006/03/23 07:47:06 | 01,166,972 | ---- | M] (Intel Corporation)
(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\iaStor.sys -> [2005/10/13 04:07:12 | 00,874,240 | ---- | M] (Intel Corporation)
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\mdmxsdk.sys -> [2006/02/14 14:57:46 | 00,012,672 | ---- | M] (Conexant)
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\mraid35x.sys -> [2001/08/17 23:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(NwlnkIpx) NWLink IPX/SPX/NetBIOS Compatible Transport Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkipx.sys -> [2004/08/04 16:00:00 | 00,088,448 | ---- | M] (Microsoft Corporation)
(NwlnkNb) NWLink NetBIOS [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnknb.sys -> [2004/08/04 16:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation)
(NwlnkSpx) NWLink SPX/SPXII Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkspx.sys -> [2004/08/04 16:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2004/08/04 16:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2005/06/20 19:05:58 | 00,020,640 | ---- | M] (Sonic Solutions)
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1080.sys -> [2001/08/17 23:52:20 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql12160.sys -> [2001/08/17 23:52:20 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1280.sys -> [2001/08/17 23:52:18 | 00,049,024 | ---- | M] (QLogic Corporation)
(RTL8023xp) Realtek 10/100/1000 PCI NIC Family NDIS XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\Rtnicxp.sys -> [2007/08/22 13:51:38 | 00,097,152 | ---- | M] (Realtek Semiconductor Corporation )
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\RTL8139.SYS -> [2004/08/04 01:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sisagp.sys -> [2004/08/04 09:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation)
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sparrow.sys -> [2001/08/18 00:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(symc810) symc810 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc810.sys -> [2001/08/18 00:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc8xx.sys -> [2001/08/18 00:07:36 | 00,032,640 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_hi.sys -> [2001/08/18 00:07:40 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_u3.sys -> [2001/08/18 00:07:42 | 00,030,688 | ---- | M] (LSI Logic)
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\SynTP.sys -> [2007/09/15 03:09:44 | 00,213,696 | ---- | M] (Synaptics, Inc.)
(ultra) ultra [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ultra.sys -> [2001/08/17 23:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSF_CNXT.sys -> [2005/08/21 19:06:10 | 00,718,464 | ---- | M] (Conexant Systems, Inc.)
(wlubdewd) wlubdewd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\wlubdewd.sys -> [2004/08/04 16:00:00 | 00,023,424 | ---- | M] (S3/Diamond Multimedia Systems)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type. ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKEY_LOCAL_MACHINE\: "ProxyEnable" -> 1 ->
HKEY_LOCAL_MACHINE\: "ProxyOverride" -> *.local;<local> ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local;<local> ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions -> ->
< FireFox Extensions [User Folders] > ->
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
Reset Hosts
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/12/18 04:16:42 | 00,059,032 | ---- | M] (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search] -> [2009/04/26 09:42:18 | 01,078,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> [2008/06/10 04:27:02 | 00,509,328 | ---- | M] (Sun Microsystems, Inc.)
{A057A204-BACC-4D26-9990-79A187E2698E} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} [HKLM] -> %SystemRoot%\system32\rtqwryr.dll [] -> [2004/08/04 16:00:00 | 00,104,448 | ---- | M] ()
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> %ProgramFiles%\AVG\AVG8\avgtoolbar.dll [AVG Security Toolbar] -> [2009/04/26 09:42:24 | 01,968,920 | ---- | M] ([[[COMPANYNAME]]]----------------------------)
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AVG8_TRAY" -> %ProgramFiles%\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> [2009/04/26 09:42:12 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.)
"CANON DR2080C SVC" -> %SystemRoot%\system32\DR2KSVC.DLL [rundll32.exe DR2KSVC.dll,EntryPointUserMessage] -> [2007/03/02 12:40:36 | 00,229,376 | ---- | M] (Canon Electronics)
"Cpqset" -> %ProgramFiles%\Hewlett-Packard\Default Settings\cpqset.exe [C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe] -> [2006/06/19 12:50:40 | 00,040,960 | ---- | M] ()
"High Definition Audio Property Page Shortcut" -> %SystemRoot%\system32\CHDAudPropShortcut.exe [CHDAudPropShortcut.exe] -> [2006/06/02 10:02:50 | 00,061,952 | ---- | M] (Windows (R) Server 2003 DDK provider)
"hpWirelessAssistant" -> %ProgramFiles%\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe] -> [2006/05/04 00:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"igfxhkcmd" -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\system32\hkcmd.exe] -> [2006/03/23 07:13:40 | 00,077,824 | ---- | M] (Intel Corporation)
"igfxpers" -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\system32\igfxpers.exe] -> [2006/03/23 07:17:50 | 00,118,784 | ---- | M] (Intel Corporation)
"igfxtray" -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\system32\igfxtray.exe] -> [2006/03/23 07:17:04 | 00,094,208 | ---- | M] (Intel Corporation)
"ISUSPM Startup" -> %CommonProgramFiles%\InstallShield\UpdateService\isuspm.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup] -> [2005/08/11 18:30:30 | 00,249,856 | ---- | M] (Macrovision Corporation)
"ISUSScheduler" -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start] -> [2005/08/11 18:30:30 | 00,081,920 | ---- | M] (Macrovision Corporation)
"QlbCtrl" -> [%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start] -> File not found
"RecGuard" -> %SystemRoot%\SMINST\RecGuard.exe [C:\Windows\SMINST\RecGuard.exe] -> [2005/10/11 12:23:50 | 01,187,840 | ---- | M] ()
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
"SynTPEnh" -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> [2007/09/15 03:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.)
"SynTPStart" -> %ProgramFiles%\Synaptics\SynTP\SynTPStart.exe [C:\Program Files\Synaptics\SynTP\SynTPStart.exe] -> [2007/09/15 03:29:10 | 00,102,400 | ---- | M] (Synaptics, Inc.)
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
"OTMoveIt" -> %UserProfile%\Desktop\OTMoveIt3.exe [C:\Documents and Settings\Rob\Desktop\OTMoveIt3.exe] -> [2009/04/27 06:55:19 | 00,389,632 | ---- | M] (OldTimer Tools)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Rob Startup Folder > -> C:\Documents and Settings\Rob\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" -> [1] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\Office10\EXCEL.EXE [res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000] -> [2001/02/16 02:05:38 | 09,164,192 | R--- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Menu: Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2006/10/10 07:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 19:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 5506 domain(s) found. ->
50 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 77 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 5501 domain(s) found. ->
49 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 77 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{233C1507-6A77-46A4-9443-F871F945D258} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab [Shockwave ActiveX Control] ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232901218718 [WUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{A90A5822-F108-45AD-8482-9BC8B12DD539} [HKLM] -> http://www.crucial.com/controls/cpcScanner.cab [Crucial cpcScan] ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Java Plug-in 1.5.0_06] ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab [Java Plug-in 1.6.0_01] ->
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab [Java Plug-in 1.6.0_02] ->
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{4F861CE6-223A-4578-B2A7-69BD3BA7C5EF} -> (Broadcom 802.11b/g WLAN) ->
{828F6C98-926B-49AD-AE17-C88EF5588F55} -> (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
avgrsstarter -> %SystemRoot%\system32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> [2006/03/23 07:12:42 | 00,139,264 | ---- | M] (Intel Corporation)
tqqujzct -> %SystemRoot%\system32\rtqwryr.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | M] ()
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/04 16:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Program Files\AVG\AVG8\avgemc.exe" -> C:\Program Files\AVG\AVG8\avgemc.exe [C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe] -> [2009/04/26 09:42:12 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" -> C:\Program Files\AVG\AVG8\avgnsx.exe [C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe] -> [2009/04/26 09:42:15 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" -> C:\Program Files\AVG\AVG8\avgupd.exe [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe] -> [2009/04/26 09:42:12 | 01,057,048 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019] -> [2004/08/04 16:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2004/08/04 16:00:00 | 00,049,536 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > -> ->
D:\AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ FAT32 ] -> [2001/07/27 22:07:38 | 00,000,000 | -HS- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
\F
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell
\F\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun
\F\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command
\F\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a] -> File not found
\{11653a28-c6ba-11db-b4ed-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11653a28-c6ba-11db-b4ed-0014a5d1302c}\Shell\AutoRun\command
\{11653a28-c6ba-11db-b4ed-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\setupSNK.exe [F:\setupSNK.exe] -> File not found
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\command
\{1dfc639f-ae50-11dc-b595-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe -a] -> File not found
\{a262d412-8263-11dc-b587-0014a5d1302c}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\\"" -> [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\\"" -> [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\command
\{a262d412-8263-11dc-b587-0014a5d1302c}\Shell\AutoRun\command\\"" -> F:\LaunchU3.exe [F:\LaunchU3.exe] -> File not found


[Files/Folders - Created Within 30 Days]
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/04/27 08:32:50 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/04/27 08:31:43 | 00,665,196 | ---- | C] ()
RECYCLER -> %SystemDrive%\RECYCLER -> [2009/04/27 07:19:58 | 00,000,000 | -HSD | C]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [2009/04/27 07:07:49 | 00,000,000 | ---D | C]
OTMoveIt3.exe -> %UserProfile%\Desktop\OTMoveIt3.exe -> [2009/04/27 06:55:18 | 00,389,632 | ---- | C] (OldTimer Tools)
temp -> %SystemRoot%\temp -> [2009/04/26 14:40:53 | 00,000,000 | ---D | C]
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/04/26 09:59:24 | 00,000,211 | ---- | C] ()
cmldr -> %SystemDrive%\cmldr -> [2009/04/26 09:59:18 | 00,260,272 | ---- | C] ()
cmdcons -> %SystemDrive%\cmdcons -> [2009/04/26 09:59:13 | 00,000,000 | RHSD | C]
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> [2009/04/26 09:57:19 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2009/04/26 09:57:19 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2009/04/26 09:57:19 | 00,136,704 | ---- | C] (SteelWerX)
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/04/26 09:57:19 | 00,111,104 | ---- | C] ()
sed.exe -> %SystemRoot%\sed.exe -> [2009/04/26 09:57:19 | 00,098,816 | ---- | C] ()
grep.exe -> %SystemRoot%\grep.exe -> [2009/04/26 09:57:19 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2009/04/26 09:57:19 | 00,068,096 | ---- | C] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/04/26 09:57:19 | 00,029,696 | ---- | C] (NirSoft)
Qoobox -> %SystemDrive%\Qoobox -> [2009/04/26 09:52:14 | 00,000,000 | ---D | C]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/04/26 09:51:20 | 03,006,230 | R--- | C] ()
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | C] (AVG Technologies CZ, s.r.o.)
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2009/04/26 09:42:25 | 35,477,808 | ---- | C] ()
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2009/04/26 09:42:25 | 06,061,540 | ---- | C] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2009/04/26 09:42:25 | 00,434,673 | ---- | C] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2009/04/26 09:42:25 | 00,032,111 | ---- | C] ()
AVGTOOLBAR -> %AppData%\AVGTOOLBAR -> [2009/04/26 09:42:25 | 00,000,000 | ---D | C]
Avg -> %SystemRoot%\System32\drivers\Avg -> [2009/04/26 09:42:25 | 00,000,000 | ---D | C]
AVG -> %ProgramFiles%\AVG -> [2009/04/26 09:42:11 | 00,000,000 | ---D | C]
avg8 -> %AllUsersProfile%\Application Data\avg8 -> [2009/04/26 09:42:10 | 00,000,000 | ---D | C]
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/04/25 09:32:06 | 00,001,734 | ---- | C] ()
Trend Micro -> %ProgramFiles%\Trend Micro -> [2009/04/25 09:32:06 | 00,000,000 | ---D | C]
ERDNT -> %SystemRoot%\ERDNT -> [2009/04/25 09:26:21 | 00,000,000 | ---D | C]
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/04/25 09:20:06 | 00,000,611 | ---- | C] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 09:20:06 | 00,000,592 | ---- | C] ()
ERUNT -> %ProgramFiles%\ERUNT -> [2009/04/25 09:20:05 | 00,000,000 | ---D | C]
TEMP -> %AllUsersProfile%\Application Data\TEMP -> [2009/04/24 22:49:38 | 00,000,000 | ---D | C]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/04/24 22:29:23 | 52,650,3936 | -HS- | C] ()
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [2009/04/24 20:23:31 | 00,000,000 | ---D | C]
fastprox.dll -> %SystemRoot%\System32\dllcache\fastprox.dll -> [2009/04/23 22:52:08 | 00,473,088 | ---- | C] (Microsoft Corporation)
rpcss.dll -> %SystemRoot%\System32\dllcache\rpcss.dll -> [2009/04/23 22:52:08 | 00,401,408 | ---- | C] (Microsoft Corporation)
pdh.dll -> %SystemRoot%\System32\dllcache\pdh.dll -> [2009/04/23 22:52:08 | 00,284,160 | ---- | C] (Microsoft Corporation)
wmiprvse.exe -> %SystemRoot%\System32\dllcache\wmiprvse.exe -> [2009/04/23 22:52:08 | 00,227,840 | ---- | C] (Microsoft Corporation)
services.exe -> %SystemRoot%\System32\dllcache\services.exe -> [2009/04/23 22:52:08 | 00,110,592 | ---- | C] (Microsoft Corporation)
colbact.dll -> %SystemRoot%\System32\dllcache\colbact.dll -> [2009/04/23 22:52:08 | 00,060,416 | ---- | C] (Microsoft Corporation)
sc.exe -> %SystemRoot%\System32\dllcache\sc.exe -> [2009/04/23 22:52:08 | 00,035,328 | ---- | C] (Microsoft Corporation)
ntdll.dll -> %SystemRoot%\System32\dllcache\ntdll.dll -> [2009/04/23 22:52:07 | 00,715,264 | ---- | C] (Microsoft Corporation)
advapi32.dll -> %SystemRoot%\System32\dllcache\advapi32.dll -> [2009/04/23 22:52:07 | 00,617,984 | ---- | C] (Microsoft Corporation)
sysmain.sdb -> %SystemRoot%\System32\dllcache\sysmain.sdb -> [2009/04/23 22:51:39 | 01,193,414 | ---- | C] ()
wordpad.exe -> %SystemRoot%\System32\dllcache\wordpad.exe -> [2009/04/23 22:51:39 | 00,215,552 | ---- | C] (Microsoft Corporation)
Mozilla -> %AppData%\Mozilla -> [2009/04/23 10:22:29 | 00,000,000 | ---D | C]
Malwarebytes -> %AppData%\Malwarebytes -> [2009/04/23 10:10:31 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/23 10:10:29 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 10:10:29 | 00,000,696 | ---- | C] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/23 10:10:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/04/23 10:10:26 | 00,000,000 | ---D | C]
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware -> [2009/04/23 10:10:25 | 00,000,000 | ---D | C]
Shortcut (2) to All Wells.lnk -> %UserProfile%\Desktop\Shortcut (2) to All Wells.lnk -> [2009/04/22 15:39:36 | 00,000,254 | ---- | C] ()
pixcache.ini -> %SystemRoot%\pixcache.ini -> [2009/04/22 12:46:29 | 00,004,969 | ---- | C] ()
Canon Electronics -> %AppData%\Canon Electronics -> [2009/04/22 12:46:28 | 00,000,000 | ---D | C]
PIXDFLT.DLL -> %SystemRoot%\System32\PIXDFLT.DLL -> [2009/04/22 12:44:04 | 00,231,552 | ---- | C] (EMC Corporation)
PIXPERM.DLL -> %SystemRoot%\System32\PIXPERM.DLL -> [2009/04/22 12:44:04 | 00,023,152 | ---- | C] (EMC Corporation)
CTL3D.DLL -> %SystemRoot%\System32\CTL3D.DLL -> [2009/04/22 12:44:04 | 00,021,008 | ---- | C] (Microsoft Corporation)
PIXLOC.DLL -> %SystemRoot%\System32\PIXLOC.DLL -> [2009/04/22 12:44:04 | 00,016,048 | ---- | C] (EMC Corporation)
PIXMDLLC.CPL -> %SystemRoot%\System32\PIXMDLLC.CPL -> [2009/04/22 12:44:04 | 00,011,968 | ---- | C] (Pixel Translations Incorporated)
PIXTHK16.DLL -> %SystemRoot%\System32\PIXTHK16.DLL -> [2009/04/22 12:44:04 | 00,006,416 | ---- | C] (EMC Corporation)
PIXJP2KI.DLL -> %SystemRoot%\System32\PIXJP2KI.DLL -> [2009/04/22 12:44:03 | 00,327,680 | ---- | C] (The University of New South Wales)
PIXNAME.HLP -> %SystemRoot%\System32\PIXNAME.HLP -> [2009/04/22 12:44:03 | 00,051,959 | ---- | C] ()
SuStiUtl.dll -> %SystemRoot%\System32\SuStiUtl.dll -> [2009/04/22 12:43:59 | 00,061,440 | ---- | C] (Canon Electronics Inc.)
usbscan.sys -> %SystemRoot%\System32\drivers\usbscan.sys -> [2009/04/22 12:42:33 | 00,015,104 | ---- | C] (Microsoft Corporation)
usbscan.sys -> %SystemRoot%\System32\dllcache\usbscan.sys -> [2009/04/22 12:42:33 | 00,015,104 | ---- | C] (Microsoft Corporation)
DR2KSVC.dll -> %SystemRoot%\System32\DR2KSVC.dll -> [2009/04/22 12:42:13 | 00,229,376 | ---- | C] (Canon Electronics)
WNASPI32.DLL -> %SystemRoot%\System32\WNASPI32.DLL -> [2009/04/22 12:42:13 | 00,045,056 | ---- | C] (Adaptec)
CeiUSB.dll -> %SystemRoot%\System32\CeiUSB.dll -> [2009/04/22 12:42:13 | 00,042,536 | ---- | C] (Canon Electronics Inc.)
ASPI32.SYS -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [2009/04/22 12:42:13 | 00,016,512 | ---- | C] (Adaptec)
SetScan.ini -> %SystemRoot%\SetScan.ini -> [2009/04/22 12:42:13 | 00,000,140 | ---- | C] ()
CeiSCSI.dll -> %SystemRoot%\System32\CeiSCSI.dll -> [2009/04/22 12:42:12 | 00,157,224 | ---- | C] (Canon Electronics Inc.)
CaDRcpl.dll -> %SystemRoot%\System32\CaDRcpl.dll -> [2009/04/22 12:42:12 | 00,083,496 | ---- | C] (Canon Electronics Inc.)
qd1.dll -> %SystemRoot%\System32\qd1.dll -> [2009/04/22 12:41:42 | 00,504,080 | ---- | C] (Captiva Software Corp.)
Msvcrtd.dll -> %SystemRoot%\System32\Msvcrtd.dll -> [2009/04/22 12:41:41 | 00,401,484 | ---- | C] (Microsoft Corporation)
Pixdflt.dll -> %SystemRoot%\System\Pixdflt.dll -> [2009/04/22 12:41:41 | 00,231,552 | ---- | C] (Pixel Translations Incorporated)
canoit32.exe -> %SystemRoot%\System32\canoit32.exe -> [2009/04/22 12:41:41 | 00,045,056 | ---- | C] (CANON INC.)
Pixperm.dll -> %SystemRoot%\System\Pixperm.dll -> [2009/04/22 12:41:41 | 00,023,152 | ---- | C] (Pixel Translations Incorporated)
Ctl3d.dll -> %SystemRoot%\System\Ctl3d.dll -> [2009/04/22 12:41:41 | 00,021,008 | ---- | C] (Microsoft Corporation)
Pixloc.dll -> %SystemRoot%\System\Pixloc.dll -> [2009/04/22 12:41:41 | 00,016,064 | ---- | C] (Pixel Translations Incorporated)
twpix32.dll -> %SystemRoot%\System32\twpix32.dll -> [2009/04/22 12:41:40 | 00,184,320 | ---- | C] (Input Software Inc.)
PIXN1120.DLL -> %SystemRoot%\System32\PIXN1120.DLL -> [2009/04/22 12:41:40 | 00,180,224 | ---- | C] (Pegasus Imaging Corp.)
PIXN1520.DLL -> %SystemRoot%\System32\PIXN1520.DLL -> [2009/04/22 12:41:40 | 00,176,128 | ---- | C] (Pegasus Imaging Corp.)
PIXN1020.DLL -> %SystemRoot%\System32\PIXN1020.DLL -> [2009/04/22 12:41:40 | 00,155,648 | ---- | C] (Pegasus Imaging Corp.)
PIXN1320.DLL -> %SystemRoot%\System32\PIXN1320.DLL -> [2009/04/22 12:41:40 | 00,114,688 | ---- | C] (Pegasus Imaging Corp.)
Wiaext32.dll -> %SystemRoot%\System32\Wiaext32.dll -> [2009/04/22 12:41:40 | 00,098,304 | ---- | C] (Cornerstone Imaging, Inc.)
PIXN20.DLL -> %SystemRoot%\System32\PIXN20.DLL -> [2009/04/22 12:41:40 | 00,051,712 | ---- | C] (Pegasus Imaging Corp.)
pixtran -> %SystemRoot%\pixtran -> [2009/04/22 12:41:40 | 00,000,000 | ---D | C]
Canon Electronics -> %ProgramFiles%\Canon Electronics -> [2009/04/22 12:41:38 | 00,000,000 | ---D | C]
All Wells -> %UserProfile%\My Documents\All Wells -> [2009/04/22 11:16:48 | 00,000,000 | ---D | C]
Clay JOA's -> %UserProfile%\My Documents\Clay JOA's -> [2009/04/20 16:59:29 | 00,000,000 | ---D | C]
Shortcut to Clay 11A-1.lnk -> %UserProfile%\Desktop\Shortcut to Clay 11A-1.lnk -> [2009/04/20 16:55:30 | 00,000,257 | ---- | C] ()
projected ira.xls -> %UserProfile%\My Documents\projected ira.xls -> [2009/04/14 15:33:39 | 00,048,640 | ---- | C] ()
Map98.INI -> %SystemRoot%\Map98.INI -> [2008/11/19 17:34:51 | 00,000,349 | ---- | C] ()
vshp1020.dll -> %SystemRoot%\System32\vshp1020.dll -> [2008/11/18 13:19:28 | 00,106,496 | R--- | C] ()
iPlayer.INI -> %SystemRoot%\iPlayer.INI -> [2007/09/08 21:31:34 | 00,000,000 | ---- | C] ()
SmartAudio.INI -> %SystemRoot%\SmartAudio.INI -> [2007/01/06 23:46:24 | 00,000,027 | ---- | C] ()
QUICKEN.INI -> %SystemRoot%\QUICKEN.INI -> [2006/08/19 05:08:37 | 00,000,166 | ---- | C] ()
NSSetDefaultBrowser.ini -> %SystemRoot%\NSSetDefaultBrowser.ini -> [2006/08/19 05:03:23 | 00,000,698 | ---- | C] ()
ODBC.INI -> %SystemRoot%\ODBC.INI -> [2006/08/19 04:48:13 | 00,000,376 | ---- | C] ()
oeminfo.ini -> %SystemRoot%\System32\oeminfo.ini -> [2006/08/19 04:43:52 | 00,028,836 | ---- | C] ()
smscfg.ini -> %SystemRoot%\smscfg.ini -> [2006/05/10 09:23:38 | 00,000,061 | ---- | C] ()
WININIT.INI -> %SystemRoot%\WININIT.INI -> [2006/05/10 08:46:02 | 00,000,257 | ---- | C] ()
orun32.ini -> %SystemRoot%\orun32.ini -> [2006/05/10 08:42:38 | 00,000,780 | ---- | C] ()
win.ini -> %SystemRoot%\win.ini -> [2006/05/10 08:25:36 | 00,000,482 | ---- | C] ()
system.ini -> %SystemRoot%\system.ini -> [2006/05/10 01:16:26 | 00,000,227 | ---- | C] ()
px.ini -> %SystemRoot%\System32\px.ini -> [2005/12/02 13:09:10 | 00,000,000 | ---- | C] ()
qt-mt331.dll -> %SystemRoot%\System32\qt-mt331.dll -> [2004/09/16 15:24:26 | 03,375,104 | ---- | C] ()
kqfpqyei.dll -> %SystemRoot%\System32\kqfpqyei.dll -> [2004/08/04 16:00:00 | 00,143,872 | ---- | C] ()
uxehitb.dll -> %SystemRoot%\System32\uxehitb.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | C] ()
rtqwryr.dll -> %SystemRoot%\System32\rtqwryr.dll -> [2004/08/04 16:00:00 | 00,104,448 | ---- | C] ()

[Files/Folders - Modified Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
4 C:\Documents and Settings\Rob\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Rob\Local Settings\Temp\*.tmp ->
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/04/27 08:31:45 | 00,665,196 | ---- | M] ()
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2009/04/27 08:31:17 | 35,477,808 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/04/27 07:22:50 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/04/27 07:22:47 | 00,002,048 | --S- | M] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/04/27 07:22:43 | 52,650,3936 | -HS- | M] ()
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2009/04/27 07:22:43 | 00,270,984 | ---- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/04/27 07:21:32 | 07,340,032 | -H-- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/04/27 07:21:32 | 00,000,178 | -HS- | M] ()
OTMoveIt3.exe -> %UserProfile%\Desktop\OTMoveIt3.exe -> [2009/04/27 06:55:19 | 00,389,632 | ---- | M] (OldTimer Tools)
Norton PC Checkup Weekend Scanner.job -> %SystemRoot%\tasks\Norton PC Checkup Weekend Scanner.job -> [2009/04/26 15:46:00 | 00,000,342 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/04/26 14:37:01 | 00,000,227 | ---- | M] ()
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [2009/04/26 14:36:30 | 00,000,027 | ---- | M] ()
Perflib_Perfdata__755.dat -> %UserProfile%\Local Settings\Temp\Perflib_Perfdata__755.dat -> [2009/04/26 14:32:53 | 00,060,416 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2009/04/26 09:59:25 | 00,000,281 | RHS- | M] ()
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/04/26 09:51:32 | 03,006,230 | R--- | M] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2009/04/26 09:46:25 | 00,434,673 | ---- | M] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2009/04/26 09:46:25 | 00,032,111 | ---- | M] ()
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2009/04/26 09:42:35 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2009/04/26 09:42:34 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2009/04/26 09:42:30 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2009/04/26 09:42:29 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2009/04/26 09:42:25 | 06,061,540 | ---- | M] ()
WININIT.INI -> %SystemRoot%\WININIT.INI -> [2009/04/25 17:51:26 | 00,000,257 | ---- | M] ()
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/04/25 13:59:03 | 00,111,104 | ---- | M] ()
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2009/04/25 09:32:06 | 00,001,734 | ---- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/04/25 09:27:56 | 00,439,376 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/04/25 09:27:56 | 00,380,918 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/04/25 09:27:56 | 00,053,166 | ---- | M] ()
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/04/25 09:20:06 | 00,000,611 | ---- | M] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 09:20:06 | 00,000,592 | ---- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2009/04/24 18:30:21 | 00,000,482 | ---- | M] ()
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/04/24 18:30:21 | 00,000,211 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/04/24 18:02:55 | 00,004,232 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/04/24 18:02:53 | 00,005,338 | ---- | M] ()
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/04/23 22:55:56 | 00,001,374 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/04/23 22:50:50 | 00,001,158 | ---- | M] ()
spider.sav -> %UserProfile%\My Documents\spider.sav -> [2009/04/23 16:55:40 | 00,000,532 | ---- | M] ()
SetScan.ini -> %SystemRoot%\SetScan.ini -> [2009/04/23 13:26:35 | 00,000,140 | ---- | M] ()
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/23 10:10:29 | 00,000,696 | ---- | M] ()
Shortcut (2) to All Wells.lnk -> %UserProfile%\Desktop\Shortcut (2) to All Wells.lnk -> [2009/04/22 15:39:36 | 00,000,254 | ---- | M] ()
pixcache.ini -> %SystemRoot%\pixcache.ini -> [2009/04/22 12:47:17 | 00,004,969 | ---- | M] ()
Shortcut to Clay 11A-1.lnk -> %UserProfile%\Desktop\Shortcut to Clay 11A-1.lnk -> [2009/04/20 16:55:30 | 00,000,257 | ---- | M] ()
projected ira.xls -> %UserProfile%\My Documents\projected ira.xls -> [2009/04/14 15:33:39 | 00,048,640 | ---- | M] ()
DRU Sec._12-3N-6W__Lots[1].doc -> %UserProfile%\Desktop\DRU Sec._12-3N-6W__Lots[1].doc -> [2009/04/07 09:46:16 | 02,120,192 | ---- | M] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation)
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/04/06 07:57:26 | 24,921,544 | ---- | M] (Microsoft Corporation)
data.dat -> %AllUsersProfile%\Application Data\Microsoft\Office\Data\data.dat -> [2006/12/16 18:56:01 | 00,001,372 | ---- | M] ()
[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000001b
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
< Document and Settings folder & sub folders >
scanning hidden files ...
C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD 101 bytes
C:\Documents and Settings\Rob\Favorites\Driving Directions from 8505 Sw 36th St, Oklahoma City, OK to Buffalo, OK.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\amazon.com Used and New PELICAN ACCESSORIES PL-2050 Xbox Edge Wireless Controller.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\corporate name changes index.url:favicon 1406 bytes
C:\Documents and Settings\Rob\Favorites\County Clerk Public Records - various counties.url:favicon 2806 bytes
C:\Documents and Settings\Rob\Favorites\MSN.com.url:favicon 3638 bytes
C:\Documents and Settings\Rob\Favorites\Quick Sand 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Quick Sand Pyro 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Square Feet to Acres conversion calculator - Area conversions.url:favicon 3638 bytes
C:\Documents and Settings\Rob\Favorites\Super Crazy Guitar 2 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Treasure of Cutlass Reef 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\Game Giveaway of the Day.url:favicon 2038 bytes
C:\Documents and Settings\Rob\Favorites\Grow Island 1000+ Free Flash Games Andkon Arcade.url:favicon 318 bytes
C:\Documents and Settings\Rob\Favorites\http--www.playlist.com-.url:favicon 1150 bytes
C:\Documents and Settings\Rob\Favorites\Land to Acre Conversion Calculator.url:favicon 822 bytes
scan completed successfully
hidden files: 67


[Alternate Data Streams]
@Alternate Data Stream - 101 bytes -> %AllUsersProfile%\Application Data\TEMP:7E95B6FD
< End of report >
 
Hi Richue

1 - Run OTScanIt2

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
Code:
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} [HKLM] -> %SystemRoot%\system32\rtqwryr.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> tqqujzct -> %SystemRoot%\system32\rtqwryr.dll
[Files/Folders - Created Within 30 Days]
NY -> kqfpqyei.dll -> %SystemRoot%\System32\kqfpqyei.dll
NY -> uxehitb.dll -> %SystemRoot%\System32\uxehitb.dll
NY -> rtqwryr.dll -> %SystemRoot%\System32\rtqwryr.dll
[Files/Folders - Modified Within 30 Days]
NY -> qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
[Alternate Data Streams]
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersProfile%\Application Data\TEMP:7E95B6FD
The fix should only take a very short time. When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and Notepad will open with the final results at that time. Post that log back with a fresh HijackThis log.

Thanks peku006
 
Greetings Peku006

I pasted the code into OTScanIt2, clicked Run fix. Got message that reboot was needed. Rebooted and got error message again: "The application or DLL c:\windows\system32\uxehitb.dll is not a valid Windows image. Please check this against your installation diskette".
It seems OTMoveIt3 was running again. Notepad opened with: 04272009_072654.log

========== FILES ==========
LoadLibrary failed for c:\windows\system32\rtqwryr.dll
c:\windows\system32\rtqwryr.dll NOT unregistered.
File move failed. c:\windows\system32\rtqwryr.dll scheduled to be moved on reboot.
========== REGISTRY ==========
Unable to delete registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct\\ .

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04272009_072654

Files moved on Reboot...
LoadLibrary failed for c:\windows\system32\rtqwryr.dll
c:\windows\system32\rtqwryr.dll NOT unregistered.
File move failed. c:\windows\system32\rtqwryr.dll scheduled to be moved on reboot.
Then Notepad opened 04272009_134729.log
[Registry - Safe List]
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}\ scheduled to be deleted on reboot.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}\ .
File move failed. C:\WINDOWS\system32\rtqwryr.dll scheduled to be moved on reboot.
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tqqujzct\ scheduled to be deleted on reboot.
File move failed. C:\WINDOWS\system32\rtqwryr.dll scheduled to be moved on reboot.
[Files/Folders - Created Within 30 Days]
File move failed. C:\WINDOWS\System32\kqfpqyei.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\uxehitb.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\rtqwryr.dll scheduled to be moved on reboot.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD deleted successfully.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.14.0 fix logfile created on 04272009_134729

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\rtqwryr.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\kqfpqyei.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\uxehitb.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}\ scheduled to be deleted on reboot.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}\ .
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tqqujzct\ scheduled to be deleted on reboot.
Here is the latest HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:33 PM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OTScanIt] "C:\Documents and Settings\Rob\Desktop\OTScanIt2\OTScanIt2.exe"
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 7213 bytes

Thanks again. I am not sure what you mean by "page 2 does not show"; do I need to repost something?
 
Hi Richue
"I am not sure what you mean by page 2 does not show, do I need to repost something?"
It is not for you; I had to write one more message since my last message was not visible.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished, you may remove ERUNT using Add/Remove Programs.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Right click avenger.zip and extract the contents to your desktop
  • Start the Avenger.exe.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Code:
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct
    
    Files to delete:
    c:\windows\system32\rtqwryr.dll
  • Click the paste-from-clipboard button to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  1. It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  2. On reboot, it will briefly open a black command window on your desktop; this is normal.
  3. After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt .
  4. Post back with it in your next reply, with a fresh HiJackThis log.
Thanks peku006
 
Hi Peku006

I already had Erunt installed. I had it create a fresh reg backup, then ran Avenger with the code supplied. Upon reboot OTScanIt2 opened up and nothing would happen until I closed it. (On a side note, it seems I am having to right click where I would usually use a left click while some of these programs are running.) When I closed it the log opened:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\windows\system32\rtqwryr.dll"
Deletion of file "c:\windows\system32\rtqwryr.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

Here is the latest HiJackThis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:00 PM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232901218718
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 7066 bytes

As always, thank you for your time.
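As an added example (not code from anyone in this thread), a small Python script that applies the check peku006 is doing by hand: it parses the O2 and O20 lines of a HijackThis log and flags a DLL that is registered both as an unnamed BHO and as a Winlogon Notify package, which is exactly how rtqwryr.dll appears in the log above. The sample lines are copied from that log; the function names and the two heuristics are my own.

```python
import re

# Constructed sample: four HijackThis lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDBA0DFB-8B5F-47E2-9D77-CB181749B4DE} - c:\windows\system32\rtqwryr.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tqqujzct - C:\WINDOWS\SYSTEM32\rtqwryr.dll
"""

# HijackThis line formats for Browser Helper Objects (O2) and Winlogon Notify packages (O20).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")


def dll_name(path):
    """Case-folded file name of a Windows path (HijackThis mixes upper and lower case)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_hjt(text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def find_suspicious(text):
    """Return (dll, reason) pairs for entries matching the persistence pattern in this thread."""
    bhos, notifies = parse_hjt(text)
    findings = []
    bho_dlls = {dll_name(b["path"]) for b in bhos}
    for b in bhos:
        # Legitimate BHOs almost always carry a display name; Vundo's do not.
        if b["name"].strip().lower() == "(no name)":
            findings.append((dll_name(b["path"]), "BHO registered without a name"))
    for n in notifies:
        # One module hooking both Internet Explorer and the logon process is a strong signal.
        d = dll_name(n["path"])
        if d in bho_dlls:
            findings.append((d, "same DLL is both a BHO and a Winlogon Notify package"))
    return findings


if __name__ == "__main__":
    for dll, reason in find_suspicious(SAMPLE_LOG):
        print(f"{dll}: {reason}")
```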
 
Hi Richue

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :file
    c:\windows\system32\rtqwryr.dll
    
    :reg
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Thanks peku006
 
Hello Peku006

Here is the log as requested:

SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 07:22 on 28/04/2009 by Rob (Administrator - Elevation successful)

========== file ==========

c:\windows\system32\rtqwryr.dll - File found and opened.
MD5: E7C653D660393316877F11C109D39908
Created at 21:00 on 04/08/2004
Modified at 21:00 on 04/08/2004
Size: 104448 bytes
Attributes: --a---
No version information available.

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tqqujzct]
"Asynchronous"= 0x00000000 (0)
"DLLName"="rtqwryr.dll"
"Impersonate"= 0x00000000 (0)
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"


-=End Of File=-


Many thanks, richue
 
Hi Richue

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    kqfpqyei.dll 
    uxehitb.dll 
    rtqwryr.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Thanks peku006
 
Hello Peku006,
I did as instructed; however, I kept getting a Microsoft error: "System Querying Tool has encountered a problem and needs to close..."
I tried inserting each dll individually but got the same results.
I tried a registry search for kqfpqyei.dll via regedit and it did find it.

Thanks richue
 
Hi Richue
Let's try this...

Please download GMER by GMER. An alternate download site.
  1. Unzip it to a folder on your desktop.
  2. Double click on gmer.exe to execute.
    If asked, allow the gmer.sys driver to load.
  3. If you get a warning prompt about rootkit activity ... asking if you want to run Scan, click OK.
  4. If you don't get a warning then...
    • Click the Rootkit/Malware tab at the top of the GMER window.
    • Click the Scan button.
  5. Once the scan has finished... click Copy. ... Do not close the GMER window yet...
  6. Open Notepad and paste what you copied. Ctrl+V
  7. Select "Save As" in Notepad...saving the file to your desktop as "gmerroot.txt"... then close Notepad.

    In the GMER window...
  8. Click on the >>> tab at the top of the GMER window.
    This displays the rest of the "selection" tabs for you.
  9. Click on the Autostart tab.
  10. Click on Scan button.
  11. Once the scan has finished... click Copy.
  12. Open Notepad (again) and paste what you copied. Ctrl+V
  13. Select "Save As" in Notepad...saving the file to your desktop as "gmerauto.txt"
  14. Copy and paste the contents of the files gmerroot.txt and gmerauto.txt in your next reply.

Thanks peku006
 