Solved: Need help with Virus Removal!
rdizy
Junior Member with 25 posts.
 
Join Date: Sep 2010
04-Sep-2010, 07:18 PM #1
Need help with Virus Removal!
My machine is in bad shape. I think I've been infected by multiple viruses (including Alureon, AntiSpySafeGuard, and AntiMalware Doctor). It seems Microsoft Security Essentials has been taken over? I'm unable to use my User Account since it's blocked by AntiSpy SafeGuard. I used another account to run HiJackThis and DDS. I could not run EMER (the system kept restarting when I launched the exe).

I can't use regedit as it now says the Administrator has blocked that function (even though the user is an admin).

Here's what I have. I hope you can help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:36 PM, on 9/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login...a.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Rick\Application Data\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: C:\WINDOWS\system32\r1lw9g.dll - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - C:\WINDOWS\system32\r1lw9g.dll
O4 - HKLM\..\Run: [HNUiOXRqtpc] C:\DOCUME~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
O4 - HKLM\..\Run: [HNUiOXRo_P] C:\DOCUME~1\Rick\LOCALS~1\Temp\h90b11.exe
O4 - HKLM\..\Run: [HNUiOXRrq+] C:\DOCUME~1\Rick\LOCALS~1\Temp\slxaf17d.exe
O4 - HKLM\..\Run: [Acronis Toolbar Helper] rundll32.exe "C:\Documents and Settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll", StartProt
O4 - HKLM\..\Run: [HNUiOXRquBc] C:\DOCUME~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
O4 - HKLM\..\Run: [HNUiOXRrdbc] C:\DOCUME~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
O4 - HKLM\..\Run: [HNUiOXRrxc] C:\DOCUME~1\Rick\LOCALS~1\Temp\uxmhx.exe
O4 - HKLM\..\Run: [HNUiOXRqtc] C:\DOCUME~1\Rick\LOCALS~1\Temp\qjfsqh.exe
O4 - HKLM\..\Run: [HNUiOXRneL] C:\DOCUME~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
O4 - HKLM\..\Run: [mlkjkhaudio] rundll32.exe "rqpnlj.dll",s
O4 - HKLM\..\Run: [rqpomlsys] rundll32.exe "tustut.dll",s
O4 - HKLM\..\Run: [HNUiOXRrvc] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - HKLM\..\Run: [HNUiOXRrg] C:\DOCUME~1\Rick\LOCALS~1\Temp\smss.exe
O4 - HKLM\..\Run: [MKexe] C:\WINDOWS\system.exe
O4 - HKLM\..\Run: [MKbMc] C:\WINDOWS\gdi32.exe
O4 - HKLM\..\Run: [MKcuc] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [HNUiOXRsre] C:\DOCUME~1\Rick\LOCALS~1\Temp\wininst.exe
O4 - HKLM\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKLM\..\Run: [MKee] C:\WINDOWS\user.exe
O4 - HKLM\..\Run: [HNUiOXRsPc] C:\DOCUME~1\Rick\LOCALS~1\Temp\win16.exe
O4 - HKLM\..\Run: [HNUiOXRota] C:\DOCUME~1\Rick\LOCALS~1\Temp\install.exe
O4 - HKLM\..\Run: [HNUiOXRruf] C:\DOCUME~1\Rick\LOCALS~1\Temp\spoolsv.exe
O4 - HKLM\..\Run: [MKayc] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKLM\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKLM\..\Run: [MKeta] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [MKese] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [MKeuf] C:\WINDOWS\spoolsv.exe
O4 - HKLM\..\Run: [HNUiOXRssc] C:\DOCUME~1\Rick\LOCALS~1\Temp\winlogon.exe
O4 - HKLM\..\Run: [HNUiOXRrse] C:\DOCUME~1\Rick\LOCALS~1\Temp\svchost.exe
O4 - HKLM\..\Run: [MKbuqc] C:\WINDOWS\iexplarer.exe
O4 - HKLM\..\Run: [HNUiOXRrta] C:\DOCUME~1\Rick\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Run: [MKfa] C:\WINDOWS\win.exe
O4 - HKLM\..\Run: [HNUiOXRotc] C:\DOCUME~1\Rick\LOCALS~1\Temp\hexdump.exe
O4 - HKLM\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKLM\..\Run: [MKbta] C:\WINDOWS\install.exe
O4 - HKLM\..\Run: [MKasc] C:\WINDOWS\drweb.exe
O4 - HKLM\..\Run: [MKfsc] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [HNUiOXRpw+] C:\DOCUME~1\Rick\LOCALS~1\Temp\nvsvc32.exe
O4 - HKLM\..\Run: [HNUiOXRoMc] C:\DOCUME~1\Rick\LOCALS~1\Temp\gdi32.exe
O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [HNUiOXRquBc] C:\DOCUME~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
O4 - HKCU\..\Run: [HNUiOXRrdbc] C:\DOCUME~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
O4 - HKCU\..\Run: [HNUiOXRqtc] C:\DOCUME~1\Rick\LOCALS~1\Temp\qjfsqh.exe
O4 - HKCU\..\Run: [HNUiOXRrxc] C:\DOCUME~1\Rick\LOCALS~1\Temp\uxmhx.exe
O4 - HKCU\..\Run: [HNUiOXRqtpc] C:\DOCUME~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
O4 - HKCU\..\Run: [HNUiOXRo_P] C:\DOCUME~1\Rick\LOCALS~1\Temp\h90b11.exe
O4 - HKCU\..\Run: [HNUiOXRrq+] C:\DOCUME~1\Rick\LOCALS~1\Temp\slxaf17d.exe
O4 - HKCU\..\Run: [HNUiOXRneL] C:\DOCUME~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
O4 - HKCU\..\Run: [ddawuuaudio] rundll32.exe "rqpnlj.dll",s
O4 - HKCU\..\Run: [HNUiOXRrvc] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe
O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - HKCU\..\Run: [HNUiOXRrg] C:\DOCUME~1\Rick\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [MKexe] C:\WINDOWS\system.exe
O4 - HKCU\..\Run: [MKbMc] C:\WINDOWS\gdi32.exe
O4 - HKCU\..\Run: [HNUiOXRsre] C:\DOCUME~1\Rick\LOCALS~1\Temp\wininst.exe
O4 - HKCU\..\Run: [MKcuc] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKCU\..\Run: [MKee] C:\WINDOWS\user.exe
O4 - HKCU\..\Run: [HNUiOXRsPc] C:\DOCUME~1\Rick\LOCALS~1\Temp\win16.exe
O4 - HKCU\..\Run: [HNUiOXRota] C:\DOCUME~1\Rick\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [HNUiOXRruf] C:\DOCUME~1\Rick\LOCALS~1\Temp\spoolsv.exe
O4 - HKCU\..\Run: [MKayc] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKCU\..\Run: [MKese] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MKeta] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [MKeuf] C:\WINDOWS\spoolsv.exe
O4 - HKCU\..\Run: [HNUiOXRssc] C:\DOCUME~1\Rick\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [HNUiOXRrse] C:\DOCUME~1\Rick\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [MKbuqc] C:\WINDOWS\iexplarer.exe
O4 - HKCU\..\Run: [HNUiOXRrta] C:\DOCUME~1\Rick\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [MKfa] C:\WINDOWS\win.exe
O4 - HKCU\..\Run: [HNUiOXRotc] C:\DOCUME~1\Rick\LOCALS~1\Temp\hexdump.exe
O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKCU\..\Run: [MKbta] C:\WINDOWS\install.exe
O4 - HKCU\..\Run: [MKasc] C:\WINDOWS\drweb.exe
O4 - HKCU\..\Run: [MKfsc] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [HNUiOXRpw+] C:\DOCUME~1\Rick\LOCALS~1\Temp\nvsvc32.exe
O4 - HKCU\..\Run: [HNUiOXRoMc] C:\DOCUME~1\Rick\LOCALS~1\Temp\gdi32.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [mediafix70700en02.exe] C:\Documents and Settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\mediafix70700en02.exe
O4 - HKUS\S-1-5-18\..\Run: [ssroljaudio] rundll32.exe "rqpnlj.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [byyyyvsys] rundll32.exe "tustut.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ssroljaudio] rundll32.exe "rqpnlj.dll",s (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://securedoc.saskpower.com/qp2.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179431535093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1180668558656
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://www.walmartphotocentre.ca/upl...eX_Control.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://www.walmartphotocentre.ca/upl...pv2.0.0.12.cab?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.126,93.188.161.216
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\winamnc.dll,C:\Documents and Settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
O22 - SharedTaskScheduler: hasf87hdfuidhfiudfhdiu - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - C:\WINDOWS\system32\r1lw9g.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Halt - - c:\program files\soccerwinners\halt\halt.exe
O23 - Service: HaltMonitor - - c:\program files\soccerwinners\halt\haltmonitor.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 11378 bytes



DDS (Ver_10-03-17.01) - NTFSx86
Run by Michelle at 15:50:54.43 on Sat 09/04/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1017 [GMT -6:00]
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
c:\program files\soccerwinners\halt\halt.exe
c:\program files\soccerwinners\halt\haltmonitor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\h90b11.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\slxaf17d.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\uxmhx.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\qjfsqh.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe
C:\WINDOWS\login.exe
C:\WINDOWS\system.exe
C:\WINDOWS\gdi32.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\wininst.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\sysedit.exe
C:\WINDOWS\user.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\win16.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\install.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\spoolsv.exe
C:\WINDOWS\wininst.exe
C:\WINDOWS\nvsvc32.exe
"C:\WINDOWS\svchost.exe"
C:\WINDOWS\spoolsv.exe
"C:\DOCUME~1\Rick\LOCALS~1\Temp\svchost.exe"
C:\WINDOWS\iexplarer.exe
C:\WINDOWS\win.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\hexdump.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\install.exe
C:\WINDOWS\drweb.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\nvsvc32.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\gdi32.exe
C:\WINDOWS\win32.exe
C:\Documents and Settings\Michelle\Desktop\Studio\BIN\SFlyStudio.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe
C:\Documents and Settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
C:\Garmin\gStart.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\uxmhx.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\qjfsqh.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe
C:\WINDOWS\login.exe
C:\WINDOWS\avp.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\wininst.exe
C:\WINDOWS\system.exe
C:\WINDOWS\gdi32.exe
C:\WINDOWS\sysedit.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\win16.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\install.exe
C:\WINDOWS\user.exe
C:\DOCUME~1\Rick\LOCALS~1\Temp\spoolsv.exe
C:\WINDOWS\nvsvc32.exe
C:\WINDOWS\wininst.exe
C:\WINDOWS\spoolsv.exe
"C:\DOCUME~1\Rick\LOCALS~1\Temp\svchost.exe"
"C:\WINDOWS\svchost.exe"
C:\WINDOWS\iexplarer.exe
C:\WINDOWS\win.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\drweb.exe
C:\WINDOWS\install.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\iexplorer.exe
C:\WINDOWS\taskmgr.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\taskmgr.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\wininst.exe
C:\WINDOWS\debug.exe
C:\Documents and Settings\Michelle\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = localhost
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\rick\application data\sdra64.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\r1lw9g.dll: {b1ba40a2-75f2-51bd-f413-04b13a2c8953} - c:\windows\system32\r1lw9g.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {CA4EEDB3-5719-4E27-A478-8D13F761C28D} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ShutterflyStudio] c:\documents and settings\michelle\desktop\studio\bin\SFlyStudio.exe /trayonly
uRun: [HNUiOXRneL] c:\docume~1\rick\locals~1\temp\d4gtlb9.exe
uRun: [HNUiOXRrxc] c:\docume~1\rick\locals~1\temp\uxmhx.exe
uRun: [HNUiOXRquBc] c:\docume~1\rick\locals~1\temp\rqnlo65i1.exe
uRun: [HNUiOXRrdbc] c:\docume~1\rick\locals~1\temp\t3azgkc8g.exe
uRun: [HNUiOXRqtc] c:\docume~1\rick\locals~1\temp\qjfsqh.exe
uRun: [bywwwwaudio] rundll32.exe "rqpnlj.dll",s
uRun: [HNUiOXRotc] c:\docume~1\rick\locals~1\temp\hexdump.exe
uRun: [HNUiOXRrg] c:\docume~1\rick\locals~1\temp\smss.exe
uRun: [MKcuc] c:\windows\lsass.exe
uRun: [MKcrc] c:\windows\login.exe
uRun: [MKZe] c:\windows\avp.exe
uRun: [HNUiOXRsre] c:\docume~1\rick\locals~1\temp\wininst.exe
uRun: [MKbMc] c:\windows\gdi32.exe
uRun: [MKexe] c:\windows\system.exe
uRun: [MKetc] c:\windows\sysedit.exe
uRun: [HNUiOXRsPc] c:\docume~1\rick\locals~1\temp\win16.exe
uRun: [HNUiOXRota] c:\docume~1\rick\locals~1\temp\install.exe
uRun: [MKee] c:\windows\user.exe
uRun: [HNUiOXRruf] c:\docume~1\rick\locals~1\temp\spoolsv.exe
uRun: [MKayc] c:\windows\csrss.exe
uRun: [MKdw+] c:\windows\nvsvc32.exe
uRun: [MKfre] c:\windows\wininst.exe
uRun: [MKeuf] c:\windows\spoolsv.exe
uRun: [HNUiOXRrse] c:\docume~1\rick\locals~1\temp\svchost.exe
uRun: [HNUiOXRssc] c:\docume~1\rick\locals~1\temp\winlogon.exe
uRun: [MKese] c:\windows\svchost.exe
uRun: [MKeta] c:\windows\services.exe
uRun: [MKbuqc] c:\windows\iexplarer.exe
uRun: [HNUiOXRrta] c:\docume~1\rick\locals~1\temp\services.exe
uRun: [MKfa] c:\windows\win.exe
uRun: [MKevc] c:\windows\setup.exe
uRun: [MKfsc] c:\windows\winlogon.exe
uRun: [MKasc] c:\windows\drweb.exe
uRun: [MKbta] c:\windows\install.exe
uRun: [HNUiOXRpw+] c:\docume~1\rick\locals~1\temp\nvsvc32.exe
uRun: [HNUiOXRoMc] c:\docume~1\rick\locals~1\temp\gdi32.exe
uRun: [MKfPc] c:\windows\win32.exe
uRun: [HNUiOXRrvc] c:\docume~1\rick\locals~1\temp\setup.exe
uRun: [HNUiOXRqtpc] c:\docume~1\rick\locals~1\temp\ojyocijmf.exe
uRun: [HNUiOXRrq+] c:\docume~1\rick\locals~1\temp\slxaf17d.exe
uRun: [HNUiOXRo_P] c:\docume~1\rick\locals~1\temp\h90b11.exe
uRun: [MKerb] c:\windows\taskmgr.exe
uRun: [HNUgoOXRrrb] c:\docume~1\michelle\locals~1\temp\taskmgr.exe
uRun: [HNUgoOXRsre] c:\docume~1\michelle\locals~1\temp\wininst.exe
uRun: [MKaoc] c:\windows\debug.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [HNUiOXRrxc] c:\docume~1\rick\locals~1\temp\uxmhx.exe
mRun: [HNUiOXRquBc] c:\docume~1\rick\locals~1\temp\rqnlo65i1.exe
mRun: [HNUiOXRrdbc] c:\docume~1\rick\locals~1\temp\t3azgkc8g.exe
mRun: [HNUiOXRqtc] c:\docume~1\rick\locals~1\temp\qjfsqh.exe
mRun: [HNUiOXRneL] c:\docume~1\rick\locals~1\temp\d4gtlb9.exe
mRun: [xxyyyxaudio] rundll32.exe "rqpnlj.dll",s
mRun: [Acronis Toolbar Helper] rundll32.exe "c:\documents and settings\rick\local settings\application data\desktop cleanup wizard\dskclnwiz.dll", StartProt
mRun: [dddddasys] rundll32.exe "tustut.dll",s
mRun: [HNUiOXRotc] c:\docume~1\rick\locals~1\temp\hexdump.exe
mRun: [HNUiOXRrg] c:\docume~1\rick\locals~1\temp\smss.exe
mRun: [MKcuc] c:\windows\lsass.exe
mRun: [MKcrc] c:\windows\login.exe
mRun: [MKZe] c:\windows\avp.exe
mRun: [HNUiOXRsre] c:\docume~1\rick\locals~1\temp\wininst.exe
mRun: [MKbMc] c:\windows\gdi32.exe
mRun: [MKexe] c:\windows\system.exe
mRun: [MKetc] c:\windows\sysedit.exe
mRun: [HNUiOXRota] c:\docume~1\rick\locals~1\temp\install.exe
mRun: [HNUiOXRsPc] c:\docume~1\rick\locals~1\temp\win16.exe
mRun: [MKee] c:\windows\user.exe
mRun: [HNUiOXRruf] c:\docume~1\rick\locals~1\temp\spoolsv.exe
mRun: [MKayc] c:\windows\csrss.exe
mRun: [MKdw+] c:\windows\nvsvc32.exe
mRun: [MKfre] c:\windows\wininst.exe
mRun: [MKeuf] c:\windows\spoolsv.exe
mRun: [HNUiOXRssc] c:\docume~1\rick\locals~1\temp\winlogon.exe
mRun: [HNUiOXRrse] c:\docume~1\rick\locals~1\temp\svchost.exe
mRun: [MKeta] c:\windows\services.exe
mRun: [MKbuqc] c:\windows\iexplarer.exe
mRun: [MKese] c:\windows\svchost.exe
mRun: [HNUiOXRrta] c:\docume~1\rick\locals~1\temp\services.exe
mRun: [MKfa] c:\windows\win.exe
mRun: [MKfsc] c:\windows\winlogon.exe
mRun: [MKevc] c:\windows\setup.exe
mRun: [MKbta] c:\windows\install.exe
mRun: [MKasc] c:\windows\drweb.exe
mRun: [HNUiOXRpw+] c:\docume~1\rick\locals~1\temp\nvsvc32.exe
mRun: [HNUiOXRoMc] c:\docume~1\rick\locals~1\temp\gdi32.exe
mRun: [MKfPc] c:\windows\win32.exe
mRun: [HNUiOXRrvc] c:\docume~1\rick\locals~1\temp\setup.exe
mRun: [HNUiOXRqtpc] c:\docume~1\rick\locals~1\temp\ojyocijmf.exe
mRun: [HNUiOXRrq+] c:\docume~1\rick\locals~1\temp\slxaf17d.exe
mRun: [HNUiOXRo_P] c:\docume~1\rick\locals~1\temp\h90b11.exe
mRun: [MKerb] c:\windows\taskmgr.exe
mRun: [HNUgoOXRrrb] c:\docume~1\michelle\locals~1\temp\taskmgr.exe
mRun: [HNUgoOXRsre] c:\docume~1\michelle\locals~1\temp\wininst.exe
mRun: [MKaoc] c:\windows\debug.exe
dRun: [ssroljaudio] rundll32.exe "rqpnlj.dll",s
dRun: [byyyyvsys] rundll32.exe "tustut.dll",s
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://securedoc.saskpower.com/qp2.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179431535093
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180668558656
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://www.walmartphotocentre.ca/upload/activex/v2_0_0_12/PCAXSetupv2.0.0.12.cab?
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\winamnc.dll,c:\documents and settings\rick\local settings\application data\desktop cleanup wizard\dskclnwiz.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\r1lw9g.dll: {b1ba40a2-75f2-51bd-f413-04b13a2c8953} - c:\windows\system32\r1lw9g.dll
LSA: Authentication Packages = msv1_0 tustut.dll
============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================
2008-08-24 04:44:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat
2010-04-08 10:43:41 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-04-08 10:43:41 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-04-08 10:43:41 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 15:52:38.21 ===============
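As an added example (not code from this thread, HijackThis, DDS or ComboFix), a Python triage pass over lines copied from the logs above, flagging the persistence patterns they show: a UserInit chain, a BHO with no display name, Run keys pointing at Temp or at system-process names outside system32, rundll32 loading a DLL by bare name, the DisableRegedit policy, hard-coded name servers, AppInit_DLLs, and an extra LSA authentication package. The rules are heuristics for a human reviewer to follow up, not a verdict on any single line.

```python
"""Triage HijackThis / DDS log lines for the persistence patterns seen in this thread."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis and DDS logs posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Rick\Application Data\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: C:\WINDOWS\system32\r1lw9g.dll - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - C:\WINDOWS\system32\r1lw9g.dll
O4 - HKLM\..\Run: [HNUiOXRqtpc] C:\DOCUME~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
O4 - HKLM\..\Run: [MKese] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [mlkjkhaudio] rundll32.exe "rqpnlj.dll",s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.126,93.188.161.216
O20 - AppInit_DLLs: C:\WINDOWS\system32\winamnc.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
LSA: Authentication Packages = msv1_0 tustut.dll
"""

# Core Windows process names: a copy started from anywhere other than
# \windows\system32 (e.g. C:\WINDOWS\svchost.exe in the log) is a masquerade.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "userinit.exe", "explorer.exe",
}
LEGIT_USERINIT = "c:\\windows\\system32\\userinit.exe"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str  # log section tag, e.g. "O4" or "LSA"
    reason: str   # why the line was flagged
    line: str     # the original log line


def _exe_path(cmd: str) -> str:
    """Program part of a Run-key command, without quotes, arguments or HJT's user suffix."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" /", 1)[0].split(" (User", 1)[0]


def _check_run_entry(cmd: str, line: str) -> List[Finding]:
    found: List[Finding] = []
    dll = RUNDLL_RE.match(cmd)
    if dll and "\\" not in dll.group(1):
        # rundll32 given only a file name: the DLL is found via the search path,
        # not an explicit location (rqpnlj.dll / tustut.dll in the log).
        found.append(Finding("O4", f"rundll32 loads DLL by bare name: {dll.group(1)}", line))
        return found
    exe = _exe_path(cmd)
    low = exe.lower()
    if "\\temp\\" in low:
        found.append(Finding("O4", f"autorun from a Temp directory: {exe}", line))
    if low.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not low.startswith("c:\\windows\\system32\\"):
        found.append(Finding("O4", f"system process name outside system32: {exe}", line))
    return found


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line; lines that trip no rule are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            chain = [p for p in line.split("UserInit=", 1)[1].split(",") if p]
            extra = [p for p in chain if p.lower() != LEGIT_USERINIT]
            if extra:  # userinit.exe should be the only entry
                findings.append(Finding("F2", "UserInit chain-loads extra programs: " + "; ".join(extra), line))
        elif line.startswith("O2 - BHO: "):
            # HJT prints the registered display name first; a "name" that is the
            # DLL's own path means no name was registered at all (heuristic).
            name = line[len("O2 - BHO: "):].split(" - ", 1)[0]
            if "\\" in name:
                findings.append(Finding("O2", f"BHO with no display name: {name}", line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                findings.extend(_check_run_entry(m.group("cmd"), line))
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append(Finding("O7", "registry editor disabled by policy", line))
        elif line.startswith("O17 - ") and "NameServer" in line:
            servers = line.split("=", 1)[1].strip()
            findings.append(Finding("O17", f"hard-coded DNS servers, verify against the ISP's: {servers}", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            dlls = line.split("AppInit_DLLs:", 1)[1].strip()
            if dlls:
                findings.append(Finding("O20", f"AppInit_DLLs injected into every process: {dlls}", line))
        elif line.startswith("LSA: Authentication Packages"):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "msv1_0"]
            if extra:  # msv1_0 is the only package on a stock XP install
                findings.append(Finding("LSA", "extra LSA authentication package: " + ", ".join(extra), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```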
Rorschach112
Senior Member with 2,392 posts.
 
Join Date: Oct 2008
05-Sep-2010, 08:43 AM #2
Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
__________________
I gotta hold on to my angst. I preserve it because I need it. It keeps me sharp, on the edge, where I gotta be.
rdizy
Junior Member with 25 posts.
 
Join Date: Sep 2010
05-Sep-2010, 04:05 PM #3
Results
Thanks for your help. I really appreciate it!
I wasn't able to create an OTM file. I tried twice but the system kept restarting as soon as OTM started running. It created the folder(s) but there are no files in them.

ComboFix seemed somewhat more promising. Here are the results:


ComboFix 10-09-04.06 - Michelle 09/05/2010 12:29:32.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.957 [GMT -6:00]
Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Michelle\LOCALS~1\Temp\1916461442.exe
c:\docume~1\Michelle\LOCALS~1\Temp\1923518949.exe
c:\docume~1\Michelle\LOCALS~1\Temp\2285847336.exe
c:\docume~1\Michelle\LOCALS~1\Temp\2286062547.exe
c:\docume~1\Michelle\LOCALS~1\Temp\2358267388.exe
c:\docume~1\Michelle\LOCALS~1\Temp\278289198.exe
c:\docume~1\Michelle\LOCALS~1\Temp\avp.exe
c:\docume~1\Michelle\LOCALS~1\Temp\cmd.exe
c:\docume~1\Michelle\LOCALS~1\Temp\csrss.exe
c:\docume~1\Michelle\LOCALS~1\Temp\debug.exe
c:\docume~1\Michelle\LOCALS~1\Temp\drweb.exe
c:\docume~1\Michelle\LOCALS~1\Temp\gdi32.exe
c:\docume~1\Michelle\LOCALS~1\Temp\hexdump.exe
c:\docume~1\Michelle\LOCALS~1\Temp\iexplarer.exe
c:\docume~1\Michelle\LOCALS~1\Temp\install.exe
c:\docume~1\Michelle\LOCALS~1\Temp\login.exe
c:\docume~1\Michelle\LOCALS~1\Temp\lsass.exe
c:\docume~1\Michelle\LOCALS~1\Temp\mdm.exe
c:\docume~1\Michelle\LOCALS~1\Temp\nvsvc32.exe
c:\docume~1\Michelle\LOCALS~1\Temp\services.exe
c:\docume~1\Michelle\LOCALS~1\Temp\setup.exe
c:\docume~1\Michelle\LOCALS~1\Temp\smss.exe
c:\docume~1\Michelle\LOCALS~1\Temp\spoolsv.exe
c:\docume~1\Michelle\LOCALS~1\Temp\svchost.exe
c:\docume~1\Michelle\LOCALS~1\Temp\sysedit.exe
c:\docume~1\Michelle\LOCALS~1\Temp\system.exe
c:\docume~1\Michelle\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Michelle\LOCALS~1\Temp\user.exe
c:\docume~1\Michelle\LOCALS~1\Temp\win.exe
c:\docume~1\Michelle\LOCALS~1\Temp\win16.exe
c:\docume~1\Michelle\LOCALS~1\Temp\winamp.exe
c:\docume~1\Michelle\LOCALS~1\Temp\wininst.exe
c:\docume~1\Michelle\LOCALS~1\Temp\winlogon.exe
c:\docume~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
c:\docume~1\Rick\LOCALS~1\Temp\gdi32.exe
c:\docume~1\Rick\LOCALS~1\Temp\h90b11.exe
c:\docume~1\Rick\LOCALS~1\Temp\hexdump.exe
c:\docume~1\Rick\LOCALS~1\Temp\Hqk.exe
c:\docume~1\Rick\LOCALS~1\Temp\install.exe
c:\docume~1\Rick\LOCALS~1\Temp\nvsvc32.exe
c:\docume~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
c:\docume~1\Rick\LOCALS~1\Temp\qjfsqh.exe
c:\docume~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
c:\docume~1\Rick\LOCALS~1\Temp\services.exe
c:\docume~1\Rick\LOCALS~1\Temp\setup.exe
c:\docume~1\Rick\LOCALS~1\Temp\slxaf17d.exe
c:\docume~1\Rick\LOCALS~1\Temp\smss.exe
c:\docume~1\Rick\LOCALS~1\Temp\spoolsv.exe
c:\docume~1\Rick\LOCALS~1\Temp\svchost.exe
c:\docume~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
c:\docume~1\Rick\LOCALS~1\Temp\uxmhx.exe
c:\docume~1\Rick\LOCALS~1\Temp\win16.exe
c:\docume~1\Rick\LOCALS~1\Temp\wininst.exe
c:\docume~1\Rick\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Rick\.COMMgr
c:\documents and settings\Rick\.COMMgr\complmgr.exe
c:\documents and settings\Rick\Application Data\antispy.exe
c:\documents and settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098
c:\documents and settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\enemies-names.txt
c:\documents and settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\local.ini
c:\documents and settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\lsrslt.ini
c:\documents and settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\mediafix70700en02.exe
c:\documents and settings\Rick\Application Data\sdra64.exe
c:\documents and settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
c:\documents and settings\Rick\Local Settings\Application Data\Windows Server
c:\documents and settings\Rick\Local Settings\Application Data\Windows Server\admin.txt
c:\documents and settings\Rick\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Rick\Templates\memory.tmp
c:\windows\avp.exe
c:\windows\avp32.exe
c:\windows\cmd.exe
c:\windows\csrss.exe
c:\windows\debug.exe
c:\windows\drweb.exe
c:\windows\gdi32.exe
c:\windows\hexdump.exe
c:\windows\Hjyhua.exe
c:\windows\Hjyhub.exe
c:\windows\iexplarer.exe
c:\windows\install.exe
c:\windows\login.exe
c:\windows\lsass.exe
c:\windows\mdm.exe
c:\windows\nvsvc32.exe
c:\windows\services.exe
c:\windows\setup.exe
c:\windows\smss.exe
c:\windows\spoolsv.exe
c:\windows\svchost.exe
c:\windows\sysedit.exe
c:\windows\system.exe
c:\windows\system32\bhhgwr.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\r1LW9g.dll
c:\windows\system32\rqpnlj.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\tustut.dll
c:\windows\system32\xsryf.dll
c:\windows\taskmgr.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\user.exe
c:\windows\win.exe
c:\windows\win16.exe
c:\windows\win32.exe
c:\windows\winamp.exe
c:\windows\wininst.exe
c:\windows\winlogon.exe
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_USNJSVC
-------\Service_usnjsvc

((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
.
2010-09-05 18:01 . 2010-09-05 18:01 -------- d-----w- C:\_OTM
2010-09-04 20:58 . 2010-09-04 20:58 -------- d-----w- c:\documents and settings\Rick\Application Data\PIV
2010-09-04 20:35 . 2010-09-04 20:35 -------- d-----w- c:\windows\HNTY4AFKQW28DINT
2010-09-04 20:32 . 2010-09-04 20:32 -------- d-----w- c:\windows\FLQW28EJPV16BHNT
2010-09-04 20:31 . 2010-09-04 20:31 -------- d-----w- c:\windows\PW28DIOUZ4AGMSY4
2010-09-04 20:31 . 2010-09-04 20:31 -------- d-----w- c:\windows\MTZ5AFKQW27CIOU0
2010-09-04 20:17 . 2010-09-04 20:17 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
2010-09-04 17:24 . 2010-09-04 17:24 512 ----a-w- c:\windows\delFF.bat
2010-09-04 16:54 . 2010-09-04 16:53 789504 ----a-w- c:\windows\system32\drivers\ac97intc.sys
2010-09-04 16:54 . 2010-09-04 18:25 789504 ----a-w- c:\windows\system32\drivers\ufucpay.sys
2010-09-04 16:53 . 2010-09-04 16:53 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-09-04 16:53 . 2010-09-04 16:53 39936 ----a-w- c:\windows\system32\winamnc_backup.dll
2010-09-04 16:53 . 2010-09-05 18:41 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard
2010-09-04 16:53 . 2010-09-04 16:53 12288 ----a-w- c:\windows\system32\winbudump.exe
2010-09-04 16:53 . 2010-09-04 16:53 39936 ----a-w- c:\windows\system32\winamnc.dll
2010-09-04 16:52 . 2010-09-04 16:52 71680 ---ha-w- c:\windows\system32\cbxyab.dll
2010-09-04 16:52 . 2010-09-04 16:52 71680 ---ha-w- c:\windows\system32\opqnlj.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-04 16:55 . 2007-09-16 03:46 -------- d-----w- c:\documents and settings\Rick\Application Data\uTorrent
2010-09-04 16:53 . 2010-09-04 16:54 789504 ----a-w- c:\windows\system32\drivers\OLD84.tmp
2010-09-03 04:00 . 2007-12-22 22:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-01 23:38 . 2010-03-17 23:11 -------- d-----w- c:\documents and settings\Michelle\Application Data\Smilebox
2010-08-11 03:32 . 2007-12-12 03:52 -------- d-----w- c:\program files\Google
2010-08-10 18:01 . 2010-08-10 18:01 229376 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxPhoto.exe
2010-08-10 18:01 . 2010-02-18 00:50 415040 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxStarter.exe
2010-08-10 18:01 . 2010-02-18 00:10 169280 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxBrowserEngine.dll
2010-08-10 18:01 . 2010-02-17 23:05 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
2010-08-10 18:01 . 2010-02-17 23:05 234816 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxDvd.exe
2010-08-10 17:37 . 2010-08-10 17:37 1647936 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxClient.exe
2010-08-10 16:48 . 2010-08-10 16:48 365888 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxDvdEngine.dll
2010-08-10 16:48 . 2010-08-10 16:48 140608 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxUpdater.exe
2010-07-15 04:28 . 2010-07-15 04:28 225336 ----a-w- c:\documents and settings\Rick\Application Data\OpenDNS Updater\OpenDNS-Updater-2.2.1.exe
2010-07-15 04:28 . 2010-01-25 02:04 -------- d-----w- c:\documents and settings\Rick\Application Data\OpenDNS Updater
2010-06-30 12:31 . 2002-08-29 10:41 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2001-08-18 05:36 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2002-08-29 09:14 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2001-08-18 05:24 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 15:26 . 2007-09-17 01:07 59 ----a-w- c:\windows\wpd99.drv
2010-06-17 14:03 . 2001-08-18 05:36 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2002-08-29 10:41 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShutterflyStudio"="c:\documents and settings\Michelle\Desktop\Studio\BIN\SFlyStudio.exe" [2008-05-07 2500096]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-12 155648]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
2008-08-13 20:34 1891416 ----a-w- c:\garmin\gStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 20:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 21:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 21:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 23:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-10-18 17:34 5724184 ----a-w- c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-06-01 20:53 1093208 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Updater]
2009-11-16 19:58 839168 ----a-w- c:\program files\OpenDNS Updater\OpenDNSUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-07-12 04:46 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-08-10 18:01 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-19 01:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gupdate1c95c931cacec94"=2 (0x2)
"MsMpSvc"=2 (0x2)
"MDM"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
R2 Halt;Halt;c:\program files\Soccerwinners\Halt\Halt.exe [10/1/2007 3:39 PM 45056]
R2 HaltMonitor;HaltMonitor;c:\program files\Soccerwinners\Halt\HaltMonitor.exe [10/1/2007 3:39 PM 20480]
S2 RGFILERW;RGFILERW;\??\c:\windows\system32\Drivers\RGFILERW.SYS --> c:\windows\system32\Drivers\RGFILERW.SYS [?]
S4 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 1:52 PM 133104]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Rick\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10 PM 32768]
.
Contents of the 'Scheduled Tasks' folder
2010-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-09-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]
2010-09-04 c:\windows\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{ca4eedb3-5719-4e27-a478-8d13f761c28d} - (no file)
WebBrowser-{CA4EEDB3-5719-4E27-A478-8D13F761C28D} - (no file)
HKCU-Run-HNUiOXRneL - c:\docume~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
HKCU-Run-HNUiOXRrxc - c:\docume~1\Rick\LOCALS~1\Temp\uxmhx.exe
HKCU-Run-HNUiOXRquBc - c:\docume~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
HKCU-Run-HNUiOXRrdbc - c:\docume~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
HKCU-Run-HNUiOXRqtc - c:\docume~1\Rick\LOCALS~1\Temp\qjfsqh.exe
HKCU-Run-bywwwwaudio - rqpnlj.dll
HKCU-Run-HNUiOXRotc - c:\docume~1\Rick\LOCALS~1\Temp\hexdump.exe
HKCU-Run-HNUiOXRrg - c:\docume~1\Rick\LOCALS~1\Temp\smss.exe
HKCU-Run-MKcuc - c:\windows\lsass.exe
HKCU-Run-MKcrc - c:\windows\login.exe
HKCU-Run-MKZe - c:\windows\avp.exe
HKCU-Run-HNUiOXRsre - c:\docume~1\Rick\LOCALS~1\Temp\wininst.exe
HKCU-Run-MKbMc - c:\windows\gdi32.exe
HKCU-Run-MKexe - c:\windows\system.exe
HKCU-Run-MKetc - c:\windows\sysedit.exe
HKCU-Run-HNUiOXRsPc - c:\docume~1\Rick\LOCALS~1\Temp\win16.exe
HKCU-Run-HNUiOXRota - c:\docume~1\Rick\LOCALS~1\Temp\install.exe
HKCU-Run-MKee - c:\windows\user.exe
HKCU-Run-HNUiOXRruf - c:\docume~1\Rick\LOCALS~1\Temp\spoolsv.exe
HKCU-Run-MKayc - c:\windows\csrss.exe
HKCU-Run-MKdw+ - c:\windows\nvsvc32.exe
HKCU-Run-MKfre - c:\windows\wininst.exe
HKCU-Run-MKeuf - c:\windows\spoolsv.exe
HKCU-Run-HNUiOXRrse - c:\docume~1\Rick\LOCALS~1\Temp\svchost.exe
HKCU-Run-HNUiOXRssc - c:\docume~1\Rick\LOCALS~1\Temp\winlogon.exe
HKCU-Run-MKese - c:\windows\svchost.exe
HKCU-Run-MKeta - c:\windows\services.exe
HKCU-Run-MKbuqc - c:\windows\iexplarer.exe
HKCU-Run-HNUiOXRrta - c:\docume~1\Rick\LOCALS~1\Temp\services.exe
HKCU-Run-MKfa - c:\windows\win.exe
HKCU-Run-MKevc - c:\windows\setup.exe
HKCU-Run-MKfsc - c:\windows\winlogon.exe
HKCU-Run-MKasc - c:\windows\drweb.exe
HKCU-Run-MKbta - c:\windows\install.exe
HKCU-Run-HNUiOXRpw+ - c:\docume~1\Rick\LOCALS~1\Temp\nvsvc32.exe
HKCU-Run-HNUiOXRoMc - c:\docume~1\Rick\LOCALS~1\Temp\gdi32.exe
HKCU-Run-MKfPc - c:\windows\win16.exe
HKCU-Run-HNUiOXRrvc - c:\docume~1\Rick\LOCALS~1\Temp\setup.exe
HKCU-Run-HNUiOXRqtpc - c:\docume~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
HKCU-Run-HNUiOXRrq+ - c:\docume~1\Rick\LOCALS~1\Temp\slxaf17d.exe
HKCU-Run-HNUiOXRo_P - c:\docume~1\Rick\LOCALS~1\Temp\h90b11.exe
HKCU-Run-MKerb - c:\windows\taskmgr.exe
HKCU-Run-MKaoc - c:\windows\debug.exe
HKCU-Run-MKeg - c:\windows\smss.exe
HKCU-Run-MKfpe - c:\windows\winamp.exe
HKCU-Run-MKcZ - c:\windows\mdm.exe
HKCU-Run-HNUgoOXRa00QMichelle\LOCALS~1\Temp\2286062547.exe - c:\docume~1\Michelle\LOCALS~1\Temp\2286062547.exe
HKCU-Run-HNUgoOXRa01RMichelle\LOCALS~1\Temp\1923518949.exe - c:\docume~1\Michelle\LOCALS~1\Temp\1923518949.exe
HKCU-Run-MKZSc - c:\windows\avp32.exe
HKCU-Run-MKbtc - c:\windows\hexdump.exe
HKCU-Run-HNUgoOXRa02QMichelle\LOCALS~1\Temp\2358267388.exe - c:\docume~1\Michelle\LOCALS~1\Temp\2358267388.exe
HKCU-Run-HNUgoOXRa10QMichelle\LOCALS~1\Temp\2285847336.exe - c:\docume~1\Michelle\LOCALS~1\Temp\2285847336.exe
HKCU-Run-HNUgoOXRa22cMichelle\LOCALS~1\Temp\278289198.exe - c:\docume~1\Michelle\LOCALS~1\Temp\278289198.exe
HKCU-Run-MKaZ - c:\windows\cmd.exe
HKCU-Run-HNUgoOXRa1zPMichelle\LOCALS~1\Temp\1916461442.exe - c:\docume~1\Michelle\LOCALS~1\Temp\1916461442.exe
HKLM-Run-HNUiOXRrxc - c:\docume~1\Rick\LOCALS~1\Temp\uxmhx.exe
HKLM-Run-HNUiOXRquBc - c:\docume~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
HKLM-Run-HNUiOXRrdbc - c:\docume~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
HKLM-Run-HNUiOXRqtc - c:\docume~1\Rick\LOCALS~1\Temp\qjfsqh.exe
HKLM-Run-HNUiOXRneL - c:\docume~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
HKLM-Run-xxyyyxaudio - rqpnlj.dll
HKLM-Run-Acronis Toolbar Helper - c:\documents and settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
HKLM-Run-dddddasys - tustut.dll
HKLM-Run-HNUiOXRotc - c:\docume~1\Rick\LOCALS~1\Temp\hexdump.exe
HKLM-Run-HNUiOXRrg - c:\docume~1\Rick\LOCALS~1\Temp\smss.exe
HKLM-Run-MKcuc - c:\windows\lsass.exe
HKLM-Run-MKcrc - c:\windows\login.exe
HKLM-Run-MKZe - c:\windows\avp.exe
HKLM-Run-HNUiOXRsre - c:\docume~1\Rick\LOCALS~1\Temp\wininst.exe
HKLM-Run-MKbMc - c:\windows\gdi32.exe
HKLM-Run-MKexe - c:\windows\system.exe
HKLM-Run-MKetc - c:\windows\sysedit.exe
HKLM-Run-HNUiOXRota - c:\docume~1\Rick\LOCALS~1\Temp\install.exe
HKLM-Run-HNUiOXRsPc - c:\docume~1\Rick\LOCALS~1\Temp\win16.exe
HKLM-Run-MKee - c:\windows\user.exe
HKLM-Run-HNUiOXRruf - c:\docume~1\Rick\LOCALS~1\Temp\spoolsv.exe
HKLM-Run-MKayc - c:\windows\csrss.exe
HKLM-Run-MKdw+ - c:\windows\nvsvc32.exe
HKLM-Run-MKfre - c:\windows\wininst.exe
HKLM-Run-MKeuf - c:\windows\spoolsv.exe
HKLM-Run-HNUiOXRssc - c:\docume~1\Rick\LOCALS~1\Temp\winlogon.exe
HKLM-Run-HNUiOXRrse - c:\docume~1\Rick\LOCALS~1\Temp\svchost.exe
HKLM-Run-MKeta - c:\windows\services.exe
HKLM-Run-MKbuqc - c:\windows\iexplarer.exe
HKLM-Run-MKese - c:\windows\svchost.exe
HKLM-Run-HNUiOXRrta - c:\docume~1\Rick\LOCALS~1\Temp\services.exe
HKLM-Run-MKfa - c:\windows\win.exe
HKLM-Run-MKfsc - c:\windows\winlogon.exe
HKLM-Run-MKevc - c:\windows\setup.exe
HKLM-Run-MKbta - c:\windows\install.exe
HKLM-Run-MKasc - c:\windows\drweb.exe
HKLM-Run-HNUiOXRpw+ - c:\docume~1\Rick\LOCALS~1\Temp\nvsvc32.exe
HKLM-Run-HNUiOXRoMc - c:\docume~1\Rick\LOCALS~1\Temp\gdi32.exe
HKLM-Run-MKfPc - c:\windows\win16.exe
HKLM-Run-HNUiOXRrvc - c:\docume~1\Rick\LOCALS~1\Temp\setup.exe
HKLM-Run-HNUiOXRqtpc - c:\docume~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
HKLM-Run-HNUiOXRrq+ - c:\docume~1\Rick\LOCALS~1\Temp\slxaf17d.exe
HKLM-Run-HNUiOXRo_P - c:\docume~1\Rick\LOCALS~1\Temp\h90b11.exe
HKLM-Run-MKerb - c:\windows\taskmgr.exe
HKLM-Run-MKaoc - c:\windows\debug.exe
HKLM-Run-MKeg - c:\windows\smss.exe
HKLM-Run-MKfpe - c:\windows\winamp.exe
HKLM-Run-MKcZ - c:\windows\mdm.exe
HKLM-Run-HNUgoOXRa00QMichelle\LOCALS~1\Temp\2286062547.exe - c:\docume~1\Michelle\LOCALS~1\Temp\2286062547.exe
HKLM-Run-HNUgoOXRa01RMichelle\LOCALS~1\Temp\1923518949.exe - c:\docume~1\Michelle\LOCALS~1\Temp\1923518949.exe
HKLM-Run-MKZSc - c:\windows\avp32.exe
HKLM-Run-MKbtc - c:\windows\hexdump.exe
HKLM-Run-HNUgoOXRa02QMichelle\LOCALS~1\Temp\2358267388.exe - c:\docume~1\Michelle\LOCALS~1\Temp\2358267388.exe
HKLM-Run-HNUgoOXRa10QMichelle\LOCALS~1\Temp\2285847336.exe - c:\docume~1\Michelle\LOCALS~1\Temp\2285847336.exe
HKLM-Run-HNUgoOXRa22cMichelle\LOCALS~1\Temp\278289198.exe - c:\docume~1\Michelle\LOCALS~1\Temp\278289198.exe
HKLM-Run-MKaZ - c:\windows\cmd.exe
HKLM-Run-HNUgoOXRa1zPMichelle\LOCALS~1\Temp\1916461442.exe - c:\docume~1\Michelle\LOCALS~1\Temp\1916461442.exe
HKU-Default-Run-ssroljaudio - rqpnlj.dll
HKU-Default-Run-byyyyvsys - tustut.dll
MSConfigStartUp-Acronis Toolbar Helper - c:\documents and settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
MSConfigStartUp-COM+ Manager - c:\documents and settings\Rick\.COMMgr\complmgr.exe
MSConfigStartUp-Desktop Cleanup Wizard - c:\documents and settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
MSConfigStartUp-fcbbabaudio - rqpnlj.dll
MSConfigStartUp-fcbbxvsys - tustut.dll
MSConfigStartUp-HNUiOXRneL - c:\docume~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
MSConfigStartUp-HNUiOXRnXe - c:\docume~1\Rick\LOCALS~1\Temp\facc8ojr.exe
MSConfigStartUp-HNUiOXRoMc - c:\docume~1\Rick\LOCALS~1\Temp\gdi32.exe
MSConfigStartUp-HNUiOXRota - c:\docume~1\Rick\LOCALS~1\Temp\install.exe
MSConfigStartUp-HNUiOXRotc - c:\docume~1\Rick\LOCALS~1\Temp\hexdump.exe
MSConfigStartUp-HNUiOXRo_P - c:\docume~1\Rick\LOCALS~1\Temp\h90b11.exe
MSConfigStartUp-HNUiOXRpw+ - c:\docume~1\Rick\LOCALS~1\Temp\nvsvc32.exe
MSConfigStartUp-HNUiOXRqtc - c:\docume~1\Rick\LOCALS~1\Temp\qjfsqh.exe
MSConfigStartUp-HNUiOXRqtpc - c:\docume~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
MSConfigStartUp-HNUiOXRquBc - c:\docume~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
MSConfigStartUp-HNUiOXRrdbc - c:\docume~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
MSConfigStartUp-HNUiOXRrg - c:\docume~1\Rick\LOCALS~1\Temp\smss.exe
MSConfigStartUp-HNUiOXRrq+ - c:\docume~1\Rick\LOCALS~1\Temp\slxaf17d.exe
MSConfigStartUp-HNUiOXRrse - c:\docume~1\Rick\LOCALS~1\Temp\svchost.exe
MSConfigStartUp-HNUiOXRrta - c:\docume~1\Rick\LOCALS~1\Temp\services.exe
MSConfigStartUp-HNUiOXRruf - c:\docume~1\Rick\LOCALS~1\Temp\spoolsv.exe
MSConfigStartUp-HNUiOXRrvc - c:\docume~1\Rick\LOCALS~1\Temp\setup.exe
MSConfigStartUp-HNUiOXRrxc - c:\docume~1\Rick\LOCALS~1\Temp\uxmhx.exe
MSConfigStartUp-HNUiOXRsPc - c:\docume~1\Rick\LOCALS~1\Temp\win16.exe
MSConfigStartUp-HNUiOXRsre - c:\docume~1\Rick\LOCALS~1\Temp\wininst.exe
MSConfigStartUp-HNUiOXRssc - c:\docume~1\Rick\LOCALS~1\Temp\winlogon.exe
MSConfigStartUp-jkkihgsys - tustut.dll
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-mediafix70700en02 - c:\documents and settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\mediafix70700en02.exe
MSConfigStartUp-MKasc - c:\windows\drweb.exe
MSConfigStartUp-MKayc - c:\windows\csrss.exe
MSConfigStartUp-MKbMc - c:\windows\gdi32.exe
MSConfigStartUp-MKbta - c:\windows\install.exe
MSConfigStartUp-MKbuqc - c:\windows\iexplarer.exe
MSConfigStartUp-MKcrc - c:\windows\login.exe
MSConfigStartUp-MKcuc - c:\windows\lsass.exe
MSConfigStartUp-MKdw+ - c:\windows\nvsvc32.exe
MSConfigStartUp-MKee - c:\windows\user.exe
MSConfigStartUp-MKese - c:\windows\svchost.exe
MSConfigStartUp-MKeta - c:\windows\services.exe
MSConfigStartUp-MKetc - c:\windows\sysedit.exe
MSConfigStartUp-MKeuf - c:\windows\spoolsv.exe
MSConfigStartUp-MKevc - c:\windows\setup.exe
MSConfigStartUp-MKexe - c:\windows\system.exe
MSConfigStartUp-MKfa - c:\windows\win.exe
MSConfigStartUp-MKfPc - c:\windows\win32.exe
MSConfigStartUp-MKfre - c:\windows\wininst.exe
MSConfigStartUp-MKfsc - c:\windows\winlogon.exe
MSConfigStartUp-MKZe - c:\windows\avp.exe
MSConfigStartUp-mlkjkhaudio - rqpnlj.dll
MSConfigStartUp-rqpomlsys - tustut.dll
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-urpommaudio - rqpnlj.dll
MSConfigStartUp-urrpnnaudio - rqpnlj.dll
MSConfigStartUp-XBV6RD5SZF - c:\docume~1\Rick\LOCALS~1\Temp\Hqk.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 12:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ShutterflyStudio = c:\documents and settings\Michelle\Desktop\Studio\BIN\SFlyStudio.exe /trayonly?log??????????????????????????????????????????????????????????????? ???????????????????????????????????????????????????????????????E??????????? ????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1252)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-05 12:56:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-05 18:56
Pre-Run: 15,317,475,328 bytes free
Post-Run: 17,116,172,288 bytes free
- - End Of File - - B96B40BDE7FA8D1C6BB2051D56EECFD6
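The ComboFix log above is dominated by two patterns: files carrying the names of core Windows processes (smss.exe, csrss.exe, lsass.exe, winlogon.exe, svchost.exe) sitting in c:\windows or in a user's Temp folder instead of c:\windows\system32, and random-named executables in Temp. The triage function below is an added example, not part of the thread or of ComboFix; it applies those two heuristics to a file list, using sample paths copied from or constructed after the log, and the expected directories it assumes are the Windows XP layout the log shows.

```python
"""Triage heuristic for a ComboFix-style list of file paths.

Added example, not part of the forum thread or of ComboFix itself.
It flags two patterns visible in the log above:
  1. a file carrying the name of a Windows system process that does
     not live in the directory where that binary belongs;
  2. an executable sitting in a user's Temp folder.
It is deliberately narrow: files with unknown names outside Temp
(e.g. an .exe under Application Data) are not flagged by it.
"""
import ntpath
import re

# Core Windows process names and the directory each belongs in
# (Windows XP layout, as in the log above; an assumption of this example).
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "cmd.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Matches both the long form (Documents and Settings\<user>\Local Settings\Temp)
# and the 8.3 short form (docume~1\<user>\LOCALS~1\Temp) of a user Temp folder.
TEMP_DIR_RE = re.compile(
    r"\\(docume~1|documents and settings)\\[^\\]+\\(locals~1|local settings)\\temp(\\|$)",
    re.IGNORECASE,
)

EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


def classify_path(path):
    """Return the list of reasons this path looks suspicious (empty if none)."""
    path = path.strip()
    directory, name = ntpath.split(path)
    name_lc = name.lower()
    ext = ntpath.splitext(name_lc)[1]
    reasons = []

    # Heuristic 1: a well-known system binary name in the wrong directory.
    expected_dir = SYSTEM_BINARIES.get(name_lc)
    if expected_dir is not None and directory.lower() != expected_dir:
        reasons.append("system-binary name outside %s" % expected_dir)

    # Heuristic 2: any executable living in a user's Temp folder.
    if ext in EXECUTABLE_EXT and TEMP_DIR_RE.search(directory):
        reasons.append("executable in user Temp folder")

    return reasons


def triage(lines):
    """Run classify_path over log lines; return {path: [reasons]} for hits only."""
    hits = {}
    for line in lines:
        reasons = classify_path(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


# Constructed sample: paths taken from the log above plus two clean
# system files for contrast.
SAMPLE_LOG = """\
c:\\docume~1\\Michelle\\LOCALS~1\\Temp\\csrss.exe
c:\\docume~1\\Rick\\LOCALS~1\\Temp\\d4gtlb9.exe
c:\\documents and settings\\Rick\\Application Data\\sdra64.exe
c:\\windows\\lsass.exe
c:\\windows\\system32\\sdra64.exe
c:\\windows\\system32\\drivers\\srv.sys
c:\\windows\\explorer.exe
c:\\windows\\system32\\svchost.exe
"""

if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(path)
        for reason in reasons:
            print("    ->", reason)
```

Three of the eight sample paths are flagged; the two sdra64.exe entries are not, which is the point of the docstring's caveat: a name-and-location heuristic is a first pass, not a verdict.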
Rorschach112's Avatar
Senior Member with 2,392 posts.
 
Join Date: Oct 2008
05-Sep-2010, 05:22 PM #4
Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://forums.techguy.org/virus-other-malware-removal/947870-need-help-virus-removal.html

Collect::
c:\windows\delFF.bat
c:\windows\system32\drivers\ufucpay.sys
c:\windows\system32\pcre3.dll
c:\windows\system32\winamnc_backup.dll
c:\windows\system32\winbudump.exe
c:\windows\system32\winamnc.dll
c:\windows\system32\cbxyab.dll
c:\windows\system32\opqnlj.dll
c:\windows\system32\drivers\ac97intc.sys
c:\windows\system32\drivers\OLD84.tmp

Folder::
c:\windows\HNTY4AFKQW28DINT
c:\windows\FLQW28EJPV16BHNT
c:\windows\PW28DIOUZ4AGMSY4
c:\windows\MTZ5AFKQW27CIOU0
c:\documents and settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard

DirLook::
c:\documents and settings\Rick\Application Data\PIV

File::

Suspect::
Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
__________________
I gotta hold on to my angst. I preserve it because I need it. It keeps me sharp, on the edge, where I gotta be.
rdizy's Avatar
Junior Member with 25 posts.
 
Join Date: Sep 2010
05-Sep-2010, 09:05 PM #5
Results
This is the log file (I didn't get prompted with a message box...)

ComboFix 10-09-04.06 - Michelle 09/05/2010 17:45:42.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.919 [GMT -6:00]
Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michelle\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
file zipped: c:\windows\delFF.bat
file zipped: c:\windows\system32\cbxyab.dll
file zipped: c:\windows\system32\drivers\ac97intc.sys
file zipped: c:\windows\system32\drivers\OLD84.tmp
file zipped: c:\windows\system32\drivers\ufucpay.sys
file zipped: c:\windows\system32\opqnlj.dll
file zipped: c:\windows\system32\pcre3.dll
file zipped: c:\windows\system32\winamnc.dll
file zipped: c:\windows\system32\winamnc_backup.dll
file zipped: c:\windows\system32\winbudump.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard
c:\windows\delFF.bat
c:\windows\FLQW28EJPV16BHNT
c:\windows\HNTY4AFKQW28DINT
c:\windows\MTZ5AFKQW27CIOU0
c:\windows\PW28DIOUZ4AGMSY4
c:\windows\system32\cbxyab.dll
c:\windows\system32\drivers\ac97intc.sys
c:\windows\system32\drivers\OLD84.tmp
c:\windows\system32\drivers\ufucpay.sys
c:\windows\system32\opqnlj.dll
c:\windows\system32\pcre3.dll
c:\windows\system32\winamnc.dll
c:\windows\system32\winamnc_backup.dll
c:\windows\system32\winbudump.exe
.
((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
.
2010-09-05 23:08 . 2010-09-05 23:10 -------- d-----w- c:\documents and settings\Michelle\Local Settings\Application Data\PhotoChannel
2010-09-05 18:01 . 2010-09-05 18:01 -------- d-----w- C:\_OTM
2010-09-04 20:58 . 2010-09-04 20:58 -------- d-----w- c:\documents and settings\Rick\Application Data\PIV
2010-09-04 20:17 . 2010-09-04 20:17 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
2010-09-04 16:54 . 2001-08-17 18:20 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 22:48 . 2010-03-17 23:11 -------- d-----w- c:\documents and settings\Michelle\Application Data\Smilebox
2010-09-04 16:55 . 2007-09-16 03:46 -------- d-----w- c:\documents and settings\Rick\Application Data\uTorrent
2010-09-03 04:00 . 2007-12-22 22:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-11 03:32 . 2007-12-12 03:52 -------- d-----w- c:\program files\Google
2010-08-10 18:01 . 2010-08-10 18:01 229376 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxPhoto.exe
2010-08-10 18:01 . 2010-02-18 00:50 415040 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxStarter.exe
2010-08-10 18:01 . 2010-02-18 00:10 169280 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxBrowserEngine.dll
2010-08-10 18:01 . 2010-02-17 23:05 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
2010-08-10 18:01 . 2010-02-17 23:05 234816 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxDvd.exe
2010-08-10 17:37 . 2010-08-10 17:37 1647936 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxClient.exe
2010-08-10 16:48 . 2010-08-10 16:48 365888 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxDvdEngine.dll
2010-08-10 16:48 . 2010-08-10 16:48 140608 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxUpdater.exe
2010-07-15 04:28 . 2010-07-15 04:28 225336 ----a-w- c:\documents and settings\Rick\Application Data\OpenDNS Updater\OpenDNS-Updater-2.2.1.exe
2010-07-15 04:28 . 2010-01-25 02:04 -------- d-----w- c:\documents and settings\Rick\Application Data\OpenDNS Updater
2010-06-30 12:31 . 2002-08-29 10:41 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2001-08-18 05:36 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2002-08-29 09:14 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2001-08-18 05:24 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 15:26 . 2007-09-17 01:07 59 ----a-w- c:\windows\wpd99.drv
2010-06-17 14:03 . 2001-08-18 05:36 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Rick\Application Data\PIV ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShutterflyStudio"="c:\documents and settings\Michelle\Desktop\Studio\BIN\SFlyStudio.exe" [2008-05-07 2500096]
"SmileboxTray"="c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe" [2010-08-10 304448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-12 155648]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
2008-08-13 20:34 1891416 ----a-w- c:\garmin\gStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 20:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 21:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 21:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 23:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-10-18 17:34 5724184 ----a-w- c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-06-01 20:53 1093208 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Updater]
2009-11-16 19:58 839168 ----a-w- c:\program files\OpenDNS Updater\OpenDNSUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-07-12 04:46 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-08-10 18:01 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-19 01:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gupdate1c95c931cacec94"=2 (0x2)
"MsMpSvc"=2 (0x2)
"MDM"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
R2 Halt;Halt;c:\program files\Soccerwinners\Halt\Halt.exe [10/1/2007 3:39 PM 45056]
R2 HaltMonitor;HaltMonitor;c:\program files\Soccerwinners\Halt\HaltMonitor.exe [10/1/2007 3:39 PM 20480]
S2 RGFILERW;RGFILERW;\??\c:\windows\system32\Drivers\RGFILERW.SYS --> c:\windows\system32\Drivers\RGFILERW.SYS [?]
S4 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 1:52 PM 133104]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Rick\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10 PM 32768]
.
Contents of the 'Scheduled Tasks' folder
2010-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-09-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]
2010-09-04 c:\windows\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 17:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ShutterflyStudio = c:\documents and settings\Michelle\Desktop\Studio\BIN\SFlyStudio.exe /trayonly?log??????????????????????????????????????????????????????????????? ???????????????????????????????????????????????????????????????E??????????? ????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3276)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-05 18:01:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-06 00:01
ComboFix2.txt 2010-09-05 18:56
Pre-Run: 16,834,838,528 bytes free
Post-Run: 16,913,338,368 bytes free
- - End Of File - - C32E847AB0C69F039D415F1C1046A137
Rorschach112
Senior Member with 2,392 posts.
Join Date: Oct 2008
06-Sep-2010, 10:10 AM #6
Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    c:\documents and settings\Rick\Application Data\PIV
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
__________________
I gotta hold on to my angst. I preserve it because I need it. It keeps me sharp, on the edge, where I gotta be.
rdizy
Junior Member with 25 posts.
Join Date: Sep 2010
06-Sep-2010, 04:50 PM #7
Results
OTM Results:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Michelle\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Michelle\Desktop\cmd.txt deleted successfully.
c:\documents and settings\Rick\Application Data\PIV folder moved successfully.
========== COMMANDS ==========
C:\Documents and Settings\Michelle\My Documents\Tаsks\Tаsks folder moved successfully.
C:\Documents and Settings\Michelle\My Documents\Tаsks folder moved successfully.
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: Matthew and Caleb
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 18762 bytes

User: Michelle
->Temp folder emptied: 1144 bytes
->Temporary Internet Files folder emptied: 100867465 bytes
->Java cache emptied: 64956334 bytes
->Flash cache emptied: 2007375 bytes

User: NetworkService
->Temp folder emptied: 4008 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 996 bytes

User: Rick
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 61426973 bytes
->Google Chrome cache emptied: 8867976 bytes
->Flash cache emptied: 2222 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 11887 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 227.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.15.0 log created on 09062010_093416
Files moved on Reboot...
Registry entries deleted on Reboot...




Malware Bytes Results:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4554
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
9/6/2010 9:58:38 AM
mbam-log-2010-09-06 (09-58-38).txt
Scan type: Quick scan
Objects scanned: 162899
Time elapsed: 6 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Amnesiac (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)



Kaspersky Results:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 6, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 06, 2010 11:06:03
Records in database: 4196714
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Objects scanned: 109516
Threats found: 7
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 03:04:38

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Rick\.COMMgr\complmgr.exe.vir Infected: Trojan.Win32.Scar.crkt 1
C:\Qoobox\Quarantine\C\Documents and Settings\Rick\Application Data\antispy.exe.vir Infected: Trojan.Win32.FakeAV.esd 1
C:\Qoobox\Quarantine\C\Documents and Settings\Rick\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll.vir Infected: not-a-virus:FraudTool.Win32.DiskCleanup.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\Rick\Templates\memory.tmp.vir Infected: Trojan.Win32.Oficla.gh 1
C:\Qoobox\Quarantine\C\DOCUME~1\Rick\LOCALS~1\temp\Hqk.exe.vir Infected: Trojan-Downloader.Win32.CodecPack.mlv 1
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\Qoobox\Quarantine\C\WINDOWS\Hjyhua.exe.vir Infected: Trojan-Downloader.Win32.CodecPack.mlw 1
C:\Qoobox\Quarantine\C\WINDOWS\Hjyhub.exe.vir Infected: Trojan-Downloader.Win32.CodecPack.mlw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\Qoobox\Quarantine\[4]-Submit_2010-09-05_17.45.21.zip Infected: not-a-virus:FraudTool.Win32.DiskCleanup.c 2
Selected area has been scanned.
Rorschach112
Senior Member with 2,392 posts.
Join Date: Oct 2008
06-Sep-2010, 04:59 PM #8
Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
rdizy
Junior Member with 25 posts.
Join Date: Sep 2010
06-Sep-2010, 09:26 PM #9
Thanks for your help. I will remove ComboFix and check out your guide.
When logging in as another user, I get "Error Loading rqpnlj.dll", but everything still seems to work. I think I can use msconfig to remove that from the startup? When I use msconfig, there is still a lot of junk (selected) in the StartUp. I can disable everything and just add back stuff as required... is this a good approach, or is there a better way to remove these items altogether?
Rorschach112
Senior Member with 2,392 posts.
Join Date: Oct 2008
07-Sep-2010, 10:59 AM #10
Post me a new HJT log.
rdizy
Junior Member with 25 posts.
Join Date: Sep 2010
08-Sep-2010, 12:07 AM #11
Results
New HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:15 PM, on 9/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\program files\soccerwinners\halt\halt.exe
c:\program files\soccerwinners\halt\haltmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login...a.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [HNUiOXRrvc0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [HNUiOXRquBc] C:\DOCUME~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
O4 - HKCU\..\Run: [HNUiOXRrdbc] C:\DOCUME~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
O4 - HKCU\..\Run: [HNUiOXRqtc] C:\DOCUME~1\Rick\LOCALS~1\Temp\qjfsqh.exe
O4 - HKCU\..\Run: [HNUiOXRrxc] C:\DOCUME~1\Rick\LOCALS~1\Temp\uxmhx.exe
O4 - HKCU\..\Run: [HNUiOXRqtpc] C:\DOCUME~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
O4 - HKCU\..\Run: [HNUiOXRo_P] C:\DOCUME~1\Rick\LOCALS~1\Temp\h90b11.exe
O4 - HKCU\..\Run: [HNUiOXRrq+] C:\DOCUME~1\Rick\LOCALS~1\Temp\slxaf17d.exe
O4 - HKCU\..\Run: [HNUiOXRneL] C:\DOCUME~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
O4 - HKCU\..\Run: [ddawuuaudio] rundll32.exe "rqpnlj.dll",s
O4 - HKCU\..\Run: [HNUiOXRrvc] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe
O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - HKCU\..\Run: [HNUiOXRrg] C:\DOCUME~1\Rick\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [MKexe] C:\WINDOWS\system.exe
O4 - HKCU\..\Run: [MKbMc] C:\WINDOWS\gdi32.exe
O4 - HKCU\..\Run: [HNUiOXRsre] C:\DOCUME~1\Rick\LOCALS~1\Temp\wininst.exe
O4 - HKCU\..\Run: [MKcuc] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKCU\..\Run: [MKee] C:\WINDOWS\user.exe
O4 - HKCU\..\Run: [HNUiOXRsPc] C:\DOCUME~1\Rick\LOCALS~1\Temp\win16.exe
O4 - HKCU\..\Run: [HNUiOXRota] C:\DOCUME~1\Rick\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [HNUiOXRruf] C:\DOCUME~1\Rick\LOCALS~1\Temp\spoolsv.exe
O4 - HKCU\..\Run: [MKayc] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKCU\..\Run: [MKese] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MKeta] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [MKeuf] C:\WINDOWS\spoolsv.exe
O4 - HKCU\..\Run: [HNUiOXRssc] C:\DOCUME~1\Rick\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [HNUiOXRrse] C:\DOCUME~1\Rick\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [MKbuqc] C:\WINDOWS\iexplarer.exe
O4 - HKCU\..\Run: [HNUiOXRrta] C:\DOCUME~1\Rick\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [MKfa] C:\WINDOWS\win.exe
O4 - HKCU\..\Run: [HNUiOXRotc] C:\DOCUME~1\Rick\LOCALS~1\Temp\hexdump.exe
O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKCU\..\Run: [MKbta] C:\WINDOWS\install.exe
O4 - HKCU\..\Run: [MKasc] C:\WINDOWS\drweb.exe
O4 - HKCU\..\Run: [MKfsc] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [HNUiOXRpw+] C:\DOCUME~1\Rick\LOCALS~1\Temp\nvsvc32.exe
O4 - HKCU\..\Run: [HNUiOXRoMc] C:\DOCUME~1\Rick\LOCALS~1\Temp\gdi32.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [mediafix70700en02.exe] C:\Documents and Settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\mediafix70700en02.exe
O4 - HKCU\..\Run: [XBV6RD5SZF] C:\DOCUME~1\Rick\LOCALS~1\Temp\Hqk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2527309032-1139936588-3641913080-1007\..\Run: [ShutterflyStudio] C:\Documents and Settings\Michelle\Desktop\Studio\BIN\SFlyStudio.exe /trayonly (User 'Michelle')
O4 - HKUS\S-1-5-21-2527309032-1139936588-3641913080-1007\..\Run: [HNUiOXRrvc0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe (User 'Michelle')
O4 - HKUS\S-1-5-21-2527309032-1139936588-3641913080-1007\..\Run: [SmileboxTray] "C:\Documents and Settings\Michelle\Application Data\Smilebox\SmileboxTray.exe" (User 'Michelle')
O4 - HKUS\S-1-5-21-2527309032-1139936588-3641913080-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Michelle')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://securedoc.saskpower.com/qp2.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179431535093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1180668558656
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://www.walmartphotocentre.ca/upl...eX_Control.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://www.walmartphotocentre.ca/upl...pv2.0.0.12.cab?
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Halt - - c:\program files\soccerwinners\halt\halt.exe
O23 - Service: HaltMonitor - - c:\program files\soccerwinners\halt\haltmonitor.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 9043 bytes
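The O4 section of the HJT log above is where the malicious autostarts show: launchers in the user's Temp folder, copies of core system binaries (winlogon.exe, svchost.exe, lsass.exe) sitting in C:\WINDOWS instead of system32, a rundll32 entry that loads a DLL by bare name, and a 32-hex-character Application Data folder. As an added example, not part of this thread or of HijackThis, the script below parses O4 lines and applies those checks to a sample copied from the log; the function names and the allowlist of executables expected directly in the Windows root are this example's own assumptions, and it runs over any O4 list, not just these lines.

```python
"""Triage HijackThis O4 (autostart) lines with a few defender heuristics.

Added example for this thread, not code from HijackThis or any tool used
here. SAMPLE_O4 is copied from the HJT log posted above; function names and
the WINROOT_ALLOW list are this example's own assumptions.
"""
import ntpath
import re
from typing import Dict, List, Optional

# O4 - HKLM\..\Run: [Name] command   (HKUS entries add a SID after the hive
# and a trailing "(User 'x')" marker)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)(?P<sid>\\S-[\d-]+)?\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>.*?)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# First token of the command: optionally quoted path ending in a known
# extension, then whatever arguments remain.
EXE_RE = re.compile(
    r'^"?(?P<exe>.*?\.(?:exe|dll|bat|cmd|scr))"?(?:\s+(?P<args>.*))?$', re.I
)
# Core binaries that only belong in %WINDIR%\system32; the posted log shows
# copies of these names under C:\WINDOWS and under the user's Temp folder.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Assumed, deliberately short allowlist of executables that legitimately sit
# directly in the XP Windows root; anything else there deserves a look.
WINROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                 "winhlp32.exe", "twunk_16.exe", "twunk_32.exe"}


def parse_o4(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one O4 line into hive, value name, executable, args and user."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe_m = EXE_RE.match(m.group("cmd"))
    exe = exe_m.group("exe") if exe_m else m.group("cmd")
    args = (exe_m.group("args") or "") if exe_m else ""
    return {"hive": m.group("hive"), "name": m.group("name"),
            "exe": exe, "args": args, "user": m.group("user")}


def suspicion_reasons(entry: Dict[str, Optional[str]]) -> List[str]:
    """Path-based checks; an empty list means 'nothing obvious'."""
    low = (entry["exe"] or "").lower()
    base, folder = ntpath.basename(low), ntpath.dirname(low)
    reasons: List[str] = []
    if "\\temp\\" in low:
        reasons.append("launched from a Temp folder")
    if base in SYSTEM32_ONLY and not folder.endswith("\\system32"):
        reasons.append(f"system binary name {base} outside system32")
    if re.fullmatch(r"[a-z]:\\windows", folder) and base not in WINROOT_ALLOW:
        reasons.append("unexpected executable directly in the Windows root")
    if re.search(r"\\application data\\[0-9a-f]{32}\\", low):
        reasons.append("32-hex-character Application Data folder name")
    if base == "rundll32.exe":
        # rundll32 "name.dll",entry with no path is resolved through the DLL
        # search path, so the loader takes whichever copy it finds first.
        dll = (entry["args"] or "").split(",")[0].strip().strip('"')
        if "\\" not in dll:
            reasons.append(f"rundll32 loads {dll} by bare name")
    return reasons


def triage_o4(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the entries that trip at least one heuristic."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


# Sample input: O4 lines copied from the HJT log posted above.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKCU\..\Run: [ddawuuaudio] rundll32.exe "rqpnlj.dll",s',
    r"O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe",
    r"O4 - HKCU\..\Run: [MKese] C:\WINDOWS\svchost.exe",
    r"O4 - HKCU\..\Run: [HNUiOXRssc] C:\DOCUME~1\Rick\LOCALS~1\Temp\winlogon.exe",
    r"O4 - HKCU\..\Run: [mediafix70700en02.exe] C:\Documents and Settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\mediafix70700en02.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-21-2527309032-1139936588-3641913080-1007\..\Run: [ShutterflyStudio] C:\Documents and Settings\Michelle\Desktop\Studio\BIN\SFlyStudio.exe /trayonly (User 'Michelle')",
    r"O4 - HKUS\S-1-5-21-2527309032-1139936588-3641913080-1007\..\Run: [HNUiOXRrvc0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe (User 'Michelle')",
]

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4):
        who = f"  (user {f['user']})" if f["user"] else ""
        print(f"[{f['hive']}] {f['name']}: {f['exe']}{who}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

QuickTime, ctfmon.exe and ShutterflyStudio pass every check, which is the point: heuristics like these shortlist what to look at, they do not replace reading the log.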
Rorschach112
Senior Member with 2,392 posts.
Join Date: Oct 2008
08-Sep-2010, 10:03 AM #12
Fix these with HJT:


O4 - HKLM\..\Run: [HNUiOXRrvc0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [HNUiOXRquBc] C:\DOCUME~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
O4 - HKCU\..\Run: [HNUiOXRrdbc] C:\DOCUME~1\Rick\LOCALS~1\Temp\t3azgkc8g.exe
O4 - HKCU\..\Run: [HNUiOXRqtc] C:\DOCUME~1\Rick\LOCALS~1\Temp\qjfsqh.exe
O4 - HKCU\..\Run: [HNUiOXRrxc] C:\DOCUME~1\Rick\LOCALS~1\Temp\uxmhx.exe
O4 - HKCU\..\Run: [HNUiOXRqtpc] C:\DOCUME~1\Rick\LOCALS~1\Temp\ojyocijmf.exe
O4 - HKCU\..\Run: [HNUiOXRo_P] C:\DOCUME~1\Rick\LOCALS~1\Temp\h90b11.exe
O4 - HKCU\..\Run: [HNUiOXRrq+] C:\DOCUME~1\Rick\LOCALS~1\Temp\slxaf17d.exe
O4 - HKCU\..\Run: [HNUiOXRneL] C:\DOCUME~1\Rick\LOCALS~1\Temp\d4gtlb9.exe
O4 - HKCU\..\Run: [ddawuuaudio] rundll32.exe "rqpnlj.dll",s
O4 - HKCU\..\Run: [HNUiOXRrvc] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe
O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - HKCU\..\Run: [HNUiOXRrg] C:\DOCUME~1\Rick\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [MKexe] C:\WINDOWS\system.exe
O4 - HKCU\..\Run: [MKbMc] C:\WINDOWS\gdi32.exe
O4 - HKCU\..\Run: [HNUiOXRsre] C:\DOCUME~1\Rick\LOCALS~1\Temp\wininst.exe
O4 - HKCU\..\Run: [MKcuc] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKCU\..\Run: [MKee] C:\WINDOWS\user.exe
O4 - HKCU\..\Run: [HNUiOXRsPc] C:\DOCUME~1\Rick\LOCALS~1\Temp\win16.exe
O4 - HKCU\..\Run: [HNUiOXRota] C:\DOCUME~1\Rick\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [HNUiOXRruf] C:\DOCUME~1\Rick\LOCALS~1\Temp\spoolsv.exe
O4 - HKCU\..\Run: [MKayc] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKCU\..\Run: [MKese] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MKeta] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [MKeuf] C:\WINDOWS\spoolsv.exe
O4 - HKCU\..\Run: [HNUiOXRssc] C:\DOCUME~1\Rick\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [HNUiOXRrse] C:\DOCUME~1\Rick\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [MKbuqc] C:\WINDOWS\iexplarer.exe
O4 - HKCU\..\Run: [HNUiOXRrta] C:\DOCUME~1\Rick\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [MKfa] C:\WINDOWS\win.exe
O4 - HKCU\..\Run: [HNUiOXRotc] C:\DOCUME~1\Rick\LOCALS~1\Temp\hexdump.exe
O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKCU\..\Run: [MKbta] C:\WINDOWS\install.exe
O4 - HKCU\..\Run: [MKasc] C:\WINDOWS\drweb.exe
O4 - HKCU\..\Run: [MKfsc] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [HNUiOXRpw+] C:\DOCUME~1\Rick\LOCALS~1\Temp\nvsvc32.exe
O4 - HKCU\..\Run: [HNUiOXRoMc] C:\DOCUME~1\Rick\LOCALS~1\Temp\gdi32.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [mediafix70700en02.exe] C:\Documents and Settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\mediafix70700en02.exe
O4 - HKCU\..\Run: [XBV6RD5SZF] C:\DOCUME~1\Rick\LOCALS~1\Temp\Hqk.exe
O4 - HKUS\S-1-5-21-2527309032-1139936588-3641913080-1007\..\Run: [HNUiOXRrvc0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe (User 'Michelle')



Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Minimal Output at the top
  • Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.
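The O4 list above is what a responder flags by eye: autostarts launching from the user's Temp folder, copies of core Windows process names (lsass.exe, csrss.exe, smss.exe, ...) sitting in C:\WINDOWS instead of system32, a rundll32 entry loading a DLL by bare name, and an executable inside a 32-hex-character Application Data folder. The script below is an added example for this thread, not code from HijackThis or OTL; it applies those same checks to the O4 lines of an HJT log so that the benign entry (the QuickTime task) is left alone and everything else becomes a fix list. The heuristics, the function names and the SYSTEM32_PROCESSES allow-list are this example's assumptions; the embedded sample is an excerpt of the lines posted above. Keep in mind that ticking an O4 line in HJT removes the Run value only; the file it points to stays on disk until it is deleted separately.

```python
"""Triage the O4 (Run-key autostart) lines of a HijackThis log.

Added example for this thread, not code from HijackThis or OTL. The rules
mirror what a responder applies by eye to the O4 block posted above:
  * the autostart launches from a Temp directory,
  * a core Windows process name (lsass.exe, csrss.exe, ...) lives outside
    %SystemRoot%\\system32, i.e. a process-name masquerade,
  * rundll32.exe loads a DLL by bare name, resolved through the search path,
  * the executable sits loose in %SystemRoot%, or inside a 32-hex-character
    Application Data folder (the layout of the rogue AV seen in this log).
The allow-list and the rules themselves are this example's assumptions.
"""
import ntpath
import re

# Real XP processes whose only legitimate home is %SystemRoot%\system32.
# explorer.exe is deliberately absent: it lives in %SystemRoot% itself.
SYSTEM32_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# O4 - <hive>\..\Run: [<value name>] <command> [(User '<name>')]
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# HJT prints paths unquoted, so cut an unquoted command at the first
# executable extension rather than at the first space.
UNQUOTED_EXE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(.*))?$",
                          re.IGNORECASE)
HEX32_DIR = re.compile(r"\\[0-9A-F]{32}\\", re.IGNORECASE)


def split_command(cmd):
    """Return (executable, remaining arguments) from a Run-key command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED_EXE.match(cmd)
    if m:
        return m.group(1), (m.group(2) or "")
    parts = cmd.split(None, 1)                   # no known extension: first token
    return parts[0], (parts[1] if len(parts) > 1 else "")


def flags_for(exe, args):
    """Heuristic findings for one autostart; an empty list means no rule fired."""
    flags = []
    low = exe.lower()
    base, directory = ntpath.basename(low), ntpath.dirname(low)
    if "\\temp\\" in low:
        flags.append("runs from Temp")
    if base in SYSTEM32_PROCESSES and not directory.endswith("\\system32"):
        flags.append("system process name outside system32")
    if base == "rundll32.exe":
        dll = args.split(",")[0].strip().strip('"')
        if "\\" not in dll:                      # bare name: found via search path
            flags.append("rundll32 loads DLL by bare name")
    if directory == "c:\\windows":
        flags.append("loose executable in %SystemRoot%")
    if HEX32_DIR.search(exe):
        flags.append("executable in 32-hex-char Application Data folder")
    return flags


def triage(log_text):
    """Parse every O4 line; return a list of (hive, value name, exe, flags)."""
    results = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        results.append((m.group("hive"), m.group("name"), exe, flags_for(exe, args)))
    return results


def fix_list(log_text):
    """The O4 lines to tick in HJT: every entry with at least one finding."""
    selected = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m and flags_for(*split_command(m.group("cmd"))):
            selected.append(line.strip())
    return selected


# Excerpt of the O4 block posted in this thread, including the benign
# QuickTime entry that must stay unflagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [HNUiOXRquBc] C:\DOCUME~1\Rick\LOCALS~1\Temp\rqnlo65i1.exe
O4 - HKCU\..\Run: [ddawuuaudio] rundll32.exe "rqpnlj.dll",s
O4 - HKCU\..\Run: [MKcuc] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [HNUiOXRrg] C:\DOCUME~1\Rick\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [mediafix70700en02.exe] C:\Documents and Settings\Rick\Application Data\FA9143CF4CEECA871857A5FC7581E098\mediafix70700en02.exe
O4 - HKUS\S-1-5-21-2527309032-1139936588-3641913080-1007\..\Run: [HNUiOXRrvc0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3] C:\DOCUME~1\Rick\LOCALS~1\Temp\setup.exe (User 'Michelle')
"""

if __name__ == "__main__":
    for hive, name, exe, flags in triage(SAMPLE_LOG):
        verdict = "; ".join(flags) if flags else "no finding"
        print(f"{hive[:4]} [{name[:20]}] {exe} -> {verdict}")
    print(f"{len(fix_list(SAMPLE_LOG))} of {len(triage(SAMPLE_LOG))} entries to fix")
```

To use it on a real log, pass the whole file to triage() or fix_list(); the six flagged sample entries are exactly the ones to tick in HJT, and the QuickTime task comes back with no finding. An entry with no finding still deserves a look: a loader with an innocuous path and a plausible name passes every rule here, which is why the helper follows the HJT fix with an OTL scan rather than stopping at the Run keys.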
rdizy
Junior Member with 25 posts.
Join Date: Sep 2010
08-Sep-2010, 10:52 PM #13
I fixed the entries using HJT and ran OTL with scan.txt

One file was created called Otl.txt (I didn't see Extras.txt)


OTL logfile created on: 9/8/2010 7:48:49 PM - Run 4
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Rick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 15.19 Gb Free Space | 20.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 37.26 Gb Total Space | 8.06 Gb Free Space | 21.65% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOMEPC3
Current User Name: Rick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Rick\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Michelle\Application Data\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
PRC - C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Michelle\Desktop\Studio\Bin\SFlyStudio.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - c:\Program Files\Soccerwinners\Halt\Halt.exe ( )
PRC - c:\Program Files\Soccerwinners\Halt\HaltMonitor.exe ( )
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Rick\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (LeapFrog Connect Device Service) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
SRV - (getPlus(R) Helper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (NOS Microsystems Ltd.)
SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (Halt) -- c:\Program Files\Soccerwinners\Halt\Halt.exe ( )
SRV - (HaltMonitor) -- c:\Program Files\Soccerwinners\Halt\HaltMonitor.exe ( )
SRV - (LkWebLink) -- C:\Documents and Settings\Rick\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe (Inter-Tel (Delaware), Inc)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)


========== Driver Services (SafeList) ==========

DRV - (RGFILERW) -- C:\WINDOWS\System32\Drivers\RGFILERW.SYS File not found
DRV - (iAimTV2) -- C:\WINDOWS\System32\DRIVERS\wATV03nt.sys File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM) -- C:\WINDOWS\System32\drivers\ac97intc.sys File not found
DRV - (MpFilter) -- C:\WINDOWS\system32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (SCDEmu) -- C:\WINDOWS\System32\drivers\scdemu.sys (PowerISO Computing, Inc.)
DRV - (PID_08A0) QuickCam IM(PID_08A0) -- C:\WINDOWS\system32\drivers\LV302AV.SYS (Logitech Inc.)
DRV - (pepifilter) -- C:\WINDOWS\system32\drivers\lv302af.sys (Logitech Inc.)
DRV - (LVUSBSta) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (iAimFP4) -- C:\WINDOWS\system32\drivers\wvchntxx.sys (Intel(R) Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\system32\drivers\wsiintxx.sys (Intel(R) Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\system32\drivers\wch7xxnt.sys (Intel(R) Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\system32\drivers\watv04nt.sys (Intel(R) Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\system32\drivers\watv02nt.sys (Intel(R) Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\system32\drivers\watv01nt.sys (Intel(R) Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\system32\drivers\wadv01nt.sys (Intel(R) Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\system32\drivers\wadv02nt.sys (Intel(R) Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\system32\drivers\wadv05nt.sys (Intel(R) Corporation)
DRV - (i81x) -- C:\WINDOWS\system32\drivers\i81xnt5.sys (Intel(R) Corporation)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (adpu320) -- C:\WINDOWS\System32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (Symmpi) -- C:\WINDOWS\System32\DRIVERS\symmpi.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\System32\DRIVERS\symc810.sys (Symbios Logic Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login...a.my.yahoo.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost



O1 HOSTS File: ([2010/09/06 09:34:17 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} https://securedoc.saskpower.com/qp2.cab (QuickPlace Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/...oUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/s...irector/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} http://download.microsoft.com/downlo...0/pmupd806.exe (MSN Money Charting)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/...toUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsu...?1179431535093 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/micr...?1180668558656 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/...Uploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterfly.com/downloads/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.walmartphotocentre.ca/upl...eX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/...ndows-i586.cab (Java Plug-in 1.4.1_02)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub...sh/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} http://www.walmartphotocentre.ca/upl...pv2.0.0.12.cab? (Photo Upload Plugin Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220 65.87.230.4
O18 - Protocol\Handler\intu-qt2007 {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll File not found
O18 - Protocol\Handler\intu-qt2008 {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-qt2009 {03947252-2355-4e9b-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/12/21 06:18:12 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/09/08 19:24:00 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2010/09/06 09:49:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/06 09:49:55 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/06 09:49:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/06 09:35:38 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/09/05 18:01:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/09/05 12:13:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/05 12:01:57 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/09/04 11:05:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/09/04 11:05:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

========== Files - Modified Within 90 Days ==========

[2010/09/08 19:26:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/08 19:24:04 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2010/09/07 21:01:33 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/07 19:26:11 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
[2010/09/07 06:59:52 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/09/07 06:54:29 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/07 06:54:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/07 06:54:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/07 06:54:16 | 1601,753,088 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/06 21:46:19 | 007,077,888 | -H-- | M] () -- C:\Documents and Settings\Rick\NTUSER.DAT
[2010/09/06 21:46:19 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Rick\ntuser.ini
[2010/09/06 21:46:11 | 004,845,254 | -H-- | M] () -- C:\Documents and Settings\Rick\Local Settings\Application Data\IconCache.db
[2010/09/06 09:49:58 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/06 09:34:17 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/09/05 17:52:43 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/04 15:58:18 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/09/04 15:58:17 | 000,000,946 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/04 15:13:19 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Rick\Desktop\HijackThis.lnk
[2010/09/04 14:50:41 | 000,001,664 | ---- | M] () -- C:\WINDOWS\lsrslt.ini
[2010/08/25 22:27:25 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/08/14 11:23:50 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2010/08/13 13:28:06 | 000,468,244 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/13 13:28:06 | 000,078,668 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/13 13:28:03 | 000,554,062 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/12 22:46:55 | 000,346,608 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/12 22:25:43 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/21 21:21:52 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2010/07/21 21:21:52 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2010/06/20 21:54:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2010/06/20 21:54:23 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2010/06/18 09:26:05 | 000,000,059 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2010/06/12 20:08:26 | 000,217,600 | ---- | M] () -- C:\Documents and Settings\Rick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2010/09/06 09:49:58 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/04 16:12:52 | 1601,753,088 | -HS- | C] () -- C:\hiberfil.sys
[2010/09/04 15:13:19 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Rick\Desktop\HijackThis.lnk
[2010/09/04 14:50:41 | 000,001,664 | ---- | C] () -- C:\WINDOWS\lsrslt.ini
[2010/07/21 21:21:52 | 000,000,244 | -H-- | C] () -- C:\sqmnoopt14.sqm
[2010/07/21 21:21:52 | 000,000,232 | -H-- | C] () -- C:\sqmdata13.sqm
[2010/06/29 07:37:38 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/20 21:54:23 | 000,000,244 | -H-- | C] () -- C:\sqmnoopt13.sqm
[2010/06/20 21:54:23 | 000,000,232 | -H-- | C] () -- C:\sqmdata12.sqm
[2010/04/07 16:49:45 | 000,000,110 | ---- | C] () -- C:\WINDOWS\{7E7D778E-121D-4BBD-BA29-FAA81B9FBD8C}_WiseFW.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/10/17 08:43:06 | 000,000,240 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/10/17 08:42:59 | 000,000,047 | ---- | C] () -- C:\WINDOWS\PWP.INI
[2008/08/23 21:21:07 | 000,000,442 | ---- | C] () -- C:\WINDOWS\REGENUNINS.INI
[2008/08/23 21:20:51 | 000,003,702 | ---- | C] () -- C:\WINDOWS\REGENCALL.INI
[2008/06/20 08:28:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/02/29 13:08:17 | 000,000,801 | ---- | C] () -- C:\WINDOWS\disney.ini
[2007/12/10 20:56:34 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/09/16 19:08:18 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2007/09/16 19:07:28 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/09/16 19:07:27 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2007/08/31 19:44:18 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/08/07 20:55:55 | 000,000,229 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/07/09 18:12:58 | 000,009,255 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/07/09 18:02:25 | 000,033,794 | ---- | C] () -- C:\WINDOWS\System32\lltainh.dll
[2007/07/09 18:02:25 | 000,030,723 | ---- | C] () -- C:\WINDOWS\System32\ofhhuni.dll
[2007/07/02 20:44:52 | 000,000,028 | ---- | C] () -- C:\WINDOWS\QFNOA.INI
[2007/07/02 20:43:31 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2007/07/02 20:43:31 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2007/07/02 20:43:02 | 000,007,008 | ---- | C] () -- C:\WINDOWS\System32\SETUPKIT.DLL
[2007/07/02 20:43:02 | 000,000,101 | ---- | C] () -- C:\WINDOWS\ttinstal.ini
[2007/07/02 20:42:50 | 000,030,722 | ---- | C] () -- C:\WINDOWS\System32\32of32i.dll
[2007/07/02 20:42:49 | 000,318,976 | ---- | C] () -- C:\WINDOWS\System32\Peer.dll
[2007/07/02 20:42:49 | 000,045,952 | ---- | C] () -- C:\WINDOWS\System32\LTVDD62W.DRV
[2007/07/02 20:42:49 | 000,030,720 | ---- | C] () -- C:\WINDOWS\System32\Peer_Res.dll
[2007/07/02 20:42:49 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\LTTWN62N.DLL
[2007/07/02 20:42:49 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\LFPCX62N.DLL
[2007/07/02 20:42:49 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\LFPCT62N.DLL
[2007/07/02 20:42:49 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\LFWMF62N.DLL
[2007/07/02 20:42:49 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\LFTGA62N.DLL
[2007/07/02 20:42:49 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\LFWPG62N.DLL
[2007/07/02 20:42:49 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\LFPCD62N.DLL
[2007/07/02 20:42:49 | 000,003,200 | ---- | C] () -- C:\WINDOWS\System32\LTTHK62W.DLL
[2007/07/02 20:42:42 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\LFFAX62N.DLL
[2007/07/02 20:42:42 | 000,158,720 | ---- | C] () -- C:\WINDOWS\System32\LFCMP62N.DLL
[2007/07/02 20:42:42 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\LFTIF62N.DLL
[2007/07/02 20:42:42 | 000,043,008 | ---- | C] () -- C:\WINDOWS\System32\LTFIL62N.DLL
[2007/07/02 20:42:42 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\LFBMP62N.DLL
[2007/07/02 20:42:23 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\ftpclient.dll
[2007/06/24 19:01:04 | 000,000,489 | ---- | C] () -- C:\WINDOWS\demo.INI
[2007/06/24 18:46:27 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/06/24 18:46:25 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/06/24 18:07:55 | 000,217,600 | ---- | C] () -- C:\Documents and Settings\Rick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/24 18:00:09 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
[2007/06/08 21:31:13 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Rick\Local Settings\Application Data\fusioncache.dat
[2007/05/23 09:14:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/17 13:09:55 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/05/17 13:01:04 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2007/05/13 19:58:44 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\resourceGeneric.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2007/06/24 18:00:15 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/05/21 20:56:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2010/04/07 16:48:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2009/02/08 23:23:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2010/06/18 09:26:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/03/01 21:15:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/07/09 18:40:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
[2007/06/07 22:32:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\.BitTornado
[2007/06/08 21:31:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\IsolatedStorage
[2009/02/25 21:12:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\muvee Technologies
[2010/07/14 22:28:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\OpenDNS Updater
[2007/09/16 19:08:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\pdf995
[2008/08/23 21:21:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Regen
[2009/01/25 16:17:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Sparx Systems
[2010/09/04 10:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\uTorrent
[2010/09/07 06:59:52 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/09/07 19:26:11 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/11/11 19:01:03 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/09/04 15:58:18 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/09/05 18:01:23 | 000,013,155 | ---- | M] () -- C:\ComboFix.txt
[2009/11/14 10:13:39 | 023,510,720 | ---- | M] (Microsoft Corporation) -- C:\dotnetfx.exe
[2009/11/14 09:54:21 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\erunt_setup.exe
[2010/08/12 22:45:59 | 000,018,095 | ---- | M] () -- C:\haltLog.txt
[2010/09/07 06:54:16 | 1601,753,088 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/14 09:43:35 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\HJTInstall.exe
[2007/07/02 20:41:24 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/11/20 06:45:05 | 000,000,913 | ---- | M] () -- C:\KasperskyOnlineScanner 11-19-09.txt
[2009/11/14 10:52:35 | 000,000,836 | ---- | M] () -- C:\mbam-log-2009-11-14 (10-52-35).txt
[2007/07/02 20:41:24 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2007/06/01 08:00:35 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/08/23 21:35:23 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/09/07 06:54:14 | 792,723,456 | -HS- | M] () -- C:\pagefile.sys
[2009/11/14 11:01:45 | 000,001,466 | ---- | M] () -- C:\RootRepeal report 11-14-09 (11-01-45).txt
[2009/11/14 11:06:31 | 000,001,466 | ---- | M] () -- C:\RootRepeal report 11-14-09 (11-06-31).txt
[2009/11/14 11:50:45 | 000,001,466 | ---- | M] () -- C:\RootRepeal report 11-14-09 (11-50-45).txt
[2009/11/14 11:52:02 | 000,001,466 | ---- | M] () -- C:\RootRepeal report 11-14-09 (11-52-02).txt
[2009/11/14 10:22:45 | 000,472,064 | ---- | M] ( ) -- C:\RootRepeal.exe
[2009/11/14 11:00:49 | 000,000,000 | ---- | M] () -- C:\settings.dat
[2009/11/14 10:42:01 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/11/14 10:56:00 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/11/15 22:25:50 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/11/17 00:00:30 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/11/17 23:59:46 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/11/21 23:10:57 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/11/22 20:55:11 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/11/23 21:10:41 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/11/24 21:07:31 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/11/27 22:01:57 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/11/28 20:31:43 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2010/02/24 22:34:54 | 000,000,232 | -H-- | M] () -- C:\sqmdata11.sqm
[2010/06/20 21:54:23 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2010/07/21 21:21:52 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/11/14 10:42:01 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/11/14 10:56:00 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/11/14 23:07:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/11/15 22:25:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/11/17 00:00:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/11/17 23:59:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/11/21 23:10:57 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/11/22 20:55:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/11/23 21:10:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/11/24 21:07:31 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/11/27 22:01:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/11/28 20:31:42 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2010/02/24 22:34:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2010/06/20 21:54:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2010/07/21 21:21:52 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/11/16 16:42:53 | 000,000,574 | ---- | M] () -- C:\swbbanned.swh
[2009/11/14 09:53:38 | 000,021,504 | ---- | M] (Doug Knox) -- C:\SysRestorePoint.exe
[2009/11/14 09:51:37 | 000,339,456 | ---- | M] (OldTimer Tools) -- C:\TFC.exe
[2007/06/24 18:54:17 | 000,002,714 | ---- | M] () -- C:\V2iSrLog.txt
[2008/01/12 21:05:46 | 000,000,077 | ---- | M] () -- C:\wizard.txt

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2003/05/19 07:21:02 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2005/05/06 14:00:00 | 000,020,992 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD7K.DLL
[2005/05/06 14:00:00 | 000,059,392 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP7K.DLL
[2008/07/06 06:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/09/08 18:00:00 | 000,130,048 | ---- | M] (©Winasm Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\IQ31c9s.dll
[2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2008/07/06 04:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
[2006/01/03 18:00:00 | 000,130,048 | ---- | M] (©Winasm Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\QG55a.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2008/05/06 18:47:40 | 000,069,632 | ---- | M] () -- C:\WINDOWS\Shutterfly Studio Screen Saver.scr

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2003/05/19 07:08:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2003/05/19 07:08:48 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2003/05/19 07:08:48 | 000,393,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2008/08/23 21:44:00 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2007/06/01 17:53:38 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2007/05/27 10:27:02 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/09/08 19:24:04 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2007/06/01 17:53:38 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Rick\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2010/09/04 15:07:59 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\Rick\Cookies\desktop.ini
[2010/09/08 19:33:28 | 000,245,760 | -HS- | M] () -- C:\Documents and Settings\Rick\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.exe >
[2008/04/13 18:12:28 | 001,695,232 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2002/08/20 18:08:38 | 000,069,663 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgsin.exe

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< %USERPROFILE%\Templates\*.tmp >

< %SYSTEMDRIVE%\explorexxx.exe\*.* >

< %Windir%\Installer\*.tmp >
[5 C:\WINDOWS\Installer\*.tmp files -> C:\WINDOWS\Installer\*.tmp -> ]

< %systemroot%\System32\*.xco >

< %ProgramFiles%\system32\*.* >

< %systemroot%\System32\windos\*.* >

< %SystemRoot%\system32\sandbox\*.* >

< %SystemRoot%\system32\*.amo >

< %SystemRoot%\system32\Windows Live\*.* >

< %ProgramFiles%\logs\*.* >

< %ProgramFiles%\Bifrost\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install\\LastSuccessTime: 2010-09-03 04:01:44

========== Alternate Data Streams ==========

@Alternate Data Stream - 173 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F4CE9946
< End of report >
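As an added example, not part of the original thread or of OTL itself: a small Python parser for the file-listing lines in the custom scan output above (`[timestamp | size | attrs | M] (publisher) -- path`). It extracts each field so a reviewer can list what sits in a directory such as the print processor folder, together with each file's publisher, and which entries carry the hidden flag; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<publisher>[^)]*)\) -- (?P<path>.+)$"
)

@dataclass
class OtlEntry:
    stamp: str       # M (modified) or C (created) timestamp as OTL prints it
    size: int        # file size in bytes
    attrs: str       # four-character flag field, e.g. "-HS-" = hidden + system
    publisher: str   # company from the file's version info, "" when absent
    path: str

def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one file-listing line; return None for headers, blanks, or '< End of report >'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return OtlEntry(m["stamp"], int(m["size"].replace(",", "")),
                    m["attrs"], m["publisher"], m["path"])

def parse_otl(text: str) -> List[OtlEntry]:
    return [e for e in map(parse_otl_line, text.splitlines()) if e]

def publishers_in_dir(entries: List[OtlEntry], folder: str) -> dict:
    """Map each file under `folder` (case-insensitive substring) to its publisher."""
    return {e.path: e.publisher for e in entries if folder.lower() in e.path.lower()}

def hidden_entries(entries: List[OtlEntry]) -> List[str]:
    """Paths whose attribute field carries the H (hidden) flag."""
    return [e.path for e in entries if "H" in e.attrs]

# Sample lines copied from the OTL output above (the header line is skipped by the parser).
SAMPLE = """\
< %systemroot%\\system32\\spool\\prtprocs\\w32x86\\*.* >
[2005/05/06 14:00:00 | 000,020,992 | ---- | M] (CANON INC.) -- C:\\WINDOWS\\system32\\spool\\prtprocs\\w32x86\\CNMPD7K.DLL
[2006/09/08 18:00:00 | 000,130,048 | ---- | M] (©Winasm Corporation) -- C:\\WINDOWS\\system32\\spool\\prtprocs\\w32x86\\IQ31c9s.dll
[2003/05/19 07:21:02 | 000,000,067 | -HS- | M] () -- C:\\WINDOWS\\Fonts\\desktop.ini
[2008/04/13 18:12:28 | 001,695,232 | -HS- | M] (Microsoft Corporation) -- C:\\Program Files\\Messenger\\msmsgs.exe
"""

if __name__ == "__main__":
    entries = parse_otl(SAMPLE)
    for path, pub in publishers_in_dir(entries, "\\spool\\prtprocs\\").items():
        print(f"{pub or '<no publisher>':22} {path}")
    print("hidden:", hidden_entries(entries))
```

Feed it the whole saved OTL report instead of `SAMPLE` to get the same per-directory publisher view for every section; a publisher that is blank or unfamiliar in a system directory is simply a file to verify, not a verdict.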
Rorschach112's Avatar
Senior Member with 2,392 posts.
 
Join Date: Oct 2008
09-Sep-2010, 09:23 AM #14
  • Open OTL
  • Under the Custom Scans/Fixes box at the bottom, paste the following:
    Code:
    :Commands
    [clearallrestorepoints]
    
  • Click the Run Fix button at the top
  • It might ask you to reboot, if so click YES


  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
  • Click on the CleanUp button.
  • Click Yes to begin the cleanup process and remove tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes
__________________
I gotta hold on to my angst. I preserve it because I need it. It keeps me sharp, on the edge, where I gotta be.
rdizy's Avatar
Junior Member with 25 posts.
 
Join Date: Sep 2010
10-Sep-2010, 12:09 AM #15
It looks like everything is now clean and working as expected. Thanks for your help. There's no way I could have done this myself. I'm very glad I didn't have to reinstall everything.

I'm going to take a look at the Donation page.
All times are GMT -4. The time now is 03:19 AM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.