Hi

AVG initially found a win 32 heur virus, which it seems to have dealt with. I am now being redirected seemingly at random, and have noticed poiksin.ru in the status bar when this happens. Malwarebytes removed a ertfor trojan. I Have also run spyware doctor, which found and eliminated several threats but once again the redirects continued. Explorer also seems unstable, sometimes doesn't start correctly. Any advice would be much appreciated including whether it is safe to back up my photos and documents to a pen drive in case laptop crashes altogether - would this risk transferring problem to the destination computer?
Malwarebytes/HJT log are:

Malwarebytes' Anti-Malware 1.36
Database version: 1994
Windows 5.1.2600 Service Pack 3

18/04/2009 17:19:20
mbam-log-2009-04-18 (17-19-20).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 168278
Time elapsed: 1 hour(s), 18 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49:57, on 18/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\MyInk\My Ink Resident.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Interwise\Participant\pull.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [WinCast] D:\setup.exe -leng
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\ijqxrlb.exe (User 'Default user')
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: My Ink Resident.lnk = ?
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/hibernia/suppor...s/ebraryRdr.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WTService - Unknown owner - C:\WINDOWS\system32\atwtusb.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 10135 bytes

Hello trevorrl.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member trevorrl only. If you are a lurker, do NOT try this on your system!
If you are not trevorrl and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.
=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

To disable the Resident Shield, please:
open AVG User Interface
double-click on the Resident Shield
un-tick the option "Resident Shield active"
save the changes

To disable the Web Shield, please:

open AVG User Interface
double-click on Web Shield
un-tick option "Web protection"
switch to tab "Instant messaging" and un-tick "Instant Messaging protection

When all done with the task at hand, please be sure to re-enable !!
=

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still presentClick on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

Use your browser to go here at Virustotal website
Click the Browse button and then navigate to C:\WINDOWS\TEMP\ijqxrlb.exe, then click the Submit button.
The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

==
Use your browser to go here at Viruscan.org website
Click the Browse button and then navigate to C:\WINDOWS\TEMP\ijqxrlb.exe, then click the Submit button.

Save the results, and post back here in a reply.

=
Use your browser to go Threatexpert
http://www.threatexpert.com/filescan.aspx
Click the Browse button and then navigate to C:\WINDOWS\TEMP\ijqxrlb.exe,
click the checkbox to checkmark "I agree to be bound by the Terms and Conditions"
then click the Submit button.
Save the results, and post back here in a reply.

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}
=
Download The Avenger by Swandog46 from here.

• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  
  CODE
  Files to delete:
  C:\WINDOWS\TEMP\ijqxrlb.exe
  
  Folders to delete:
  C:\recycler
  D:\recycler
  e:\recycler
  f:\recycler
  g:\recycler
  h:\recycler
• In the avenger window, click the Paste Script from Clipboard icon, button.
• Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
=

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3







* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on Combo-Fix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2003 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.


RE-Enable your AntiVirus and AntiSpyware applications.

Start HijackThis. Do a new Scan and Save report.

Reply with copy of the C:\Avenger.txt
C:\Combofix.txt
and the latest MBAM log
and the new Hijackthis log

Hi Maurice

Thanks for the prompt response and the comprehensive instructions. The file C:\WINDOWS\TEMP\ijqxrlb.exe did not exist but I have attached the other logs as requested. Unfortunately my browser is still being redirected by poiksin.ru as before. Also I now have a new version if internet explorer on my desktop.

Thanks again for your help

Richard

MBAM

Malwarebytes' Anti-Malware 1.36
Database version: 2009
Windows 5.1.2600 Service Pack 3

19/04/2009 13:34:19
mbam-log-2009-04-19 (13-34-19).txt

Scan type: Quick Scan
Objects scanned: 69502
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:46:18, on 19/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\MyInk\My Ink Resident.exe
C:\Program Files\Interwise\Participant\pull.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: My Ink Resident.lnk = ?
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/hibernia/suppor...s/ebraryRdr.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WTService - Unknown owner - C:\WINDOWS\system32\atwtusb.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9876 bytes

A few requests of you: When replying with logs & reports, do NOT use the attachment feature, but instead "Copy" all lines and "Paste" into the body of the reply.
It makes it possible for all people to read the logs and no one wants to download the files to their system.

If all reports do not fit into 1 reply box, use separate replies. Use more than 1 as needed.

Also, do NOT use the quote option when replying (as you did in last one). It makes for a long read.

I am pasting your logs here. Meantime, do NOT do any web surfing, browsing, or even general web mail. Just only go to this forum and the sites I guide you to.

You say your browser is being redirected; and you also have a rootkit infection that needs immediate attention. Please standy.

Avenger log report:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Apr 19 12:47:48 2009

12:47:48: Error: Could not set driver ImagePath.
Aborting execution! (error 0: the operation completed successfully.)


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Apr 19 12:48:13 2009

12:48:13: Error: Could not set driver ImagePath.
Aborting execution! (error 0: the operation completed successfully.)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthxqbrfqjrw" found!
ImagePath: \systemroot\system32\drivers\ovfsthxtmovdlya.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: file "C:\WINDOWS\TEMP\ijqxrlb.exe" not found!
Deletion of file "C:\WINDOWS\TEMP\ijqxrlb.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"
Deletion of folder "D:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Folder "e:\recycler" deleted successfully.

Error: could not open folder "f:\recycler"
Deletion of folder "f:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\recycler"
Deletion of folder "g:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.

Combofix run log:
ComboFix 09-04-19.05 - richard trevor 19/04/2009 13:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.173 [GMT 1:00]
Running from: c:\documents and settings\richard trevor\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-18 14:45 . 2008-12-11 07:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-18 14:45 . 2009-03-06 15:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-18 14:45 . 2008-12-18 11:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-18 14:45 . 2009-04-19 11:54 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-18 14:45 . 2008-12-10 11:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-18 14:45 . 2009-04-18 14:45 -------- d-----w c:\documents and settings\richard trevor\Application Data\PC Tools
2009-04-18 14:45 . 2009-04-18 14:45 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-17 18:52 . 2009-04-19 12:10 89448 ----a-w c:\windows\system32\drivers\9a063706.sys
2009-04-17 18:45 . 2009-04-17 18:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-17 18:07 . 2009-04-17 18:07 -------- d-----w c:\documents and settings\richard trevor\Application Data\Malwarebytes
2009-04-17 18:07 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 18:07 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 18:07 . 2009-04-17 18:07 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 00:25 . 2008-06-19 15:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-16 23:59 . 2009-04-16 23:59 -------- d-----w c:\documents and settings\richard trevor\Local Settings\Application Data\Downloaded Installations
2009-04-16 18:12 . 2009-04-16 18:12 56368 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-16 02:05 . 2009-04-16 02:05 206 ----a-w c:\windows\system32\MRT.INI
2009-04-15 21:10 . 2009-04-15 21:10 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-15 20:55 . 2009-04-19 12:10 109010 ----a-w c:\windows\system32\drivers\b2ac14b6.sys
2009-04-15 20:28 . 2009-04-15 20:28 167936 ----a-w c:\documents and settings\richard trevor\zuBXEbqudoy.exe
2009-04-15 18:35 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 18:35 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 18:35 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 18:35 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 18:35 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 18:35 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 18:35 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 18:35 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 18:35 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 18:35 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 18:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 18:32 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 18:32 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 21:22 . 2009-04-10 21:22 -------- d-----w c:\documents and settings\richard trevor\New Folder
2009-04-10 11:10 . 2009-04-19 11:12 -------- d--h--w C:\$AVG8.VAULT$
2009-04-08 18:37 . 2009-04-08 18:37 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-08 18:37 . 2009-04-08 18:37 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-08 18:37 . 2009-04-08 18:37 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-08 18:37 . 2009-04-18 20:38 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-08 18:36 . 2009-04-11 22:00 -------- d-----w c:\documents and settings\richard trevor\Application Data\AVGTOOLBAR
2009-04-08 18:36 . 2009-04-17 17:33 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-08 17:52 . 2009-04-08 17:52 -------- d-----w c:\documents and settings\richard trevor\Application Data\AVG8
2009-03-29 21:16 . 2009-04-13 23:44 -------- d-----w c:\documents and settings\richard trevor\Application Data\GenStat
2009-03-28 14:33 . 2007-02-12 19:21 547 ----a-w c:\windows\system32\ff_vfw.dll.manifest
2009-03-28 14:33 . 2007-02-12 19:21 10752 ----a-w c:\windows\system32\ff_vfw.dll
2009-03-28 14:31 . 2009-03-28 14:31 36 ---h--w c:\windows\system32\swk.ini
2009-03-27 21:32 . 2009-03-27 21:32 -------- d-----w c:\windows\system32\scripting
2009-03-27 21:32 . 2009-03-27 21:32 -------- d-----w c:\windows\l2schemas
2009-03-27 21:32 . 2009-03-27 21:32 -------- d-----w c:\windows\system32\en
2009-03-27 21:32 . 2009-03-27 21:32 -------- d-----w c:\windows\system32\bits
2009-03-27 21:23 . 2009-03-27 21:33 -------- d-----w c:\windows\ServicePackFiles
2009-03-27 20:58 . 2009-03-27 20:58 -------- d-----w c:\windows\EHome
2009-03-26 19:53 . 2009-02-20 18:09 52224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-26 19:53 . 2009-02-20 18:09 459264 ------w c:\windows\system32\dllcache\msfeeds.dll
2009-03-26 19:53 . 2009-02-20 18:09 268288 ------w c:\windows\system32\dllcache\iertutil.dll
2009-03-26 19:53 . 2009-02-20 10:20 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-03-26 19:53 . 2009-02-20 18:09 6066176 ------w c:\windows\system32\dllcache\ieframe.dll
2009-03-26 19:53 . 2008-07-09 14:30 991232 ------w c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-26 19:53 . 2009-02-20 18:09 383488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-26 19:53 . 2008-07-09 14:25 2455488 ------w c:\windows\system32\dllcache\ieapfltr.dat
2009-03-26 19:53 . 2009-02-20 18:09 63488 ------w c:\windows\system32\dllcache\icardie.dll
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 11:53 . 2009-04-19 11:47 4784 ----a-w C:\avenger.txt
2009-04-18 19:49 . 2009-04-18 19:49 -------- d-----w c:\program files\Trend Micro
2009-04-18 19:22 . 2009-04-18 14:45 -------- d-----w c:\program files\Spyware Doctor
2009-04-18 14:49 . 2009-04-18 14:45 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-17 23:45 . 2008-12-07 20:28 -------- d-----w c:\documents and settings\richard trevor\Application Data\Azureus
2009-04-17 18:45 . 2007-01-27 05:32 -------- d-----w c:\program files\Java
2009-04-17 18:31 . 2009-04-17 18:07 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 00:24 . 2009-04-17 00:24 -------- d-----w c:\program files\Panda Security
2009-04-17 00:08 . 2009-04-17 00:08 -------- d-----w c:\program files\RegCure
2009-04-08 18:36 . 2009-04-08 18:36 -------- d-----w c:\program files\AVG
2009-04-08 18:31 . 2007-01-27 05:47 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-29 20:56 . 2009-03-29 20:45 -------- d-----w c:\program files\M346
2009-03-29 20:55 . 2007-01-27 05:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-29 20:54 . 2009-03-29 20:54 -------- d-----w c:\program files\Common Files\VSN International
2009-03-29 20:54 . 2009-03-29 20:52 -------- d-----w c:\program files\Gen10ed
2009-03-29 14:12 . 2009-03-28 14:31 -------- d-----w c:\program files\Avi Player
2009-03-28 14:33 . 2009-03-28 14:33 -------- d-----w c:\program files\ffdshow
2009-03-28 14:26 . 2009-03-28 14:26 -------- d-----w c:\program files\Full Pack Codecs
2009-03-27 21:41 . 2004-08-07 13:10 81983 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-27 21:15 . 2002-08-29 07:00 250048 --sha-r C:\ntldr
2009-03-12 00:56 . 2008-12-07 20:27 -------- d-----w c:\program files\Vuze
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2007-01-04 13:37 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 19:27 . 2008-03-06 19:49 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-28 04:54 . 2007-08-13 18:43 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-22 15:19 . 2007-11-18 19:23 -------- d-----w c:\program files\WinTV
2009-02-20 10:20 . 2007-08-13 18:39 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2007-08-13 17:56 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2007-04-24 22:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-23 20:00 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2007-04-24 22:50 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-23 20:00 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 18:02 . 2004-08-04 08:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-23 20:00 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2004-08-04 08:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-23 20:00 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-23 20:00 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-04 08:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-12-07 20:29 . 2007-06-01 23:41 67392 ----a-w c:\documents and settings\richard trevor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-27 05:52 . 2007-04-24 23:11 128 ----a-w c:\documents and settings\richard trevor\Local Settings\Application Data\fusioncache.dat
2007-04-24 18:36 . 2007-04-24 18:36 56 --sha-w c:\windows\SMINST\hpboot.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 148888]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-19 114688]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-04-06 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-08 1932568]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-4-25 184320]
My Ink Resident.lnk - c:\program files\MyInk\My Ink Resident.exe [2008-12-5 36864]
Push Client.LNK - c:\program files\Interwise\Participant\pull.exe [2008-5-1 843776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-08 18:37 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ rmvirut.nt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-06 33752]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-08 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-08 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
S2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S2 WTService;WTService;c:\windows\system32\atwtusb.exe [2007-08-17 364192]


--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - avg8wd
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - hpqwmiex
*Deregistered* - ImapiService
*Deregistered* - iPod Service
*Deregistered* - javaquickstarterservice
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mchinjdrv
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PCA
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - sdauxservice
*Deregistered* - sdcoreservice
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - WTService
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76038e50-9773-11dc-acbf-0016d4e826c2}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76038e51-9773-11dc-acbf-0016d4e826c2}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8182d850-8f6f-11dc-acb1-0016d4e826c2}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8182d854-8f6f-11dc-acb1-0016d4e826c2}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-04-19 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinCast - D:\setup.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 13:10
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????]??????g?@?????L?@

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxtmovdlya.sys 84992 bytes executable
c:\windows\system32\ovfsthxdxxfqpqw.dat 43 bytes
c:\windows\system32\ovfsthxixuruwkk.dll 19456 bytes executable
c:\windows\system32\ovfsthxkpuugfbp.dat 81586 bytes
c:\windows\system32\ovfsthxmdwdpsml.dll 61952 bytes executable
c:\windows\system32\ovfsthxymktpirk.dll 19456 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ovfsthxqbrfqjrw]
"imagepath"="\systemroot\system32\drivers\ovfsthxtmovdlya.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\9a063706]
"ImagePath"="\SystemRoot\System32\drivers\9a063706.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\b2ac14b6]
"ImagePath"="\SystemRoot\System32\drivers\b2ac14b6.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ovfsthxqbrfqjrw]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxtmovdlya.sys"
"inst"=dword:00000000
.
Completion time: 2009-04-19 13:13
ComboFix-quarantined-files.txt 2009-04-19 12:13

Pre-Run: 2,501,595,136 bytes free
Post-Run: 3,240,349,696 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

331 --- E O F --- 2009-04-16 02:06

Hello Richard,

Your pen-thumb-USB drives are most likely infected. Do NOT use them at all. Unplug them if any are connected to this system.
We can deal with those later.

The system has a serious rootkit infection which needs dealing with.
But I also need to know:
If this system was ever at any time without antivirus program?

If at any time the antivirus license, if any, had lapsed?

If you ever had any message or prompt about a "virut" infection?

You've gotten a bunch of tools lately, like PC Tools, Spyware Doctor, Panda, AVG, etc.
Don't load up on any more new tools without checking here, while we are working this case.
More important, did you only just recently put on AVG 8 ??

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member trevorrl only. If you are a lurker, do NOT try this on your system!
If you are not trevorrl and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
=

Use your browser to go here at Virustotal website
Click the Browse button and then navigate to c:\windows\system32\drivers\9a063706.sys, then click the Submit button.
The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Repeat the same steps for c:\windows\system32\drivers\b2ac14b6.sys
Save the results, and post back here in a reply.
==
Use your browser to go here at Viruscan.org website
Click the Browse button and then navigate to c:\windows\system32\drivers\9a063706.sys, then click the Submit button.

Save the results, and post back here in a reply.

Repeat the same steps for c:\windows\system32\drivers\b2ac14b6.sys
Save the results, and post back here in a reply.

=
Use your browser to go Threatexpert
http://www.threatexpert.com/filescan.aspx
Click the Browse button and then navigate to c:\windows\system32\drivers\9a063706.sys,
click the checkbox to checkmark "I agree to be bound by the Terms and Conditions"
then click the Submit button.
Save the results, and post back here in a reply.

=
Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2009 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a FULL Scan.

Reply with a copy of the C:\Combofix.txt (in-line and not as attachments for any of the reports ! )
the new MBAM log
and the logs from the online-virus submission sites: Virustotal, Virscan, and Threatexpert

Hello again and apologies for my earlier breaches of etiquette. The machine has never without a virus programme. I have updated from AVG 7.5 to AVG 8 within the last couple of weeks. However prior to the upgrade I also had a trial version of Norton leftover from when it was first bought. I was only recently made aware that you shouldn't run more than one package on the same machine, although it hadn't caused anyapparent problems.

I have seen no mention of virut - only win32 heur which AVG recognised and deleted. I have followed your instructions, and pasted the results below.

Both files gave the same response at the three websites namely

0 bytes size received / Se ha recibido un archivo vacio at virustotal

ERROR: can't fnd upload file at viruscan

The submitted file is not detected. at Threatexpert.

Combofix gave

ComboFix 09-04-19.05 - richard trevor 19/04/2009 17:47:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.223 [GMT 1:00]
Running from: C:\Documents and Settings\richard trevor\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\richard trevor\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

and finally MBAM

Malwarebytes' Anti-Malware 1.36
Database version: 2009
Windows 5.1.2600 Service Pack 3

19/04/2009 20:10:26
mbam-log-2009-04-19 (20-10-26).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 146944
Time elapsed: 42 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ovfsthxixuruwkk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthxymktpirk.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Thanks again for your help with this

Richard

The log of last Combifix run was incomplete. It just only shows the first few lines. I need to have all the lines in that file.
Please start Notepad, open the file, and select All and Copy, and paste into your next reply (separate reply if you have to).

I'm going to have you run a new Avenger run, simply to insure that rootkit files are really gone.

• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  
  CODE
  Files to delete:
  c:\windows\system32\drivers\ovfsthxtmovdlya.sys
  c:\windows\system32\ovfsthxdxxfqpqw.dat
  c:\windows\system32\ovfsthxixuruwkk.dll
  c:\windows\system32\ovfsthxkpuugfbp.dat
  c:\windows\system32\ovfsthxmdwdpsml.dll
  c:\windows\system32\ovfsthxymktpirk.dll
  C:\WINDOWS\TEMP\ijqxrlb.exe
  C:\WINDOWS\system32\ovfsthxixuruwkk.dll
  C:\WINDOWS\system32\ovfsthxymktpirk.dll
  
  Drivers to delete:
  ovfsthxtmovdlya
  
  
  Folders to delete:
  C:\recycler
  D:\recycler
  e:\recycler
  f:\recycler
  g:\recycler
  h:\recycler
• In the avenger window, click the Paste Script from Clipboard icon, button.
• :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
=
Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe

• Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  CODE
  :OTLI
  PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
  
  :files
  c:\windows\system32\drivers\ovfsth*.*
  c:\windows\system32\ovfsth*.*
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [reboot]
  
  
• Return to OTLisIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  
• Close any browser(s) windows that may be open.
• Using your mouse, click on the red-lettered button Run Fix.
• Once you see a message box "Fix complete! Click OK to open the fix log."
  Click the OK button
• The log will open in Notepad (your default text editor).
• Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
=


Reply with copy of the last C:\Combofix.txt
and the new C:\Avenger.txt
and the OTListIt2 moved log file from above

Hi again.
Unfortunately the text I copied from Combofix is everything saved in the log. I've tried a search for combofix.txt and it only finds that one file.
The Avenger txt is

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Apr 19 22:34:36 2009

22:34:36: Error: Could not set driver ImagePath.
Aborting execution! (error 0: the operation completed successfully.)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\system32\drivers\ovfsthxtmovdlya.sys" not found!
Deletion of file "c:\windows\system32\drivers\ovfsthxtmovdlya.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxdxxfqpqw.dat" not found!
Deletion of file "c:\windows\system32\ovfsthxdxxfqpqw.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxixuruwkk.dll" not found!
Deletion of file "c:\windows\system32\ovfsthxixuruwkk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxkpuugfbp.dat" not found!
Deletion of file "c:\windows\system32\ovfsthxkpuugfbp.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxmdwdpsml.dll" not found!
Deletion of file "c:\windows\system32\ovfsthxmdwdpsml.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ovfsthxymktpirk.dll" not found!
Deletion of file "c:\windows\system32\ovfsthxymktpirk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\TEMP\ijqxrlb.exe" not found!
Deletion of file "C:\WINDOWS\TEMP\ijqxrlb.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ovfsthxixuruwkk.dll" not found!
Deletion of file "C:\WINDOWS\system32\ovfsthxixuruwkk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ovfsthxymktpirk.dll" not found!
Deletion of file "C:\WINDOWS\system32\ovfsthxymktpirk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxtmovdlya" not found!
Deletion of driver "ovfsthxtmovdlya" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"
Deletion of folder "D:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Folder "e:\recycler" deleted successfully.

Error: could not open folder "f:\recycler"
Deletion of folder "f:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\recycler"
Deletion of folder "g:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.

and OTListIT2

========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== FILES ==========
File/Folder c:\windows\system32\drivers\ovfsth*.* not found.
File/Folder c:\windows\system32\ovfsth*.* not found.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\richard trevor\Local Settings\temp\WCESLog.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\richard trevor\Local Settings\temp\~DF4C05.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\richard trevor\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_84.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.14.0 log created on 04192009_224349

Files moved on Reboot...
C:\Documents and Settings\richard trevor\Local Settings\temp\WCESLog.log moved successfully.
C:\Documents and Settings\richard trevor\Local Settings\temp\~DF4C05.tmp moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_84.dat not found!

Registry entries deleted on Reboot...

Thanks again

Richard

Place your USB-pen-flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

• Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
• Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
• Choose the "Scan tab" and UNcheck "Heuristic analysis"
• Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
• Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
• When done, a message will be displayed at the bottom advising if any viruses were found.
• Click "Yes to all" if it asks if you want to cure/move the file.
• When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
• Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2009 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

=

• Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
• In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
• Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
• It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras.txt.
• Exit Notepad. Remember where you've saved these 2 files as we will need both of them !
• Exit OTListIt2 by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

• Run Security Check
• Follow the onscreen instructions inside of the command window.
• A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your next reply (in order):
the Dr.Web Cure-it report
the latest MBAM scan log
OTListIt.txt
Extras.txt
and checkup.txt
and tell me, How is your system now ?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Hi

Not tried connecting to ay web sites other than this one. Explorer froze when first run, but every thing else seems to be running normally. Here are the logs

drweb
b2ac14b6.sys;c:\windows\system32\drivers;Trojan.NtRootKit.2795;Deleted.;
MBAM
Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 3

21/04/2009 00:27:51
mbam-log-2009-04-21 (00-27-51).txt

Scan type: Quick Scan
Objects scanned: 75875
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\temp\67DB8627.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

OT Listit
OTListIt logfile created on: 21/04/2009 00:34:37 - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\richard trevor\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

503.36 Mb Total Physical Memory | 56.57 Mb Available Physical Memory | 11.24% Memory free
1.20 Gb Paging File | 0.52 Gb Available in Paging File | 43.63% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.48 Gb Total Space | 2.95 Gb Free Space | 5.85% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 5.41 Gb Total Space | 0.44 Gb Free Space | 8.06% Space Free | Partition Type: NTFS
Drive F: | 15.05 Gb Total Space | 10.28 Gb Free Space | 68.30% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC622264192296
Current User Name: richard trevor
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/04/14 01:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/07/22 20:42:12 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/04/08 19:36:39 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/04/17 19:45:41 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/07 13:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2009/01/21 14:08:06 | 01,095,560 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe
PRC - [2009/04/08 19:36:49 | 00,485,144 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/04/08 19:36:49 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/04/17 19:45:41 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2005/10/19 11:15:00 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/10/19 11:15:12 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2006/04/06 14:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLACTRLW.EXE
PRC - [2006/06/16 17:22:46 | 00,794,713 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/06/19 20:33:12 | 00,163,840 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
PRC - [2006/05/03 23:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
PRC - [2005/10/19 11:15:22 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2006/10/09 19:23:06 | 00,697,976 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe
PRC - [2004/08/11 10:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
PRC - [2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
PRC - [2008/07/30 10:47:56 | 00,289,064 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007/08/17 16:13:20 | 00,364,192 | ---- | M] () -- C:\WINDOWS\system32\atwtusb.exe
PRC - [2008/06/12 03:38:00 | 00,034,672 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
PRC - [2009/04/08 19:36:43 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2004/07/28 01:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2008/12/08 14:33:48 | 01,173,384 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe
PRC - [2007/07/31 02:02:08 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
PRC - [2008/07/08 17:41:02 | 02,828,184 | ---- | M] (PC Tools) -- C:\Program Files\Registry Mechanic\RegMech.exe
PRC - [2006/05/03 00:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2006/08/17 17:53:14 | 00,036,864 | ---- | M] () -- C:\Program Files\MyInk\My Ink Resident.exe
PRC - [2007/08/02 16:39:12 | 00,843,776 | ---- | M] (Interwise Ltd) -- C:\Program Files\Interwise\Participant\pull.exe
PRC - [2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2009/02/06 11:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/02/06 11:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/14 01:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2007/08/17 16:13:20 | 00,364,192 | ---- | M] () -- C:\WINDOWS\system32\atwtusb.exe
PRC - [2008/07/30 10:47:48 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2005/12/23 22:44:26 | 00,491,606 | ---- | M] () -- C:\Program Files\HPQ\Shared\HpqToaster.exe
PRC - [2009/04/19 22:42:34 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\richard trevor\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/06/12 22:27:28 | 00,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr [On_Demand | Stopped])
SRV - [2008/07/22 20:42:12 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2004/07/15 10:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/04/08 19:36:39 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/10/06 10:18:06 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2009/01/12 23:00:48 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/14 01:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2006/05/03 00:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [Auto | Running])
SRV - [2004/10/22 12:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/30 10:47:48 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/04/17 19:45:41 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (javaquickstarterservice [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/01/12 21:22:38 | 00,294,912 | ---- | M] (SoftThinks) -- C:\WINDOWS\SMINST\PCAngel.exe -- (PCA [Auto | Stopped])
SRV - [2009/01/07 13:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdauxservice [Auto | Running])
SRV - [2009/01/21 14:08:06 | 01,095,560 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdcoreservice [Auto | Running])
SRV - [2004/08/11 10:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2004/08/11 09:46:56 | 00,483,328 | ---- | M] (Microsoft Corporation) -- c:\program files\windows media connect\mswmccds.exe -- (WmcCds [Unknown | Stopped])
SRV - [2004/08/11 06:50:42 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect\mswmcls.exe -- (WmcCdsLs [On_Demand | Stopped])
SRV - [2007/08/17 16:13:20 | 00,364,192 | ---- | M] () -- C:\WINDOWS\system32\atwtusb.exe -- (WTService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2001/08/17 16:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2009/04/08 19:37:29 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/04/08 19:37:28 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/04/08 19:37:29 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2006/08/21 23:16:20 | 00,038,144 | ---- | M] (Conexant Systems Inc.) -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD [On_Demand | Running])
DRV - [2006/08/21 23:16:56 | 00,530,176 | ---- | M] (Conexant Systems Inc.) -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA [On_Demand | Running])
DRV - [2006/04/06 14:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
DRV - [2006/03/17 17:35:24 | 00,005,660 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
DRV - [2006/04/06 14:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLADResN.SYS -- (DLADResN [Auto | Running])
DRV - [2006/04/06 14:20:00 | 00,086,812 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
DRV - [2006/04/06 14:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
DRV - [2006/04/06 14:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
DRV - [2006/03/17 17:34:46 | 00,022,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DLARTL_N.SYS -- (DLARTL_N [System | Running])
DRV - [2006/04/06 14:20:00 | 00,094,460 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
DRV - [2006/04/06 14:20:00 | 00,087,068 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
DRV - [2006/03/30 12:30:00 | 00,089,072 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
DRV - [2006/03/17 14:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
DRV - [2006/08/22 08:21:26 | 00,163,328 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2005/09/19 23:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\DRIVERS\eabfiltr.sys -- (eabfiltr [System | Running])
DRV - [2005/09/19 23:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\DRIVERS\eabusb.sys -- (eabusb [On_Demand | Stopped])
DRV - [2008/07/21 13:11:58 | 00,024,392 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [System | Running])
DRV - [2008/01/29 12:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2005/09/19 23:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\DRIVERS\cpqbttn.sys -- (HBtnKey [On_Demand | Running])
DRV - [2006/05/18 05:25:56 | 00,246,912 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys -- (HSFHWICH [On_Demand | Running])
DRV - [2006/05/18 05:26:32 | 00,990,592 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2007/07/16 19:23:20 | 00,101,120 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys -- (hwdatacard [On_Demand | Stopped])
DRV - [2005/10/19 11:15:02 | 01,302,812 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2005/10/05 04:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2008/04/13 19:46:22 | 00,015,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\MPE.sys -- (MPE [On_Demand | Stopped])
DRV - [2008/06/19 16:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
DRV - [2009/04/20 22:38:08 | 00,130,936 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (pctcore [Boot | Running])
DRV - [2004/08/04 09:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/04/25 11:03:00 | 00,020,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 21:10:28 | 00,035,913 | ---- | M] (SMC) -- C:\WINDOWS\system32\DRIVERS\smcirda.sys -- (SMCIRDA [On_Demand | Stopped])
DRV - [2007/01/27 06:49:51 | 00,010,344 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd [Auto | Running])
DRV - [2006/06/16 16:40:56 | 00,193,120 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2005/11/15 00:30:10 | 00,209,664 | R--- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\emBDA.sys -- (USB28xxBGA [On_Demand | Stopped])
DRV - [2005/11/15 00:29:58 | 00,017,152 | R--- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\emOEM.sys -- (USB28xxOEM [On_Demand | Stopped])
DRV - [2008/04/13 19:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2008/04/13 19:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])
DRV - [2006/07/17 16:17:28 | 02,206,720 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\DRIVERS\w29n51.sys -- (w29n51 [On_Demand | Running])
DRV - [2006/11/06 18:04:56 | 00,028,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])
DRV - [2006/05/18 05:25:50 | 00,727,808 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/17 19:45:42 | 00,000,000 | ---D | M]


O1 HOSTS File: (0 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe ()
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" (PC Tools)
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe ()
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - HKCU..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" (Microsoft Corporation)
O4 - HKCU..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H (PC Tools)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\My Ink Resident.lnk = C:\Program Files\MyInk\My Ink Resident.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe (Interwise Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = F7 FF FF 03 [binary data]
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} http://site.ebrary.com/lib/hibernia/suppor...s/ebraryRdr.cab (Infotl Control)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/jinstall-14-win.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {cafeefac-0016-0000-0013-abcdeffedcba} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

Extras
OTListIt Extras logfile created on: 21/04/2009 00:34:37 - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\richard trevor\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

503.36 Mb Total Physical Memory | 56.57 Mb Available Physical Memory | 11.24% Memory free
1.20 Gb Paging File | 0.52 Gb Available in Paging File | 43.63% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.48 Gb Total Space | 2.95 Gb Free Space | 5.85% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 5.41 Gb Total Space | 0.44 Gb Free Space | 8.06% Space Free | Partition Type: NTFS
Drive F: | 15.05 Gb Total Space | 10.28 Gb Free Space | 68.30% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC622264192296
Current User Name: richard trevor
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
[2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
[2006/11/13 14:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2006/10/09 19:23:06 | 00,697,976 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler
[2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
[2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
[2006/11/13 14:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/07/30 10:47:50 | 20,252,968 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2009/04/08 19:36:41 | 01,057,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2009/04/08 19:36:49 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{2227E1FA-01F5-483C-AB0E-2A308E900B3D}" = InterVideo FilterSDK for Hauppauge
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26a24ae4-039d-4ca4-87b4-2f83216013ff}" = Java™ 6 Update 13
"{29031977-EF5E-446E-B3E1-E66B6FA3895D}" = SCRABBLE® 2005 EDITION
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.10 A2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AEBFEEE-3345-430C-AD1D-865AD7C3DEA1}" = Exerciser Revision Tool
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}" = iTunes
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager Installer
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 G2
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support
"{4C234785-E7EE-44E7-8277-92AAED2D8801}" = BlackBerry Service for PocketPC 4.0
"{556F2137-B772-43BB-9A45-E0275234DD16}" = Free Notes & Office Ink
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AF6BFD2-D368-4F81-9B82-D3B1414351C8}" = Power Presenter RE
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76C8A611-8059-44EB-8513-C86A6B3A9C5F}" = Mathcad 2001i Professional
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7AE99502-ABB3-45F6-BC0C-73169A3BAF08}" = GenStat 10th Edition
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{929AB598-BB08-4875-B8D2-952C151D6E47}" = HP User Guides 0038
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AEDDF5A3-29CE-11D5-A8C2-000102246AAE}" = ubi.com
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{C2CC8C1F-D5C4-4751-86B2-0EE04C601651}" = BlackBerry Connect Desktop for Windows Mobile
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}" = Safari
"{CA47A854-2BA9-498F-97EE-D8FBECF0BA79}" = MyInk
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DB8CEC42-30B1-4F49-BD06-9393EB81CCF7}" = SPSS 13.0 for Windows
"{DE4A7830-7480-425C-8330-699C30FD8C66}" = PHM Registry Editor
"{E0DBC47C-ED3F-4A1B-A929-9A26DAAA14B3}" = Application Installer 4.00.B5
"{F4588301-0A06-11D6-A761-00B0D079AF64}" = Java 2 Runtime Environment, SE v1.4.0
"{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}" = Windows Media Connect
"3 USB Modem" = 3 USB Modem
"3D Sea Aquarium_is1" = 3D Sea Aquarium
"7-Zip" = 7-Zip 4.57
"activescan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"AVG8Uninstall" = AVG 8.5
"Avi Player" = Avi Player
"CloneDVD2" = CloneDVD2
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_30C4103C" = Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ffdshow_is1" = ffdshow [rev 918] [2007-02-12]
"FotoSketcher_is1" = FotoSketcher - Version 1.8
"Full Pack" = Full Pack Codecs
"Hauppauge English Help Files and Resources" = Hauppauge English Help Files and Resources
"Hauppauge WinTV Scheduler" = Hauppauge WinTV Scheduler
"Hauppauge WinTV Soft PVR" = Hauppauge WinTV Soft PVR
"Hauppauge WinTV2000" = Hauppauge WinTV2000
"hijackthis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{76C8A611-8059-44EB-8513-C86A6B3A9C5F}" = Mathcad 2001i Professional
"InstallShield_{7AE99502-ABB3-45F6-BC0C-73169A3BAF08}" = GenStat 10th Edition
"InstallShield_{C2CC8C1F-D5C4-4751-86B2-0EE04C601651}" = BlackBerry Connect Desktop for Windows Mobile
"Interwise Participant" = Interwise Participant
"M248 Data files" = M248 Data files
"M248 SUStats" = M248 SUStats
"M249 CD-ROM 1" = M249 CD-ROM 1
"M249 CD-ROM 2" = M249 CD-ROM 2
"M346 Data files and GenStat 10" = M346 Data files and GenStat 10
"malwarebytes' anti-malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MinitabDeinstKeySV" = Minitab Student Release 12
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Online Manuals for WinTV (English)" = Online Manuals for WinTV (English)
"PROSet" = Intel® PRO Network Connections Drivers
"regcure" = RegCure 1.5.2.7
"registry mechanic_is1" = Registry Mechanic 8.0
"Rmtablet" = USB Tablet Manager
"Spb Diary" = Spb Diary
"Spb Mobile Shell" = Spb Mobile Shell
"Spb Pocket PC Tips And Tricks" = Spb Pocket PC Tips And Tricks
"Spb Pocket Plus" = Spb Pocket Plus
"Spb Traveler" = Spb Traveler
"Spb Weather" = Spb Weather
"spyware doctor" = Spyware Doctor 6.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"T851 The Information Systems Toolkit" = T851 The Information Systems Toolkit
"tweak ui 2.10" = Tweak UI
"Vuze" = Vuze
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Connect" = Windows Media Connect
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"Zattoo" = Zattoo 3.3.1 Beta

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Checkup

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Enabled!
AVG8.5
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Spyware Doctor 6.0
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 13
Java™ SE Runtime Environment 6 Update 1
Java 2 Runtime Environment, SE v1.4.0
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````
GREAT! (Very random)

Scan took 31 seconds.
`````````End of Log```````````

Thanks again

Richard

Hello Richard,
Small maintenance item:
Go to Control Panel's Add-or-Remove Programs.
Look for and select these Java items (in turn) and select Change/Remove and select de-install.
Java™ SE Runtime Environment 6 Update 1
Java 2 Runtime Environment, SE v1.4.0

Otherwise, you already have the current version, JRE 6 update 13.

=
These next 2 are for touchups:

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<

• Double-click FixPolicies.exe.
• Click the "Install" button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies.
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
• A black box will briefly appear and then close.
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides
typically, C:\WINDOWS\system32\drivers\etc

and after that copy is saved, it replaces the old Hosts with the new one.

And you should see (in the blue background command window) the following:


Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts
The latter is the same folder that had mvps.bat
=

You already have ATF Cleaner from before. Run it to cleanout (delete) all temp / temporary files.

Next, I want to see if there are any leftover rootkits.
Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip

• Extract the archive to a folder you create such as C:\RootRepeal
• Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).
• Click the "File" tab (located at the bottom of the RootRepeal screen)
• Click the "Scan" button
• In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
• Click OK and the file scan will begin
• When the scan is done, there will be files listed, but most if not all of them will be legitimate
• Click the "Save Report" Button
• Save the log file to your Documents folder
• Post the content of the RootRepeal file scan log in your next reply.

=
Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

Trend Micro Damage Cleanup Engine
• Make sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1st
• Basically there are 3 parts that need to be downloaded from these links:
  
  1. Sysclean Package
  2. Virus Pattern Files
  3. Spyware Pattern Files

• Create a brand new folder to copy these files to.
• As an example: C:\DCE
• Then open each of the zipped archive files and copy their contents to C:\DCE
• Copy the file sysclean.com to the new folder C:\DCE as well.
• Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
  
  After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

Reply with copy of the Rootrepeal log
and the Sysclean scan log,
and tell me, How is your system now ?

Hi

apologies for not yet posting the required logs, I am a contractor and am currently away from home. I will not be back until Friday night , but will post the info then. Please don't think I've given up and close the thread!

Thanks for your help and patience

Richard

Hi
My system seems OK but I haven't tried connecting to any websites other than this one. Also I still have a new copy of internet explorer on my desktop, which didn't used to be there - should I delete this?

rootrepeal log is

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/22 02:13
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector
Status: Locked to the Windows API!

Path: C:\WINDOWS\temp\Perflib_Perfdata_7d8.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\WINDOWS\system32\drivers\9a063706.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\richard trevor\My Documents\Azureus Downloads\Microsoft Excel Vba Programming For The Absolute Beginner 2002 - allfreeebooks.tk\Microsoft Excel VBA Programming for the Absolute Beginner 2002\Microsoft Excel VBA Programming for the Absolute Beginner 2002.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\richard trevor\My Documents\Azureus Downloads\Zero,The Biography of a Dangerous Idea\Zero,The Biography of a Dangerous Idea (Charles Seife)_JOG\ZERO CH 05 - Infinite Zeros And Infidel Mathematicians, Zero And The Scientific Revolution.mp3
Status: Locked to the Windows API!

Path: E:\RCBoot.sys
Status: Size mismatch (API: 0, Raw: 575053377419870208)

Path: E:\autorun.inf\lpt3.This folder was created by Flash_Disinfector
Status: Locked to the Windows API!

Path: E:\cmdcons\diõk.sy_
Status: Invisible to the Windows API!

Path: E:\cmdcons\i8042prt.sõ_
Status: Invisible to the Windows API!

Path: E:\cmdcons\KBDHU1ôDLL
Status: Invisible to the Windows API!

Path: E:\cmdcons\KBDGR.õLL
Status: Invisible to the Windows API!

Path: E:\cmdcons\ohôi1394.sy_
Status: Invisible to the Windows API!

Path: E:\cmdcons\serialôsy_
Status: Invisible to the Windows API!

Path: E:\cmdcons\sparrow.sy_
Status: Size mismatch (API: 11098, Raw: 68679894317411162)

Path: E:\cmdcons\usbohcø.sy_
Status: Invisible to the Windows API!

Path: E:\cmdcons\vgaoemøfo_
Status: Invisible to the Windows API!

Path: E:\cmdcons\disk.sy_
Status: Visible to the Windows API, but not on disk.

Path: E:\cmdcons\i8042prt.sy_
Status: Visible to the Windows API, but not on disk.

Path: E:\cmdcons\KBDGR.DLL
Status: Visible to the Windows API, but not on disk.

Path: E:\cmdcons\KBDHU1.DLL
Status: Visible to the Windows API, but not on disk.

Path: E:\cmdcons\ohci1394.sy_
Status: Visible to the Windows API, but not on disk.

Path: E:\cmdcons\serial.sy_
Status: Visible to the Windows API, but not on disk.

Path: E:\cmdcons\usbohci.sy_
Status: Visible to the Windows API, but not on disk.

Path: E:\cmdcons\vgaoem.fo_
Status: Visible to the Windows API, but not on disk.

Path: E:\PRELOAD\ALL.MDF
Status: Allocation size mismatch (API: 8, Raw: 68679894317400072)

Path: E:\MiniNT\Fonts\coòre.fon
Status: Invisible to the Windows API!

Path: E:\MiniNT\Fonts\GULIM.TTC
Status: Allocation size mismatch (API: 13518848, Raw: 68116944377497600)

Path: E:\MiniNT\Fonts\coure.fon
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\layoutðPNF
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\neð21x4.inf
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\neïan983.inf
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\netcicap.inf
Status: Allocation size mismatch (API: 8192, Raw: 67272519433854976)

Path: E:\MiniNT\inf\netcb325.iïf
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\netepro.PNF
Status: Size mismatch (API: 8232, Raw: 67272519433855016)

Path: E:\MiniNT\inf\neïias.PNF
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\netklsï.PNF
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\netlanep.inf
Status: Size mismatch (API: 1823, Raw: 67272519433848607)

Path: E:\MiniNT\inf\netmhzï5.inf
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\neïrsvp.inf
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\netsk_ïp.PNF
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\nettdkï.PNF
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\nettpsmp.inf
Status: Size mismatch (API: 4749, Raw: 67272519433851533)

Path: E:\MiniNT\inf\netwv48.PNð
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\netx56ð5.inf
Status: Invisible to the Windows API!

Path: E:\MiniNT\inf\oem1.inf
Status: Size mismatch (API: 304116, Raw: 67553994410861556)

Path: E:\MiniNT\inf\layout.PNF
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\net21x4.inf
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\netan983.inf
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\netcb325.inf
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\netias.PNF
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\netklsi.PNF
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\netmhzn5.inf
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\netrsvp.inf
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\netsk_fp.PNF
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\nettdkb.PNF
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\netwv48.PNF
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\inf\netx56n5.inf
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\BackupST.exe
Status: Allocation size mismatch (API: 901120, Raw: 68398419341590528)

Path: E:\MiniNT\system32\BackupSTJP_OEM1.smó
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\clusapi.dló
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\C_1000Ǎ.NLS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\IPCONFIG.EXE
Status: Size mismatch (API: 49664, Raw: 175077435514077696)

Path: E:\MiniNT\system32\oleacc.dll
Status: Allocation size mismatch (API: 163840, Raw: 175077435514191872)

Path: E:\MiniNT\system32\dbgengódll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\dgnet.dll
Status: Size mismatch (API: 103424, Raw: 131167339147269120)

Path: E:\MiniNT\system32\driverǘ
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\e100b325.dǘn
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\fpnpbaõe.usa
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\hal.dll
Status: Allocation size mismatch (API: 104448, Raw: 68961369294215168)

Path: E:\MiniNT\system32\IMJP81K.DLø
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\io8porøs.dll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\kböca.dll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\kbdic.dll
Status: Size mismatch (API: 6656, Raw: 69242844270828032)

Path: E:\MiniNT\system32\kernel32.døl
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\LO·O_XGA.BMP
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\msjet40.dlĖ
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\neımsg.dll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\ntlanmIJn.dll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\NvRaidSvEnā.dll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\odùccp32.cpl
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\polstore.d÷l
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\Pr÷mium.exe
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\rasapi32.dǛl
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\Restore.xgþ
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\RestoreSTCH_OEM1.smf
Status: Allocation size mismatch (API: 61440, Raw: 71494644084568064)

Path: E:\MiniNT\system32\RestoreST_OEM1.smf
Status: Allocation size mismatch (API: 61440, Raw: 71494644084568064)

Path: E:\MiniNT\system32\rpúrt4.dll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\servicûs.exe
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\sortkey.nlΐ
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\spΐolss.dll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\startnet.cmd
Status: Allocation size mismatch (API: 0, Raw: 256705178760118272)

Path: E:\MiniNT\system32\UNICDIąE.IME
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\virtdk64.sĚs
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\WINGB.IME
Status: Allocation size mismatch (API: 69632, Raw: 79375943432474624)

Path: E:\MiniNT\system32\wkġsvc.dll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\Writer.ini
Status: Size mismatch (API: 569, Raw: 81346268269380153)

Path: E:\MiniNT\system32\BackupWiz_OEM1.smf
Status: Allocation size mismatch (API: 157696, Raw: 68398419340847104)

Path: E:\MiniNT\system32\BackupSTJP_OEM1.smf
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\clusapi.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\C_10006.NLS
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\dbgeng.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\drivers
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\e100b325.din
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\fpnpbase.usa
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\IMJP81K.DLL
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\io8ports.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\kbdca.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\kernel32.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\LOGO_XGA.BMP
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\msjet40.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\netmsg.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\ntlanman.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\NvRaidSvEnu.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\odbccp32.cpl
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\polstore.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\Premium.exe
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\rasapi32.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\Restore.xga
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\rpcrt4.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\services.exe
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\sortkey.nls
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\spoolss.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\UNICDIME.IME
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\virtdk64.sys
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\wkssvc.dll
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0òx-ww_ff9986d7
Status: Invisible to the Windows API!

Path: E:\MiniNT\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\system32\config\security
Status: Allocation size mismatch (API: 0, Raw: 68679894317400064)

Path: \\?\E:\MiniNT\system32\driverǘ\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: E:\MiniNT\system32\driverǘ\1394BUS.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\1394vdbg.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ABP480N5.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ac300nd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ACPI.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ACPIEC.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\adm8511.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\adptsf50.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ADPU16ôM.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\afd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\AHA154X.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ahcix86.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\AIC78U2.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\AIô78XX.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\akspccard.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\aksusb.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ali5261.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ALIIDE.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\AMSINT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\an983.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\arp1394.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ASC.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ASC3350P.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ASC3550.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\aspi32.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\aspndis3.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\asyncmac.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ATAPI.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\atmarpc.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\atmlane.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\atmuni.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\b1.t4
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\b1cbase.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\b1tr6.t4
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\b1usa.t4
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\b57xp32.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\bcm42u.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\bcm4e5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\beep.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\bioprime.bin
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\brzwlan.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\c4.bin
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cb102.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cb325.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cben5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\CBIDF2K.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\CD20XRNT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cdaudio.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\CDFS.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\CDROM.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ce2n5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ce3n5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cem28n5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cem33n5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cem56n5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cinemst2.sós
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\CMDIDE.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cnxt1803.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\CPQARRAY.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cpqndis5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\cpqtrnd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\c_1252.nl_
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\c_437.nl_
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\d100ib5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\DAC2W2ó.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\DAC960NT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dc21x4.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\defpa.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dfe650.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dfe650d.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dgapci.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dgsetup.dll
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\diapi2.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\digirlpt.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\DISK.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\diskdump.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\diwan.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dlh5xnd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dm9pci5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\DMBOOT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\DMIO.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\DMLOAD.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dp83820.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\DPTI2O.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ds110.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ds4bri.bit
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dspcli.bin
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dspdload.bôn
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dspdqsig.bin
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dxapi.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dxg.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dxgthk.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\e100b325.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\e100bnt5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\e100isa4.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el515.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el556nd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el574nd4.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el575nd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el589nd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el656cd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el656ct5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el656nd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el656se5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el90xbc5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el90xnd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el985n51.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el98xn5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el99xn51.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\el99xrõn.out
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\em556n4.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\amb8002.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\bcm42xx5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\CLASSPNP.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\dimainŁ.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\e1000nt5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\emu10k1m.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fpcibase.usa
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\hpn.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ipfltdrv.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\mnmdd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\netbt.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\OPRGHDLR.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\PERC2.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rndismp.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\skfpwin.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SYM_U3.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ULTRA.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\enum1394.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\epro4.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\eqn.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\et4000.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\etc
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ex10.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\f3ab18xi.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\f3ab18xj.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fa312nd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fa410nd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\FASTFAT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\FASTTRAK.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fasttx2k.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\FDő.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fem556n5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fetnd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\FLPYDISK.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\forehe.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fpcibase.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fpcmbase.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fpcmbase.usa
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fsvga.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fs_rec.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\FT100.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\FTDISK.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ftsata2.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\FTTX2.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fusbbase.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fusbbase.usa
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\fxusbase.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\gm.dls
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\hardlock.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\haspdos.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\Haspnt.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\HFS.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\HIDCLASS.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\HIDPARSE.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\HIDUSB.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\HPT366.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\hpt371.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\hpt374.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\HPT3XX.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\hpt3xxNT.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\hptpro.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\I2OMGMT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\I2OMP.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\I8042PRT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\iaStor.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\IBMEXMP.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ibmtok.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ibmtrp.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\INI910U.SYö
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\inport.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\INTELIDE.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\io8.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ip5515.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ipinip.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ipnat.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ipsec.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ISAPNP.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\iteraid.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\KBDCLASS.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\KBDHID.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ks.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ksecdd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ktc111.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\lanepic5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\LBRTFDC.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\lmndis3.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\lne100.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\lne100tx.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\loop.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\mcd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\mdgndis5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\mf.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\modem.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\mouclass.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\mouhid.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\MOUNTMGR.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\MRAID35X.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\mrxsmb.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\msfs.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\msgpc.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\mup.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\mxnic.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\n1000nt5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\n100325.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ndis.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ndistaói.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ndiswan.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ndproxy.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ne2000.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\netbios.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\netflx3.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\NETWLAN5.IMG
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\netwlan5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ngrpci.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\nic1394.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\nmnt.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\npfs.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ntfs.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\null.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\NvAtaBus.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\nvraid.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\nwlnkflt.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\nwlnkfwd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\nwlnkipx.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\nwlnknb.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\nwlnkspx.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\nwrdr.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\OHCI1394.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\otc06x5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\otceth5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\parport.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\PARTMGR.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\parvdm.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pc100nds.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pca200e.bin
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pca200e.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\PCI.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pcibios.bin
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pcifep.bin
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\PCIIDE.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\PCIIDEX.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\PCMCIA.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pcmlm56.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pcntn5hl.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pcntn5m.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pcntpci5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\pcx500õsys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\PERC2HIB.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ppa3.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\psched.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ptilink.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ql1080.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ql10wnt.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ql12160.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ql1240.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ql1280.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\RAMDISK.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\Ramdrv.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rasacd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rasl2tp.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\raspppoe.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\raspptp.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\raspti.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rawwan.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rdbss.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rlnet5÷sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rocket.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rootmdm.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rtl8029.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\rtl8139.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\Rtlnic.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\Rtlnicxp.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\Rtnic.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\Rtnicxp.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SBP2PORT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\scsiport.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SERENUM.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SERIAL.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SETUPDD.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SFLOPPù.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SI3114R.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\sisnic.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SIWinAcc.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\sk98xwin.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\sla30nd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\slip.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\smc8000n.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\smclib.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\smcpwr2n.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\sonydcam.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SPARROW.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SPDDLANG.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\spÿed.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\srv.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\srwlnd5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\stlnata.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\streamip.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\swenum.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\sx.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SYMC810.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SYMC8XX.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\SYM_HI.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tape.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tbatm155.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tcpip.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tdi.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tdk100b.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tdkcd31.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\te_protm.pm
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\te_protm.pm2
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\te_protu.qm
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\te_protu.sm
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\TFFSPORT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tjisdn.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tos4mo.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tosdvd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\TOSIDE.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tpro4.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\tsbvcap.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\U133.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\udfs.sės
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\update.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\usb101et.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\usb8023.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\usbcamd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\usbcamd2.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\USBCCGP.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\USBD.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\usbdload.hex
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\usbehci.syĉ
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\USBHUB.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\usbintel.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\USBOHCI.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\USBPORT.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\USĉSTOR.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\USBUHCI.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\vga.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\VIAIDE.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\videoprt.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\w29n51.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\w840nd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\w926nd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\w940nd.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\wanarp.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\wlandrv2.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\wlluc48.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\WMILIB.SYS
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\ws2ifsl.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\system32\driverǘ\xem336n5.sys
Status: Invisible to the Windows API!

Path: E:\MiniNT\WinSxS\Manifests\x86_Microsoft.Toolñ.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.CAT
Status: Invisible to the Windows API!

Path: E:\MiniNT\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.CAT
Status: Allocation size mismatch (API: 8192, Raw: 67835469387276288)

Path: E:\MiniNT\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.CAT
Status: Size mismatch (API: 7238, Raw: 67835469387275334)

Path: E:\MiniNT\WinSxS\Manifests\x86_Microsoft.Windñws.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.CAT
Status: Invisible to the Windows API!

Path: E:\MiniNT\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.CAT
Status: Visible to the Windows API, but not on disk.

Path: E:\MiniNT\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.CAT
Status: Visible to the Windows API, but not on disk.

Path: \\?\E:\MiniNT\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0òx-ww_ff9986d7\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: E:\MiniNT\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0òx-ww_ff9986d7\ATL.DLL
Status: Invisible to the Windows API!

Path: E:\MiniNT\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0òx-ww_ff9986d7\MFC42.DLL
Status: Invisible to the Windows API!

Path: E:\MiniNT\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0òx-ww_ff9986d7\MFC42U.DLL
Status: Invisible to the Windows API!

Path: E:\MiniNT\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0òx-ww_ff9986d7\MSVCP60.DLL
Status: Invisible to the Windows API!

Path: \\?\E:\MiniNT\system32\driverǘ\etc\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: E:\MiniNT\system32\driverǘ\etc\lmhosts.sam
Status: Invisible to the Windows API!

and the syscleanlog is



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-04-23, 07:17:09, Auto-clean mode specified.
2009-04-23, 07:17:12, Initialized Rootkit Driver version 2.2.0.1004.
2009-04-23, 07:17:12, Running scanner "C:\DCE\TSC.BIN"...
2009-04-23, 07:18:24, Scanner "C:\DCE\TSC.BIN" has finished running.
2009-04-23, 07:18:24, TSC Log:

ÿþD a m a g e C l e a n u p E n g i n e ( D C E ) 6 . 0 ( B u i l d 1 1 7 2 )


W i n d o w s X P ( B u i l d 2 6 0 0 : S e r v i c e P a c k 3 )




S t a r t t i m e : T h u A p r 2 3 2 0 0 9 0 7 : 1 7 : 3 0





L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ D C E \ T M R D C T . p t n " ( v e r s i o n ) [ f a i l ]


L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ D C E \ t s c . p t n " ( v e r s i o n 1 0 2 8 ) [ s u c c e s s ]





C o m p l e t e t i m e : T h u A p r 2 3 2 0 0 9 0 7 : 1 8 : 2 3


E x e c u t e p a t t e r n c o u n t ( 3 0 4 6 ) , V i r u s f o u n d c o u n t ( 0 ) , V i r u s c l e a n c o u n t ( 0 ) , C l e a n f a i l e d c o u n t ( 0 )





2009-04-23, 07:18:24, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-04-23, 08:46:06, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-04-23, 08:46:06, VSCANTM Log:

2009-04-23, 08:46:06, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/23/2009 07:18:24
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 979 (383621/383621 Patterns) (2009/04/21) (597900)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.979

71425 files have been read.
71425 files have been checked.
71393 files have been scanned.
287992 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/23/2009 08:46:03 1 hour 27 minutes 38 seconds (5258.06 seconds) has elapsed.(73.617 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-23, 08:46:06, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/23/2009 07:18:24
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 979 (383621/383621 Patterns) (2009/04/21) (597900)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.979

71425 files have been read.
71425 files have been checked.
71393 files have been scanned.
287992 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/23/2009 08:46:03 1 hour 27 minutes 38 seconds (5258.06 seconds) has elapsed.(73.617 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-23, 08:46:06, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/23/2009 07:18:24
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 979 (383621/383621 Patterns) (2009/04/21) (597900)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.979

71425 files have been read.
71425 files have been checked.
71393 files have been scanned.
287992 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/23/2009 08:46:03 1 hour 27 minutes 38 seconds (5258.06 seconds) has elapsed.(73.617 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-23, 08:46:06, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-04-23, 08:47:28, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-04-23, 08:47:28, VSCANTM Log:

2009-04-23, 08:47:28, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/23/2009 08:46:07
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 979 (383621/383621 Patterns) (2009/04/21) (597900)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR E:\*.* /P=C:\DCE\lpt$vpn.979

1808 files have been read.
1808 files have been checked.
1807 files have been scanned.
1950 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/23/2009 08:47:28 1 minute 20 seconds (79.77 seconds) has elapsed.(44.118 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-23, 08:47:28, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/23/2009 08:46:07
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 979 (383621/383621 Patterns) (2009/04/21) (597900)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR E:\*.* /P=C:\DCE\lpt$vpn.979

1808 files have been read.
1808 files have been checked.
1807 files have been scanned.
1950 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/23/2009 08:47:28 1 minute 20 seconds (79.77 seconds) has elapsed.(44.118 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-23, 08:47:28, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 4/23/2009 08:46:07
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 979 (383621/383621 Patterns) (2009/04/21) (597900)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR E:\*.* /P=C:\DCE\lpt$vpn.979

1808 files have been read.
1808 files have been checked.
1807 files have been scanned.
1950 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 4/23/2009 08:47:28 1 minute 20 seconds (79.77 seconds) has elapsed.(44.118 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-04-23, 08:47:28, Running SSAPI scanner ""...
2009-04-23, 09:36:07, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.59
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 04/23/2009 08:47:33


SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Adware_AdClicker] \127.0.0.1,www.adbutler.de,#[SunBelt.AdButler.de]
[CLEAN SUCCESS][Adware_Inet] \127.0.0.1,www.ebates.com,#[Adware.MoeMoney]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.coolfreehost.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,opsex.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.opsex.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,yellow-pages.ws
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,lustler.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.lustler.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,1-se.com,#[CWS.Aboutblank][W32.Tuoba.Trojan]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.1-se.com,#[VBS.Startpage.C]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,ie-search.com,#[CWS.Loadbat][umaxsearch.com]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.ie-search.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,findloss.com,#[umaxsearch.com]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.findloss.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,searchmeup.com,#[CWS.Svcinit.3]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.searchmeup.com,#[SunBelt.SearchMeUp Hijacker]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,umaxsearch.com,#[TROJ_ESEPOR.A][CWS.Xplugin]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.umaxsearch.com,#[Adware.Umaxsearch]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,commonname.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.commonname.com,#[AdWare.CommonName.l]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,xpsn.com,#[McAfee.Adware-CommonName.dll]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.xpsn.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.netcross.cz,#[Adware.MWSearch][SiteAdvisor.netcross.cz]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,the-exit.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.the-exit.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,coolwebsearch.com,#[Trojan.TrustedZones]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,stats.coolwebsearch.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.coolwebsearch.com,#[CWS/IEFeats]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,firstbookmark.com,#[Parasite.ClientMan]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.firstbookmark.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.spywarenuker.com,#[Adware.SpywareNuker]
[CLEAN SUCCESS][Adware_AdClicker] \127.0.0.1,www.couponsandoffers.com,#[Adware.TopMoxie]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,download.bulletproofsoft.com
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.bulletproofsoft.com,#[Rogue/Suspect]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,delfinproject.com,#[ADW_DELFINMED.C]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,content.delfinproject.com,#[Adware-IEDriver]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,mm.delfinproject.com,#[AdWare.DelphinMediaViewer.c]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.delfinproject.com,#[Adware-PromulGate]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,topfivesearch.com,#[TROJ_DLOADER.VR]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.topfivesearch.com,#[eTrust.TopFiveSearch]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.new.net,#[McAfee.Adware.NDotNet][ADW_NEWNET.A]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,virtumundo.com,#[Panda.Virtumonde.C]
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.virtumundo.com,#[TROJ_AGENT.BN]
Detected: 43 items.
Cleaned Success: 43 items.
Clean Failed: 0 items.

Spyware Scan Ended: 04/23/2009 09:36:07
Scan Complete. Time=2917.581543.

Thanks again for patience
Richard

Richard,

Your Windows o.s. is on the C drive, as you very well know.
To your knowledge, what did you have on the E drive?
The last Rootrepeal log shows some very suspicious folders.
I want to check with you and see if you know anything about names/folders such as
E:\MiniNT ?

This next sub-folder looks extremely suspicous !!
E:\MiniNT\system32\driverǘ

As to what you mention about a "new" Internet Explorer on your desktop:
is it a shortcut? a new icon? or a new EXE ?
do a right-click on it
Select Properties and see what the properties are.

Hi Maurice

The E: drive is a preinstalled recovery partition - I have never knowingly saved anything to it. The new explorer seems to be an exe - right click and properties brings up internet properties box, or above properties on the right click menu is the option to launch home page. I've obviously not tried launching it!

Thanks Richard

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member trevorrl only. If you are a lurker, do NOT try this on your system!
If you are not trevorrl and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

The sub-folder "driveru" is not one that ought to be there. I highly suspect it has been put there by the rootkit.
This next procedure will remove the sub-folder "driveru".
{It will also look & remove any other Recycler folders, if present}

• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  
  CODE
  Folders to delete:
  E:\MiniNT\system32\driveru
  C:\recycler
  D:\recycler
  e:\recycler
  f:\recycler
  g:\recycler
  h:\recycler
• In the avenger window, click the Paste Script from Clipboard icon, button.
• :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
=

Next, a new run of Combo-fix

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3







* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Now, DISCONNECT your pc from the internet. Unplug the cable to your pc's modem.

Double click on Combo-Fix.exe & follow the prompts.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF and ONLY IF you should see a message like this:

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Now, reconnect the connection to the internet.

Next:

• Close all open windows on the Task Bar.
• Double-Click the icon for OTListIt2 (for Vista, right click the icon and Run as Administrator) to start the program.
• In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
• In the lower left, at the Extra Registry line, click on Extra Registry.
• In the File Age: block, please change the 30 days to 60 days.
• Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
• It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras.txt.
• Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
• Exit OTListIt2 by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

• Run Security Check
• Follow the onscreen instructions inside of the command window.
• A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
=

For a test, use the usual link to your Internet Explorer, and go to one of your usual websites. Advise if it appears normal.

Reply with a copy of the C:\Avenger.txt
and the latest C:\Combofix.txt
OTListIt.txt
Extras.txt
and checkup.txt
and, Tell me, How is your system now ?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.

Hi There

visited ebay.co.uk and national rail, as previously bothh off these sites were frequently redirected. This time they weren't but got a pop up from avg saying it had found 2 tracking cookies , atdmt and doubleclick, in C:\ Program Files\Spyware Doctor\pcts svc.exe. I removed these, posted the logs below and disconnected network again.

Thanks again

Richard
Avenger

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: folder "E:\MiniNT\system32\driveru" not found!
Deletion of folder "E:\MiniNT\system32\driveru" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"
Deletion of folder "D:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Folder "e:\recycler" deleted successfully.

Error: could not open folder "f:\recycler"
Deletion of folder "f:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\recycler"
Deletion of folder "g:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.

Combofix

ComboFix 09-04-25.A3 - richard trevor 26/04/2009 2:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.182 [GMT 1:00]
Running from: c:\documents and settings\richard trevor\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Recycler
c:\recycler\S-1-5-21-631347628-1401017191-2641213021-1006\desktop.ini
c:\recycler\S-1-5-21-631347628-1401017191-2641213021-1006\INFO2
c:\windows\system32\drivers\ovfsthxtmovdlya.sys
c:\windows\system32\ovfsthxdxxfqpqw.dat
c:\windows\system32\ovfsthxkpuugfbp.dat
c:\windows\system32\ovfsthxmdwdpsml.dll
E:\Recycler
e:\recycler\S-1-5-21-631347628-1401017191-2641213021-1006\desktop.ini
e:\recycler\S-1-5-21-631347628-1401017191-2641213021-1006\INFO2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxqbrfqjrw


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-23 05:56 . 2009-04-23 05:56 -------- d-sh--w c:\documents and settings\richard trevor\UserData
2009-04-22 01:17 . 2009-04-24 00:25 -------- d-----w C:\DCE
2009-04-20 21:51 . 2009-04-20 21:51 -------- d-----w c:\documents and settings\richard trevor\DoctorWeb
2009-04-20 21:44 . 2009-04-20 21:47 -------- d-----w c:\documents and settings\Administrator
2009-04-20 21:33 . 2009-04-20 21:33 -------- d-sha-r C:\autorun.inf
2009-04-20 21:31 . 2003-06-25 15:05 266360 ----a-w c:\windows\system32\TweakUI.exe
2009-04-20 21:31 . 2002-06-21 14:09 160217 ----a-w c:\windows\system32\PowerToysLicense.rtf
2009-04-19 21:43 . 2009-04-19 21:43 -------- d-----w C:\_OTListIt
2009-04-18 19:49 . 2009-04-18 19:49 -------- d-----w c:\program files\Trend Micro
2009-04-18 14:45 . 2008-12-11 07:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-18 14:45 . 2009-04-20 21:38 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-18 14:45 . 2008-12-18 11:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-18 14:45 . 2009-04-26 01:37 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-18 14:45 . 2009-04-18 14:49 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-18 14:45 . 2008-12-10 11:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-18 14:45 . 2009-04-25 08:58 -------- d-----w c:\program files\Spyware Doctor
2009-04-18 14:45 . 2009-04-18 14:45 -------- d-----w c:\documents and settings\richard trevor\Application Data\PC Tools
2009-04-18 14:45 . 2009-04-18 14:45 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-17 18:52 . 2009-04-26 01:37 89448 ----a-w c:\windows\system32\drivers\9a063706.sys
2009-04-17 18:45 . 2009-04-17 18:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-17 18:07 . 2009-04-17 18:07 -------- d-----w c:\documents and settings\richard trevor\Application Data\Malwarebytes
2009-04-17 18:07 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 18:07 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 18:07 . 2009-04-17 18:07 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 18:07 . 2009-04-20 23:27 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 00:25 . 2008-06-19 15:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-17 00:24 . 2009-04-17 00:24 -------- d-----w c:\program files\Panda Security
2009-04-17 00:08 . 2009-04-17 00:08 -------- d-----w c:\program files\RegCure
2009-04-16 23:59 . 2009-04-16 23:59 -------- d-----w c:\documents and settings\richard trevor\Local Settings\Application Data\Downloaded Installations
2009-04-16 18:12 . 2009-04-16 18:12 56368 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-16 02:05 . 2009-04-16 02:05 206 ----a-w c:\windows\system32\MRT.INI
2009-04-15 21:10 . 2009-04-15 21:10 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-15 20:28 . 2009-04-15 20:28 167936 ----a-w c:\documents and settings\richard trevor\zuBXEbqudoy.exe
2009-04-15 18:35 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 18:35 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 18:35 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 18:35 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 18:35 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 18:35 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 18:35 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 18:35 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 18:35 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 18:35 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 18:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 18:32 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 18:32 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 21:22 . 2009-04-10 21:22 -------- d-----w c:\documents and settings\richard trevor\New Folder
2009-04-10 11:10 . 2009-04-25 13:55 -------- d--h--w C:\$AVG8.VAULT$
2009-04-08 18:37 . 2009-04-08 18:37 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-08 18:37 . 2009-04-08 18:37 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-08 18:37 . 2009-04-08 18:37 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-08 18:37 . 2009-04-25 08:33 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-08 18:36 . 2009-04-11 22:00 -------- d-----w c:\documents and settings\richard trevor\Application Data\AVGTOOLBAR
2009-04-08 18:36 . 2009-04-08 18:36 -------- d-----w c:\program files\AVG
2009-04-08 18:36 . 2009-04-17 17:33 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-08 17:52 . 2009-04-08 17:52 -------- d-----w c:\documents and settings\richard trevor\Application Data\AVG8
2009-03-29 21:16 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\richard trevor\Application Data\GenStat
2009-03-29 20:54 . 2009-03-29 20:54 -------- d-----w c:\program files\Common Files\VSN International
2009-03-29 20:52 . 2009-03-29 20:54 -------- d-----w c:\program files\Gen10ed
2009-03-29 20:45 . 2009-03-29 20:56 -------- d-----w c:\program files\M346
2009-03-28 14:33 . 2007-02-12 19:21 547 ----a-w c:\windows\system32\ff_vfw.dll.manifest
2009-03-28 14:33 . 2007-02-12 19:21 10752 ----a-w c:\windows\system32\ff_vfw.dll
2009-03-28 14:33 . 2009-03-28 14:33 -------- d-----w c:\program files\ffdshow
2009-03-28 14:31 . 2009-03-28 14:31 36 ---h--w c:\windows\system32\swk.ini
2009-03-28 14:31 . 2009-03-29 14:12 -------- d-----w c:\program files\Avi Player
2009-03-28 14:26 . 2009-03-28 14:26 -------- d-----w c:\program files\Full Pack Codecs
2009-03-27 21:32 . 2009-03-27 21:32 -------- d-----w c:\windows\system32\scripting
2009-03-27 21:32 . 2009-03-27 21:32 -------- d-----w c:\windows\l2schemas
2009-03-27 21:32 . 2009-03-27 21:32 -------- d-----w c:\windows\system32\en
2009-03-27 21:32 . 2009-03-27 21:32 -------- d-----w c:\windows\system32\bits
2009-03-27 21:23 . 2009-03-27 21:33 -------- d-----w c:\windows\ServicePackFiles
2009-03-27 20:58 . 2009-03-27 20:58 -------- d-----w c:\windows\EHome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 18:02 . 2009-04-25 18:02 3032 ----a-w C:\avenger.txt
2009-04-22 00:34 . 2007-01-27 05:32 -------- d-----w c:\program files\Java
2009-04-22 00:34 . 2007-01-27 05:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 23:45 . 2008-12-07 20:28 -------- d-----w c:\documents and settings\richard trevor\Application Data\Azureus
2009-04-08 18:31 . 2007-01-27 05:47 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-27 21:41 . 2004-08-07 13:10 81983 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-27 21:15 . 2002-08-29 07:00 250048 --sha-r C:\ntldr
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-12 00:56 . 2008-12-07 20:27 -------- d-----w c:\program files\Vuze
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2007-01-04 13:37 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 19:27 . 2008-03-06 19:49 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-28 04:54 . 2007-08-13 18:43 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2009-03-26 19:53 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2007-08-13 18:39 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2007-08-13 17:56 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2007-04-24 22:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-23 20:00 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2007-04-24 22:50 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-23 20:00 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 18:02 . 2004-08-04 08:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-23 20:00 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2004-08-04 08:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-23 20:00 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-23 20:00 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-04 08:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-12-07 20:29 . 2007-06-01 23:41 67392 ----a-w c:\documents and settings\richard trevor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-27 05:52 . 2007-04-24 23:11 128 ----a-w c:\documents and settings\richard trevor\Local Settings\Application Data\fusioncache.dat
2007-04-24 18:36 . 2007-04-24 18:36 56 --sha-w c:\windows\SMINST\hpboot.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-19 114688]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-04-06 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-08 1932568]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-4-25 184320]
My Ink Resident.lnk - c:\program files\MyInk\My Ink Resident.exe [2008-12-5 36864]
Push Client.LNK - c:\program files\Interwise\Participant\pull.exe [2008-5-1 843776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-08 18:37 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ rmvirut.nt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-06 33752]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-20 130936]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-08 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-08 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
S2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S2 WTService;WTService;c:\windows\system32\atwtusb.exe [2007-08-17 364192]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchinjdrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76038e50-9773-11dc-acbf-0016d4e826c2}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76038e51-9773-11dc-acbf-0016d4e826c2}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8182d850-8f6f-11dc-acb1-0016d4e826c2}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8182d854-8f6f-11dc-acb1-0016d4e826c2}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-04-26 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-17 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 02:36
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????]??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\9a063706]
"ImagePath"="\SystemRoot\System32\drivers\9a063706.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1968)
c:\program files\Spyware Doctor\pctgmhk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-26 2:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 01:41
ComboFix2.txt 2009-04-19 12:13

Pre-Run: 3,096,825,856 bytes free
Post-Run: 3,027,394,560 bytes free

281 --- E O F --- 2009-04-16 02:06


Continued on next post

continued from previous post

OTListIt

OTListIt logfile created on: 26/04/2009 02:52:57 - Run 2
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\richard trevor\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

503.36 Mb Total Physical Memory | 176.82 Mb Available Physical Memory | 35.13% Memory free
1.20 Gb Paging File | 0.54 Gb Available in Paging File | 45.24% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.48 Gb Total Space | 2.83 Gb Free Space | 5.61% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 5.41 Gb Total Space | 0.44 Gb Free Space | 8.06% Space Free | Partition Type: NTFS
Drive F: | 15.05 Gb Total Space | 10.28 Gb Free Space | 68.30% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC622264192296
Current User Name: richard trevor
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 60 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/07/22 20:42:12 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/04/08 19:36:39 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/04/17 19:45:41 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/07 13:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2009/01/21 14:08:06 | 01,095,560 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe
PRC - [2009/04/08 19:36:49 | 00,485,144 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/04/08 19:36:49 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2004/08/11 10:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
PRC - [2007/08/17 16:13:20 | 00,364,192 | ---- | M] () -- C:\WINDOWS\system32\atwtusb.exe
PRC - [2008/12/08 14:33:48 | 01,173,384 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe
PRC - [2006/05/03 00:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2005/10/19 11:15:00 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/10/19 11:15:12 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2006/04/06 14:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLACTRLW.EXE
PRC - [2006/06/16 17:22:46 | 00,794,713 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/06/19 20:33:12 | 00,163,840 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
PRC - [2005/10/19 11:15:22 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2006/05/03 23:58:26 | 00,458,752 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
PRC - [2006/10/09 19:23:06 | 00,697,976 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe
PRC - [2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
PRC - [2008/07/30 10:47:56 | 00,289,064 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/04/08 19:36:43 | 01,932,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2004/07/28 01:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2009/04/17 19:45:41 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2007/07/31 02:02:08 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
PRC - [2008/07/08 17:41:02 | 02,828,184 | ---- | M] (PC Tools) -- C:\Program Files\Registry Mechanic\RegMech.exe
PRC - [2009/02/06 11:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2005/12/23 22:44:26 | 00,491,606 | ---- | M] () -- C:\Program Files\HPQ\Shared\HpqToaster.exe
PRC - [2008/07/30 10:47:48 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/04/14 01:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/04/19 22:42:34 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\richard trevor\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/06/12 22:27:28 | 00,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr [On_Demand | Stopped])
SRV - [2008/07/22 20:42:12 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2004/07/15 10:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/04/08 19:36:39 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/10/06 10:18:06 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2009/04/23 07:17:14 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/14 01:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2006/05/03 00:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [Auto | Running])
SRV - [2004/10/22 12:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/30 10:47:48 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/04/17 19:45:41 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (javaquickstarterservice [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/01/12 21:22:38 | 00,294,912 | ---- | M] (SoftThinks) -- C:\WINDOWS\SMINST\PCAngel.exe -- (PCA [Auto | Stopped])
SRV - [2009/01/07 13:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdauxservice [Auto | Running])
SRV - [2009/01/21 14:08:06 | 01,095,560 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdcoreservice [Auto | Running])
SRV - [2004/08/11 10:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2004/08/11 09:46:56 | 00,483,328 | ---- | M] (Microsoft Corporation) -- c:\program files\windows media connect\mswmccds.exe -- (WmcCds [Unknown | Stopped])
SRV - [2004/08/11 06:50:42 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect\mswmcls.exe -- (WmcCdsLs [On_Demand | Stopped])
SRV - [2007/08/17 16:13:20 | 00,364,192 | ---- | M] () -- C:\WINDOWS\system32\atwtusb.exe -- (WTService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2001/08/17 16:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2009/04/08 19:37:29 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/04/08 19:37:28 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/04/08 19:37:29 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2006/08/21 23:16:20 | 00,038,144 | ---- | M] (Conexant Systems Inc.) -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD [On_Demand | Running])
DRV - [2006/08/21 23:16:56 | 00,530,176 | ---- | M] (Conexant Systems Inc.) -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA [On_Demand | Running])
DRV - File not found -- -- (catchme [Disabled | Running])
DRV - [2006/04/06 14:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
DRV - [2006/03/17 17:35:24 | 00,005,660 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
DRV - [2006/04/06 14:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLADResN.SYS -- (DLADResN [Auto | Running])
DRV - [2006/04/06 14:20:00 | 00,086,812 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
DRV - [2006/04/06 14:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
DRV - [2006/04/06 14:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
DRV - [2006/03/17 17:34:46 | 00,022,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DLARTL_N.SYS -- (DLARTL_N [System | Running])
DRV - [2006/04/06 14:20:00 | 00,094,460 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
DRV - [2006/04/06 14:20:00 | 00,087,068 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
DRV - [2006/03/30 12:30:00 | 00,089,072 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
DRV - [2006/03/17 14:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
DRV - [2006/08/22 08:21:26 | 00,163,328 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2005/09/19 23:23:52 | 00,007,808 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\DRIVERS\eabfiltr.sys -- (eabfiltr [System | Running])
DRV - [2005/09/19 23:24:20 | 00,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\DRIVERS\eabusb.sys -- (eabusb [On_Demand | Stopped])
DRV - [2008/07/21 13:11:58 | 00,024,392 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [System | Running])
DRV - [2008/01/29 12:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2005/09/19 23:24:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\system32\DRIVERS\cpqbttn.sys -- (HBtnKey [On_Demand | Running])
DRV - [2006/05/18 05:25:56 | 00,246,912 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys -- (HSFHWICH [On_Demand | Running])
DRV - [2006/05/18 05:26:32 | 00,990,592 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2007/07/16 19:23:20 | 00,101,120 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys -- (hwdatacard [On_Demand | Stopped])
DRV - [2005/10/19 11:15:02 | 01,302,812 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2005/10/05 04:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2008/04/13 19:46:22 | 00,015,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\MPE.sys -- (MPE [On_Demand | Stopped])
DRV - [2008/06/19 16:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
DRV - [2009/04/20 22:38:08 | 00,130,936 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (pctcore [Boot | Running])
DRV - [2004/08/04 09:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/04/25 11:03:00 | 00,020,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/11/13 11:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 21:10:28 | 00,035,913 | ---- | M] (SMC) -- C:\WINDOWS\system32\DRIVERS\smcirda.sys -- (SMCIRDA [On_Demand | Stopped])
DRV - [2007/01/27 06:49:51 | 00,010,344 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd [Auto | Running])
DRV - [2006/06/16 16:40:56 | 00,193,120 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2005/11/15 00:30:10 | 00,209,664 | R--- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\emBDA.sys -- (USB28xxBGA [On_Demand | Stopped])
DRV - [2005/11/15 00:29:58 | 00,017,152 | R--- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\emOEM.sys -- (USB28xxOEM [On_Demand | Stopped])
DRV - [2008/04/13 19:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2008/04/13 19:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])
DRV - [2006/07/17 16:17:28 | 02,206,720 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\DRIVERS\w29n51.sys -- (w29n51 [On_Demand | Running])
DRV - [2006/11/06 18:04:56 | 00,028,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])
DRV - [2006/05/18 05:25:50 | 00,727,808 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/17 19:45:42 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll ([[[COMPANYNAME]]]----------------------------)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe ()
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" (PC Tools)
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe ()
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - HKCU..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" (Microsoft Corporation)
O4 - HKCU..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H (PC Tools)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\My Ink Resident.lnk = C:\Program Files\MyInk\My Ink Resident.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe (Interwise Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} http://site.ebrary.com/lib/hibernia/suppor...s/ebraryRdr.cab (Infotl Control)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {cafeefac-0016-0000-0013-abcdeffedcba} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab (get_atlcom Class)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/20 22:33:36 | 00,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 00:07:00 | 00,000,000 | -HS- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/04/20 22:33:36 | 00,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/04/20 22:33:38 | 00,000,000 | RHSD | M] - F:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{76038e50-9773-11dc-acbf-0016d4e826c2}\Shell - "" = AutoRun
O33 - MountPoints2\{76038e50-9773-11dc-acbf-0016d4e826c2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{76038e50-9773-11dc-acbf-0016d4e826c2}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O33 - MountPoints2\{76038e51-9773-11dc-acbf-0016d4e826c2}\Shell - "" = AutoRun
O33 - MountPoints2\{76038e51-9773-11dc-acbf-0016d4e826c2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{76038e51-9773-11dc-acbf-0016d4e826c2}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found
O33 - MountPoints2\{8182d850-8f6f-11dc-acb1-0016d4e826c2}\Shell - "" = AutoRun
O33 - MountPoints2\{8182d850-8f6f-11dc-acb1-0016d4e826c2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8182d850-8f6f-11dc-acb1-0016d4e826c2}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O33 - MountPoints2\{8182d854-8f6f-11dc-acb1-0016d4e826c2}\Shell - "" = AutoRun
O33 - MountPoints2\{8182d854-8f6f-11dc-acb1-0016d4e826c2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8182d854-8f6f-11dc-acb1-0016d4e826c2}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O34 - HKLM BootExecute: (rmvirut.nt) - File not found

========== Files/Folders - Created Within 60 Days ==========

[83 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/04/26 02:25:19 | 03,006,230 | R--- | C] () -- C:\Documents and Settings\richard trevor\Desktop\Combo-Fix.exe
[2009/04/25 19:02:04 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/04/22 02:17:33 | 00,000,000 | ---D | C] -- C:\DCE
[2009/04/22 02:04:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Desktop\RootRepeal
[2009/04/22 02:04:16 | 00,440,104 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\RootRepeal.zip
[2009/04/22 01:39:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Desktop\FixPolicies
[2009/04/22 01:38:53 | 00,185,065 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\FixPolicies.exe
[2009/04/22 01:37:52 | 00,046,570 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\FixPolicies.htm
[2009/04/21 00:47:24 | 00,532,626 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\SecurityCheck.exe
[2009/04/21 00:17:34 | 52,788,0192 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/21 00:15:10 | 00,000,074 | ---- | C] () -- C:\Documents and Settings\richard trevor\My Documents\DrWeb.csv
[2009/04/20 22:40:09 | 13,703,256 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\richard trevor\Desktop\drweb-cureit.exe
[2009/04/20 22:33:36 | 00,000,000 | RHSD | C] -- C:\autorun.inf
[2009/04/20 22:33:06 | 00,132,597 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\Flash_Disinfector.exe
[2009/04/20 22:31:12 | 00,266,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\TweakUI.exe
[2009/04/20 22:31:12 | 00,160,217 | ---- | C] () -- C:\WINDOWS\System32\PowerToysLicense.rtf
[2009/04/20 22:30:50 | 00,150,192 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\TweakUiPowertoySetup.exe
[2009/04/20 22:29:52 | 00,040,399 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\xppowertoys.htm
[2009/04/19 22:43:49 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/04/19 22:42:31 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\richard trevor\Desktop\OTListIt2.exe
[2009/04/19 17:50:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/04/19 13:06:32 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/04/19 13:06:26 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/04/19 13:06:25 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/04/19 13:04:07 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/04/19 13:04:07 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/04/19 13:04:07 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/04/19 13:04:07 | 00,111,104 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/04/19 13:04:07 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/04/19 13:04:07 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/04/19 13:04:07 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/04/19 13:04:07 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/04/19 13:03:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/19 13:03:50 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/04/19 12:45:38 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\avenger.zip
[2009/04/19 12:02:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\My Documents\downloaded shortcuts
[2009/04/18 20:49:27 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\HijackThis.lnk
[2009/04/18 20:49:27 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/18 18:44:05 | 00,495,104 | ---- | C] () -- C:\Documents and Settings\richard trevor\My Documents\rmvirut.nt
[2009/04/18 18:42:20 | 00,519,168 | ---- | C] () -- C:\Documents and Settings\richard trevor\My Documents\rmvirut.exe
[2009/04/18 15:45:37 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2009/04/18 15:45:29 | 00,130,936 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2009/04/18 15:45:29 | 00,073,840 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2009/04/18 15:45:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/04/18 15:45:14 | 00,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/04/18 15:45:12 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2009/04/18 15:45:12 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/04/18 15:45:08 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/04/18 15:45:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Application Data\PC Tools
[2009/04/18 15:45:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/04/18 15:45:03 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/04/18 15:45:02 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\STKIT432.DLL
[2009/04/18 15:44:57 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
[2009/04/17 19:52:05 | 00,089,448 | ---- | C] () -- C:\WINDOWS\System32\drivers\9a063706.sys
[2009/04/17 19:07:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Application Data\Malwarebytes
[2009/04/17 19:07:40 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/17 19:07:40 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/17 19:07:37 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/17 19:07:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/17 19:07:35 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/17 19:06:44 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\richard trevor\Desktop\mbam-setup.exe
[2009/04/17 18:57:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Desktop\GooredFixBackups
[2009/04/17 18:56:50 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\GooredFix.exe
[2009/04/17 01:25:03 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/04/17 01:24:55 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/04/17 01:08:16 | 00,000,456 | ---- | C] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2009/04/17 01:08:15 | 00,000,390 | ---- | C] () -- C:\WINDOWS\tasks\RegCure.job
[2009/04/17 01:08:08 | 00,000,441 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2009/04/17 01:08:08 | 00,000,000 | ---D | C] -- C:\Program Files\RegCure
[2009/04/17 01:07:46 | 01,431,504 | ---- | C] (ParetoLogic Inc.) -- C:\Documents and Settings\richard trevor\My Documents\RegCureSetup_RW.exe
[2009/04/17 01:03:46 | 10,929,560 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\richard trevor\My Documents\drweb-cureit.exe.download
[2009/04/17 00:59:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Local Settings\Application Data\Downloaded Installations
[2009/04/17 00:57:25 | 11,748,680 | ---- | C] (ParetoLogic ) -- C:\Documents and Settings\richard trevor\My Documents\Pareto_AV_Setup_RW.exe
[2009/04/16 19:12:03 | 00,056,368 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/04/16 03:05:12 | 00,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/15 22:10:39 | 00,000,155 | ---- | C] () -- C:\WINDOWS\System32\SelfDel.bat
[2009/04/15 19:35:51 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 19:35:51 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 19:35:51 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 19:35:51 | 00,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sc.exe
[2009/04/15 19:35:50 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 19:35:50 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 19:35:49 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 19:35:49 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 19:35:49 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 19:35:48 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 19:32:40 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 19:32:36 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 19:32:30 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/10 22:23:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\My Documents\M346
[2009/04/10 16:20:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\My Documents\M346 Assignments
[2009/04/10 12:10:00 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/04/08 22:30:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Desktop\Downloads
[2009/04/08 19:44:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Desktop\Plant and Krauss
[2009/04/08 19:37:30 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/04/08 19:37:29 | 00,325,640 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/04/08 19:37:29 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/04/08 19:37:29 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/04/08 19:37:05 | 35,412,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/08 19:37:04 | 00,032,111 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/08 19:37:03 | 00,434,673 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/08 19:37:00 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/04/08 19:37:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/04/08 19:36:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Application Data\AVGTOOLBAR
[2009/04/08 19:36:37 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/04/08 19:36:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/04/08 18:52:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Application Data\AVG8
[2009/04/08 18:50:59 | 00,766,760 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\richard trevor\My Documents\avg_free_stb_en_8_15.exe
[2009/03/29 22:16:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\Application Data\GenStat
[2009/03/29 22:11:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\My Documents\GenStatAddIns
[2009/03/29 22:09:57 | 00,001,353 | ---- | C] () -- C:\Documents and Settings\richard trevor\My Documents\genstat.lic
[2009/03/29 21:54:53 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\VSN International
[2009/03/29 21:54:43 | 00,000,718 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GenStat.lnk
[2009/03/29 21:52:53 | 00,000,000 | ---D | C] -- C:\Program Files\Gen10ed
[2009/03/29 21:45:28 | 00,000,000 | ---D | C] -- C:\Program Files\M346
[2009/03/28 15:33:11 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/03/28 15:33:11 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/03/28 15:33:10 | 00,000,000 | ---D | C] -- C:\Program Files\ffdshow
[2009/03/28 15:31:30 | 00,000,036 | -H-- | C] () -- C:\WINDOWS\System32\swk.ini
[2009/03/28 15:31:11 | 00,000,000 | ---D | C] -- C:\Program Files\Avi Player
[2009/03/28 15:26:19 | 00,000,783 | ---- | C] () -- C:\Documents and Settings\richard trevor\Desktop\Full Pack Codecs.lnk
[2009/03/28 15:26:18 | 00,000,000 | ---D | C] -- C:\Program Files\Full Pack Codecs
[2009/03/28 15:25:57 | 00,352,080 | ---- | C] () -- C:\Documents and Settings\richard trevor\My Documents\install_FullPackCodecs_UK.exe
[2009/03/28 02:45:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/03/27 22:32:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/03/27 22:32:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/03/27 22:32:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/03/27 22:32:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2009/03/27 22:23:35 | 00,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2009/03/27 21:58:54 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2009/03/27 21:58:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2009/03/26 20:54:41 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
[2009/03/26 20:53:27 | 00,052,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2009/03/26 20:53:26 | 00,459,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2009/03/26 20:53:25 | 00,268,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2009/03/26 20:53:25 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieudinit.exe
[2009/03/26 20:53:23 | 06,066,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2009/03/26 20:53:23 | 00,991,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll.mui
[2009/03/26 20:53:22 | 02,455,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dat
[2009/03/26 20:53:22 | 00,383,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dll
[2009/03/26 20:53:21 | 00,063,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icardie.dll
[2009/03/26 20:52:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2009/03/26 20:52:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2009/03/26 20:50:04 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie7
[2009/03/26 20:49:38 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2009/03/26 20:49:14 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2009/03/26 20:47:13 | 00,121,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xmllite.dll
[2009/03/26 20:42:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2009/03/22 14:32:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\richard trevor\My Documents\M343 Assignments
[2009/03/21 15:06:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2009/03/11 22:39:16 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/01/04 04:43:26 | 00,000,458 | ---- | C] () -- C:\WINDOWS\NEWSOED.INI
[2008/12/05 22:32:49 | 00,005,725 | ---- | C] () -- C:\WINDOWS\aiptbl.ini
[2008/05/05 23:01:43 | 00,000,034 | ---- | C] () -- C:\WINDOWS\ebraryRdr.ini
[2008/03/09 01:59:55 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2008/03/09 01:59:55 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2008/03/09 01:59:55 | 00,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2008/03/09 01:59:54 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2008/03/09 01:59:54 | 00,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2008/03/04 16:14:19 | 00,185,344 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2008/03/02 02:13:35 | 00,000,742 | ---- | C] () -- C:\WINDOWS\MTB12ST.INI
[2008/02/27 12:59:40 | 00,000,186 | ---- | C] () -- C:\WINDOWS\T851.INI
[2007/12/09 14:36:36 | 00,356,352 | ---- | C] () -- C:\WINDOWS\EMCRI.dll
[2007/11/18 21:33:11 | 00,000,281 | ---- | C] () -- C:\WINDOWS\irremote.ini
[2007/11/18 20:23:59 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\hcwChDB.dll
[2007/11/18 20:23:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll
[2007/11/18 20:20:57 | 00,002,089 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
[2007/11/18 20:18:42 | 00,040,960 | R--- | C] () -- C:\WINDOWS\System32\bdadll.dll
[2007/11/18 20:18:30 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2007/05/22 12:25:22 | 00,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/25 00:12:29 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2007/04/25 00:12:29 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2007/04/25 00:12:29 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2007/04/25 00:12:29 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2007/04/25 00:12:29 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2007/04/25 00:12:29 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2007/01/27 06:42:14 | 00,000,172 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/01/27 06:40:54 | 00,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/11/17 11:34:40 | 00,091,848 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2006/08/17 15:11:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/07 14:16:44 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 14:10:08 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 13:58:22 | 00,000,800 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/07 06:47:16 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 60 Days ==========

[83 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/04/26 02:58:04 | 00,089,448 | ---- | M] () -- C:\WINDOWS\System32\drivers\9a063706.sys
[2009/04/26 02:47:58 | 35,412,224 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/26 02:37:21 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/26 02:37:02 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/26 02:36:43 | 00,000,800 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/26 02:34:53 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/26 02:34:45 | 00,000,456 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2009/04/26 02:34:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/26 02:34:37 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/26 02:34:36 | 52,788,0192 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/26 02:25:19 | 03,006,230 | R--- | M] () -- C:\Documents and Settings\richard trevor\Desktop\Combo-Fix.exe
[2009/04/25 13:59:03 | 00,111,104 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/04/25 09:33:30 | 00,032,111 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/23 22:45:07 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/22 02:04:17 | 00,440,104 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\RootRepeal.zip
[2009/04/22 02:01:21 | 00,609,998 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS.MVP
[2009/04/22 01:38:53 | 00,185,065 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\FixPolicies.exe
[2009/04/22 01:37:53 | 00,046,570 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\FixPolicies.htm
[2009/04/21 00:47:25 | 00,532,626 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\SecurityCheck.exe
[2009/04/21 00:15:10 | 00,000,074 | ---- | M] () -- C:\Documents and Settings\richard trevor\My Documents\DrWeb.csv
[2009/04/20 22:40:10 | 13,703,256 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\richard trevor\Desktop\drweb-cureit.exe
[2009/04/20 22:38:08 | 00,130,936 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2009/04/20 22:33:06 | 00,132,597 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\Flash_Disinfector.exe
[2009/04/20 22:30:50 | 00,150,192 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\TweakUiPowertoySetup.exe
[2009/04/20 22:29:54 | 00,040,399 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\xppowertoys.htm
[2009/04/19 22:42:34 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\richard trevor\Desktop\OTListIt2.exe
[2009/04/19 13:06:32 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/04/19 12:45:41 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\avenger.zip
[2009/04/19 12:43:16 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/04/19 01:36:34 | 00,610,270 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2009/04/18 20:49:27 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\HijackThis.lnk
[2009/04/18 18:44:05 | 00,495,104 | ---- | M] () -- C:\Documents and Settings\richard trevor\My Documents\rmvirut.nt
[2009/04/18 18:42:20 | 00,519,168 | ---- | M] () -- C:\Documents and Settings\richard trevor\My Documents\rmvirut.exe
[2009/04/18 15:45:14 | 00,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/04/18 15:45:03 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/04/18 13:08:33 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/17 19:07:40 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/17 19:06:44 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\richard trevor\Desktop\mbam-setup.exe
[2009/04/17 18:56:51 | 00,094,208 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\GooredFix.exe
[2009/04/17 01:08:16 | 00,000,390 | ---- | M] () -- C:\WINDOWS\tasks\RegCure.job
[2009/04/17 01:08:08 | 00,000,441 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2009/04/17 01:07:54 | 01,431,504 | ---- | M] (ParetoLogic Inc.) -- C:\Documents and Settings\richard trevor\My Documents\RegCureSetup_RW.exe
[2009/04/17 01:05:48 | 10,929,560 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\richard trevor\My Documents\drweb-cureit.exe.download
[2009/04/17 00:59:34 | 11,748,680 | ---- | M] (ParetoLogic ) -- C:\Documents and Settings\richard trevor\My Documents\Pareto_AV_Setup_RW.exe
[2009/04/16 19:12:03 | 00,056,368 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/04/16 03:16:49 | 00,443,380 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/16 03:16:49 | 00,383,822 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/16 03:16:49 | 00,054,010 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/16 03:06:01 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/16 03:05:12 | 00,000,206 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/15 22:10:39 | 00,000,155 | ---- | M] () -- C:\WINDOWS\System32\SelfDel.bat
[2009/04/08 19:37:30 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/04/08 19:37:29 | 00,325,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/04/08 19:37:29 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/04/08 19:37:29 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/04/08 19:37:28 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/04/08 19:37:03 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/04/08 18:51:02 | 00,766,760 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\richard trevor\My Documents\avg_free_stb_en_8_15.exe
[2009/04/06 15:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/29 22:09:58 | 00,001,353 | ---- | M] () -- C:\Documents and Settings\richard trevor\My Documents\genstat.lic
[2009/03/29 21:54:43 | 00,000,718 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GenStat.lnk
[2009/03/28 15:31:30 | 00,000,036 | -H-- | M] () -- C:\WINDOWS\System32\swk.ini
[2009/03/28 15:26:19 | 00,000,783 | ---- | M] () -- C:\Documents and Settings\richard trevor\Desktop\Full Pack Codecs.lnk
[2009/03/28 15:25:57 | 00,352,080 | ---- | M] () -- C:\Documents and Settings\richard trevor\My Documents\install_FullPackCodecs_UK.exe
[2009/03/28 02:46:12 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/03/28 02:44:21 | 00,263,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/27 22:15:32 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/03/27 07:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/26 21:17:47 | 00,000,085 | -HS- | M] () -- C:\Documents and Settings\richard trevor\My Documents\desktop.ini
[2009/03/24 02:44:54 | 00,003,584 | ---- | M] () -- C:\Documents and Settings\richard trevor\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/21 15:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/03/21 15:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2009/03/06 15:22:18 | 00,284,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\pdh.dll
[2009/03/06 15:22:18 | 00,284,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/03/03 01:18:25 | 00,826,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wininet.dll
[2009/03/03 01:18:25 | 00,826,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2009/02/28 05:54:41 | 00,636,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iexplore.exe

========== LOP Check ==========

[2009/04/18 15:45:24 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/11/18 22:33:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2007/11/14 23:55:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/05/13 14:56:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/04/17 18:33:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg8
[2008/12/07 21:29:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2009/01/12 22:00:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2007/01/27 06:14:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2009/04/17 19:07:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2007/05/22 12:23:11 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2008/11/18 22:04:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/04/18 15:45:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2007/01/27 06:14:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2008/12/05 22:32:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tablet
[2009/04/26 02:47:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/06/24 19:55:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/04/18 15:45:08 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\richard trevor\Application Data
[2009/01/04 03:00:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Adobe
[2008/05/23 12:43:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\AdobeUM
[2008/05/24 18:04:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Apple Computer
[2009/04/08 18:52:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\AVG8
[2009/04/11 23:00:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\AVGTOOLBAR
[2009/04/18 00:45:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Azureus
[2009/04/19 22:30:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\GenStat
[2008/02/15 18:35:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Google
[2007/08/29 18:27:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Help
[2007/01/27 06:14:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Identities
[2008/01/28 01:17:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\InstallShield
[2007/04/24 15:27:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\InterVideo
[2007/04/24 23:11:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Leadertech
[2007/04/24 16:02:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Macromedia
[2009/04/17 19:07:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Malwarebytes
[2009/02/23 23:32:46 | 00,000,000 | --SD | M] -- C:\Documents and Settings\richard trevor\Application Data\Microsoft
[2009/04/18 15:45:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\PC Tools
[2007/01/27 06:14:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\SampleView
[2007/04/24 23:13:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Sonic
[2007/04/24 15:53:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\Sun
[2008/03/04 16:14:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\ubi.com
[2008/12/08 21:39:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\richard trevor\Application Data\WinRAR
[2009/04/23 22:45:07 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/04 09:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/04/26 02:34:45 | 00,000,456 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure Program Check.job
[2009/04/17 01:08:16 | 00,000,390 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure.job
[2009/04/26 02:34:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >


Extras

OTListIt Extras logfile created on: 26/04/2009 02:52:57 - Run 2
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\richard trevor\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

503.36 Mb Total Physical Memory | 176.82 Mb Available Physical Memory | 35.13% Memory free
1.20 Gb Paging File | 0.54 Gb Available in Paging File | 45.24% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.48 Gb Total Space | 2.83 Gb Free Space | 5.61% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 5.41 Gb Total Space | 0.44 Gb Free Space | 8.06% Space Free | Partition Type: NTFS
Drive F: | 15.05 Gb Total Space | 10.28 Gb Free Space | 68.30% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC622264192296
Current User Name: richard trevor
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 60 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\WINDOWS\system32\shell32.DLL (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\system32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\system32\ieframe.DLL (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\system32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
[2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
[2006/11/13 14:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2006/10/09 19:23:06 | 00,697,976 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler
[2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
[2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
[2006/11/13 14:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/07/30 10:47:50 | 20,252,968 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2009/04/08 19:36:41 | 01,057,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2009/04/08 19:36:49 | 00,594,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{18455581-e099-4ba8-bc6b-f34b2f06600c}" = Google Toolbar for Internet Explorer
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{2227E1FA-01F5-483C-AB0E-2A308E900B3D}" = InterVideo FilterSDK for Hauppauge
"{2318c2b1-4965-11d4-9b18-009027a5cd4f}" = Google Toolbar for Internet Explorer
"{26a24ae4-039d-4ca4-87b4-2f83216013ff}" = Java™ 6 Update 13
"{29031977-EF5E-446E-B3E1-E66B6FA3895D}" = SCRABBLE® 2005 EDITION
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.10 A2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AEBFEEE-3345-430C-AD1D-865AD7C3DEA1}" = Exerciser Revision Tool
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}" = iTunes
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager Installer
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 G2
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support
"{4C234785-E7EE-44E7-8277-92AAED2D8801}" = BlackBerry Service for PocketPC 4.0
"{556F2137-B772-43BB-9A45-E0275234DD16}" = Free Notes & Office Ink
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AF6BFD2-D368-4F81-9B82-D3B1414351C8}" = Power Presenter RE
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76C8A611-8059-44EB-8513-C86A6B3A9C5F}" = Mathcad 2001i Professional
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7AE99502-ABB3-45F6-BC0C-73169A3BAF08}" = GenStat 10th Edition
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{929AB598-BB08-4875-B8D2-952C151D6E47}" = HP User Guides 0038
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AEDDF5A3-29CE-11D5-A8C2-000102246AAE}" = ubi.com
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{C2CC8C1F-D5C4-4751-86B2-0EE04C601651}" = BlackBerry Connect Desktop for Windows Mobile
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}" = Safari
"{CA47A854-2BA9-498F-97EE-D8FBECF0BA79}" = MyInk
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DB8CEC42-30B1-4F49-BD06-9393EB81CCF7}" = SPSS 13.0 for Windows
"{DE4A7830-7480-425C-8330-699C30FD8C66}" = PHM Registry Editor
"{E0DBC47C-ED3F-4A1B-A929-9A26DAAA14B3}" = Application Installer 4.00.B5
"{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}" = Windows Media Connect
"3 USB Modem" = 3 USB Modem
"3D Sea Aquarium_is1" = 3D Sea Aquarium
"7-Zip" = 7-Zip 4.57
"activescan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"AVG8Uninstall" = AVG 8.5
"Avi Player" = Avi Player
"CloneDVD2" = CloneDVD2
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_30C4103C" = Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ffdshow_is1" = ffdshow [rev 918] [2007-02-12]
"FotoSketcher_is1" = FotoSketcher - Version 1.8
"Full Pack" = Full Pack Codecs
"Hauppauge English Help Files and Resources" = Hauppauge English Help Files and Resources
"Hauppauge WinTV Scheduler" = Hauppauge WinTV Scheduler
"Hauppauge WinTV Soft PVR" = Hauppauge WinTV Soft PVR
"Hauppauge WinTV2000" = Hauppauge WinTV2000
"hijackthis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{76C8A611-8059-44EB-8513-C86A6B3A9C5F}" = Mathcad 2001i Professional
"InstallShield_{7AE99502-ABB3-45F6-BC0C-73169A3BAF08}" = GenStat 10th Edition
"InstallShield_{C2CC8C1F-D5C4-4751-86B2-0EE04C601651}" = BlackBerry Connect Desktop for Windows Mobile
"Interwise Participant" = Interwise Participant
"M248 Data files" = M248 Data files
"M248 SUStats" = M248 SUStats
"M249 CD-ROM 1" = M249 CD-ROM 1
"M249 CD-ROM 2" = M249 CD-ROM 2
"M346 Data files and GenStat 10" = M346 Data files and GenStat 10
"malwarebytes' anti-malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MinitabDeinstKeySV" = Minitab Student Release 12
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Online Manuals for WinTV (English)" = Online Manuals for WinTV (English)
"PROSet" = Intel® PRO Network Connections Drivers
"regcure" = RegCure 1.5.2.7
"registry mechanic_is1" = Registry Mechanic 8.0
"Rmtablet" = USB Tablet Manager
"Spb Diary" = Spb Diary
"Spb Mobile Shell" = Spb Mobile Shell
"Spb Pocket PC Tips And Tricks" = Spb Pocket PC Tips And Tricks
"Spb Pocket Plus" = Spb Pocket Plus
"Spb Traveler" = Spb Traveler
"Spb Weather" = Spb Weather
"spyware doctor" = Spyware Doctor 6.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"T851 The Information Systems Toolkit" = T851 The Information Systems Toolkit
"tweak ui 2.10" = Tweak UI
"Vuze" = Vuze
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Connect" = Windows Media Connect
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"Zattoo" = Zattoo 3.3.1 Beta

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

and checkup

sorry should have been end of last post

checkup log

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Enabled!
AVG8.5
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Spyware Doctor 6.0
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 13
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````
GREAT! (Very random)

Scan took 39 seconds.
`````````End of Log```````````


Thanks

Richard

Hello Richard,

Do the following, which will consist of one new run of Avenger, a Gooredfix run to help fix the hijack issue, and e new run of MBAM to check things once more.

• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  
  CODE
  Drivers to delete:
  ovfsthxqbrfqjrw
  9a063706
  
  Files to delete:
  c:\windows\system32\drivers\ovfsthxqbrfqjrw.sys
  C:\WINDOWS\System32\drivers\9a063706.sys
  
  Folders to delete:
  C:\recycler
  D:\recycler
  e:\recycler
  f:\recycler
  g:\recycler
  h:\recycler
• In the avenger window, click the Paste Script from Clipboard icon, button.
• :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
=

Please download GooredFix and save it to your Desktop.
Now double-click Goored.exe on your Desktop to run it.
Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
=

Then, next, get and run FixIEDef:

Use this URL to Download the latest version, and SAVE it to your Desktop !
http://downloads.malwareteks.com/FixIEDef.exe

Double click FixIEdef.exe on your Desktop to start it.
Click OK when you get the 1st FixIEDef window.

Next, at 2nd message-window, press SCAN button.

Click OK when you see a FixIEDef alert window.
Let it scan the file system and the resgistry. Do not touch keyboard or mouse while utility is running.

Click Exit once FixIEDef displays the !!! All Finished message !!! window.

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

Click Exit once FixIEDef displays the All Finished message.

Post the FixIEDef log file, located on the Desktop.
=


Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2043 or later.

When done, click the Scanner tab.
Do a Quick Scan.

Reply with a copy of C:\Avenger.txt
Goored.txt
the FixIEDef log file
and the new MBAM scan log
and advise, How is your system now ?

Hi Maurice

System seems stable but Spydoctor warned of TrojanAgent!sd6 on first booting up. Ran the suggested programs and again tried Ebay and National Rail websites and AVG warned of three tracking cookies - atdmt, doubleclick and mediaplex which it associated witn process C:\ Program Files\Spyware Doctor\pcts svc.exe. Logs were

Avenger

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxqbrfqjrw" not found!
Deletion of driver "ovfsthxqbrfqjrw" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "9a063706" deleted successfully.

Error: file "c:\windows\system32\drivers\ovfsthxqbrfqjrw.sys" not found!
Deletion of file "c:\windows\system32\drivers\ovfsthxqbrfqjrw.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\System32\drivers\9a063706.sys" deleted successfully.

Error: folder "C:\recycler" not found!
Deletion of folder "C:\recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open folder "D:\recycler"
Deletion of folder "D:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Folder "e:\recycler" deleted successfully.

Error: could not open folder "f:\recycler"
Deletion of folder "f:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\recycler"
Deletion of folder "g:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.

Goored

GooredFix v1.92 by jpshortstuff
Log created at 00:36 on 27/04/2009 running Option #2 (richard trevor)
Firefox version [Unable to determine]
(Subsequent Run)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

FixEDef

********************************************************************************
* *
* FixIEDef Log *
* Version 1.7.22.7514 *
* *
********************************************************************************

Created at 00:45:56 on Monday, April 27, 2009

Time Zone : (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London

Logged On User : richard trevor

Operating System : Microsoft Windows XP Home Edition Service Pack 3
OS Architecture : X86
System Langauge : English (United States)
Keyboard Layout : English (United States)
Processor : X86 Intel® Pentium® M processor 2.26GHz

System Drive : C:\
Windows Directory : C:\WINDOWS
System Directory : C:\WINDOWS\system32

System Drive Type : Fixed
System Drive Status : READY
System Drive Label :
System Drive Size : 51.69 GB
System Drive Free : 2.83 GB

Total Physical Memory: 503 MB
Free Physical Memory : 183 MB
Total Page File : 503 MB
Free Page File : 528 MB
Total Virtual Memory : 2048 MB
Free Virtual Memory : 1958 MB

Boot State : Normal boot

--------------------------------------------------------------------------------

!!! userinit.exe is Clean !!!

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

No malicious files found

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done

ShadowPuterDude

Safe Surfing!!!

and finally MBAM

Malwarebytes' Anti-Malware 1.36
Database version: 2046
Windows 5.1.2600 Service Pack 3

27/04/2009 01:02:56
mbam-log-2009-04-27 (01-02-56).txt

Scan type: Quick Scan
Objects scanned: 80384
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks again

Richard

Cookies are not malware. They are an annoyance, but not malware.
I'd like for you to do this one next procedure, and afterwards, in next round, we'll remove the tools I had you use.
These are removals of traces of some rootkits that have already been deleted.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

• :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the C:\Combofix.txt

Hi Maurice

Combofix log

ComboFix 09-04-25.A3 - richard trevor 27/04/2009 2:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.216 [GMT 1:00]
Running from: c:\documents and settings\richard trevor\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\richard trevor\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\System32\drivers\b2ac14b6.sys
c:\windows\system32\drivers\ovfsthxqbrfqjrw.sys
c:\windows\system32\drivers\ovfsthxtmovdlya.sys
.

((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-26 23:45 . 2009-04-26 23:45 -------- d-----w C:\ERDNT
2009-04-26 23:45 . 2009-04-26 23:45 -------- d-----w c:\windows\ERUNT
2009-04-26 23:44 . 2009-04-26 23:44 -------- d-----w C:\!FixIEDef
2009-04-23 05:56 . 2009-04-23 05:56 -------- d-sh--w c:\documents and settings\richard trevor\UserData
2009-04-22 01:17 . 2009-04-24 00:25 -------- d-----w C:\DCE
2009-04-20 21:51 . 2009-04-20 21:51 -------- d-----w c:\documents and settings\richard trevor\DoctorWeb
2009-04-20 21:44 . 2009-04-20 21:47 -------- d-----w c:\documents and settings\Administrator
2009-04-20 21:33 . 2009-04-20 21:33 -------- d-sha-r C:\autorun.inf
2009-04-20 21:31 . 2003-06-25 15:05 266360 ----a-w c:\windows\system32\TweakUI.exe
2009-04-20 21:31 . 2002-06-21 14:09 160217 ----a-w c:\windows\system32\PowerToysLicense.rtf
2009-04-19 21:43 . 2009-04-19 21:43 -------- d-----w C:\_OTListIt
2009-04-18 19:49 . 2009-04-18 19:49 -------- d-----w c:\program files\Trend Micro
2009-04-18 14:45 . 2008-12-11 07:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-18 14:45 . 2009-04-20 21:38 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-18 14:45 . 2008-12-18 11:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-18 14:45 . 2009-04-27 01:46 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-18 14:45 . 2009-04-18 14:49 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-18 14:45 . 2008-12-10 11:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-18 14:45 . 2009-04-25 08:58 -------- d-----w c:\program files\Spyware Doctor
2009-04-18 14:45 . 2009-04-18 14:45 -------- d-----w c:\documents and settings\richard trevor\Application Data\PC Tools
2009-04-18 14:45 . 2009-04-18 14:45 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-17 18:45 . 2009-04-17 18:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-17 18:07 . 2009-04-17 18:07 -------- d-----w c:\documents and settings\richard trevor\Application Data\Malwarebytes
2009-04-17 18:07 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 18:07 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 18:07 . 2009-04-17 18:07 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 18:07 . 2009-04-20 23:27 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 00:25 . 2008-06-19 15:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-17 00:24 . 2009-04-17 00:24 -------- d-----w c:\program files\Panda Security
2009-04-17 00:08 . 2009-04-17 00:08 -------- d-----w c:\program files\RegCure
2009-04-16 23:59 . 2009-04-16 23:59 -------- d-----w c:\documents and settings\richard trevor\Local Settings\Application Data\Downloaded Installations
2009-04-16 18:12 . 2009-04-16 18:12 56368 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-16 02:05 . 2009-04-16 02:05 206 ----a-w c:\windows\system32\MRT.INI
2009-04-15 21:10 . 2009-04-15 21:10 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-15 20:28 . 2009-04-15 20:28 167936 ----a-w c:\documents and settings\richard trevor\zuBXEbqudoy.exe
2009-04-15 18:35 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 18:35 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 18:35 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 18:35 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 18:35 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 18:35 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 18:35 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 18:35 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 18:35 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 18:35 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 18:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 18:32 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 18:32 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 21:22 . 2009-04-10 21:22 -------- d-----w c:\documents and settings\richard trevor\New Folder
2009-04-10 11:10 . 2009-04-27 00:16 -------- d--h--w C:\$AVG8.VAULT$
2009-04-08 18:37 . 2009-04-08 18:37 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-08 18:37 . 2009-04-08 18:37 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-08 18:37 . 2009-04-08 18:37 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-08 18:37 . 2009-04-26 23:25 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-08 18:36 . 2009-04-11 22:00 -------- d-----w c:\documents and settings\richard trevor\Application Data\AVGTOOLBAR
2009-04-08 18:36 . 2009-04-08 18:36 -------- d-----w c:\program files\AVG
2009-04-08 18:36 . 2009-04-17 17:33 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-08 17:52 . 2009-04-08 17:52 -------- d-----w c:\documents and settings\richard trevor\Application Data\AVG8
2009-03-29 21:16 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\richard trevor\Application Data\GenStat
2009-03-29 20:54 . 2009-03-29 20:54 -------- d-----w c:\program files\Common Files\VSN International
2009-03-29 20:52 . 2009-03-29 20:54 -------- d-----w c:\program files\Gen10ed
2009-03-29 20:45 . 2009-03-29 20:56 -------- d-----w c:\program files\M346
2009-03-28 14:33 . 2007-02-12 19:21 547 ----a-w c:\windows\system32\ff_vfw.dll.manifest
2009-03-28 14:33 . 2007-02-12 19:21 10752 ----a-w c:\windows\system32\ff_vfw.dll
2009-03-28 14:33 . 2009-03-28 14:33 -------- d-----w c:\program files\ffdshow
2009-03-28 14:31 . 2009-03-28 14:31 36 ---h--w c:\windows\system32\swk.ini
2009-03-28 14:31 . 2009-03-29 14:12 -------- d-----w c:\program files\Avi Player
2009-03-28 14:26 . 2009-03-28 14:26 -------- d-----w c:\program files\Full Pack Codecs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 23:33 . 2009-04-26 23:33 4060 ----a-w C:\avenger.txt
2009-04-22 00:34 . 2007-01-27 05:32 -------- d-----w c:\program files\Java
2009-04-22 00:34 . 2007-01-27 05:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 23:45 . 2008-12-07 20:28 -------- d-----w c:\documents and settings\richard trevor\Application Data\Azureus
2009-04-08 18:31 . 2007-01-27 05:47 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-27 21:41 . 2004-08-07 13:10 81983 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-27 21:15 . 2002-08-29 07:00 250048 --sha-r C:\ntldr
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-12 00:56 . 2008-12-07 20:27 -------- d-----w c:\program files\Vuze
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2007-01-04 13:37 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 19:27 . 2008-03-06 19:49 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-28 04:54 . 2007-08-13 18:43 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2009-03-26 19:53 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2007-08-13 18:39 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2007-08-13 17:56 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2007-04-24 22:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-23 20:00 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2007-04-24 22:50 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-23 20:00 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 18:02 . 2004-08-04 08:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-23 20:00 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2004-08-04 08:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-23 20:00 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-23 20:00 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-04 08:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-12-07 20:29 . 2007-06-01 23:41 67392 ----a-w c:\documents and settings\richard trevor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-27 05:52 . 2007-04-24 23:11 128 ----a-w c:\documents and settings\richard trevor\Local Settings\Application Data\fusioncache.dat
2007-04-24 18:36 . 2007-04-24 18:36 56 --sha-w c:\windows\SMINST\hpboot.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_01.37.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-27 01:43 . 2009-04-27 01:43 16384 c:\windows\temp\Perflib_Perfdata_71c.dat
+ 2008-12-25 03:47 . 2005-10-20 16:00 157696 c:\windows\ERUNT\ERUNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-19 114688]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-04-06 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-08 1932568]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-17 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-4-25 184320]
My Ink Resident.lnk - c:\program files\MyInk\My Ink Resident.exe [2008-12-5 36864]
Push Client.LNK - c:\program files\Interwise\Participant\pull.exe [2008-5-1 843776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-08 18:37 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ rmvirut.nt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-06 33752]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-20 130936]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-08 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-08 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
S2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S2 WTService;WTService;c:\windows\system32\atwtusb.exe [2007-08-17 364192]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76038e50-9773-11dc-acbf-0016d4e826c2}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76038e51-9773-11dc-acbf-0016d4e826c2}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8182d850-8f6f-11dc-acb1-0016d4e826c2}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8182d854-8f6f-11dc-acb1-0016d4e826c2}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-04-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-26 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 02:45
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????]??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1168)
c:\program files\Spyware Doctor\pctgmhk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-27 2:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 01:54
ComboFix2.txt 2009-04-26 01:41
ComboFix3.txt 2009-04-19 12:13

Pre-Run: 2,926,120,960 bytes free
Post-Run: 3,058,720,768 bytes free

267 --- E O F --- 2009-04-16 02:06

Thanks again

Richard

Richard,
We have reached the end of the trail now.
Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( you had named it combo-fix !), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

• Click Start, then click Run.
  
  In the command box that opens, type or copy/paste combo-fix /u and then click OK.

• Please double-click OTListIt2.exe to run it.
• Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
• Check in at Windows Update and install any Critical Updates offered.
  
• Download and Install Windows Defender by Microsoft (free) if you do not already have it:
  http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in WinXP:
  http://support.microsoft.com/kb/306525
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  Kaspersky Webscan Online Virus Scanner
  
  ESET Online Scanner
  
  Panda ActiveScan?
  
  Trend Micro Housecall
  
  F-Secure Online Scanner
  
• Read Tony Klein's article How Did I Get Infected In The First Place
  
• Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
  
  Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html

We are finished here. Best regards.

Maurice

Thank you so much for your help with this problem, it really has been appreciated. And thanks for the advice on staying safe, I'll certainly take steps not to let this happen again!

Very best wishes

Richard

You're welcome I'm going to now have this thread closed.