TechSpot

Browser redirects and generic host process terminates

By loketar
Oct 26, 2010
  1. Hi guys, new to the forum. I seem to be having a lot of issues with these browser redirects. I have been reading and have tried several of the suggestions mentioned, but to no avail. So I must turn to the pros. I also have a generic host process that terminates and then reopens a lot. I have pasted the required logs that are requested in the 8-step process. Looking forward to working with you...
    Cheers, Brian

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4855

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    25/10/2010 2:16:50 AM
    mbam-log-2010-10-25 (02-16-50).txt

    Scan type: Quick scan
    Objects scanned: 154588
    Time elapsed: 9 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Brian & Kim\Application Data\hotfix.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
     
  2. loketar

    loketar TS Rookie Topic Starter Posts: 33

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit quick scan 2010-10-25 20:21:30
    Windows 5.1.2600 Service Pack 3
    Running: 9im9j18e.exe; Driver: C:\DOCUME~1\BRIAN&~1\LOCALS~1\Temp\pwtdapod.sys


    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8A396BB8

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Driver\Tcpip \Device\Ip 8960CC00
    Device \Driver\Tcpip \Device\Tcp 8960CC00
    Device \Driver\Tcpip \Device\Udp 8960CC00
    Device \Driver\Tcpip \Device\RawIp 8960CC00
    Device \Device\00000074 -> \??\IDE#DiskMAXTOR_6L060J3__________________________A93.0500#3636323333313133333735352020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Services - GMER 1.0.15 ----

    Service (*** hidden *** ) [BOOT] ucwfs <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/03/2010 7:14:42 PM
    System Uptime: 25/10/2010 8:29:19 PM (0 hours ago)

    Motherboard: http://www.abit.com.tw/ | | NF7-S/NF7,NF7-V (nVidia-nForce2)
    Processor: AMD Athlon(tm) XP | Socket A | 2004/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 56 GiB total, 43.392 GiB free.
    D: is FIXED (NTFS) - 19 GiB total, 12.954 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    H: is CDROM (UDF)
    I: is FIXED (NTFS) - 931 GiB total, 888.534 GiB free.



    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 2 (SP2)
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.0
    ATI Display Driver
    µTorrent
    Avira AntiVir Personal - Free Antivirus
    Brother MFL-Pro Suite
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon MP Navigator EX 2.0
    Canon MP620 series MP Drivers
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    CCleaner
    Creative Audio Console
    Creative Software AutoUpdate
    doubleTwist
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    DVDneXtCOPY
    DVDneXtCOPY3
    ffdshow [rev 2527] [2008-12-19]
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    Hoyle Puzzle & Board Games 2010 (remove only)
    Inkjet Printer/Scanner Extended Survey Program
    Java(TM) 6 Update 16
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Web Publishing Wizard 1.52
    Mozilla Firefox (3.6.11)
    MSVC80_x86
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Nero 7 Ultra Edition
    neroxml
    NVIDIA Drivers
    OLYMPUS Master 2
    PaperPort Image Printer
    PC Suite
    PrintMaster
    RegVac Registry Cleaner 5.01 (Registered Version)
    ScanSoft PaperPort 11
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB980376)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB982135)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB923789)
    Segoe UI
    Shockwave
    T4 Internet - T4 par Internet 10.0
    TOD 012010
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (kb2202131)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB978506)
    Update for Windows Internet Explorer 8 (KB980182)
    WD SmartWare
    WebFldrs XP
    Windows 7 Upgrade Advisor
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    25/10/2010 7:55:06 PM, error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
    25/10/2010 7:55:06 PM, error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
    25/10/2010 7:55:06 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    25/10/2010 7:55:06 PM, error: Service Control Manager [7034] - The Inkjet Printer/Scanner Extended Survey Program service terminated unexpectedly. It has done this 1 time(s).
    25/10/2010 7:55:06 PM, error: Service Control Manager [7034] - The Creative Audio Service service terminated unexpectedly. It has done this 1 time(s).
    25/10/2010 7:55:06 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    25/10/2010 2:19:09 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi PCIIde
    25/10/2010 1:50:53 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    24/10/2010 11:42:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 avgio avipbb Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
    24/10/2010 11:42:53 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    24/10/2010 11:42:53 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/10/2010 11:42:53 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/10/2010 11:42:53 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    24/10/2010 11:42:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    24/10/2010 11:41:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    24/10/2010 11:41:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    24/10/2010 11:25:00 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
    24/10/2010 1:39:38 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    22/10/2010 2:36:28 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    22/10/2010 2:36:28 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    22/10/2010 10:58:31 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    21/10/2010 5:18:09 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\usbser.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.

    ==== End Of File ===========================



    DDS (Ver_10-10-21.02) - NTFSx86
    Run by Brian & Kim at 20:41:32.67 on 25/10/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1535.1072 [GMT -7:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    "C:\WINDOWS\System32\svchost.exe"
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Documents and Settings\Brian & Kim\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ca/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: PodcastBHO Class: {65134fdf-f8a5-4b3d-91d9-cdf273cfd578} - c:\program files\common files\doubletwist\IEPodcastPlugin.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [20090604] c:\program files\common files\datalode\encore\hoyle casino 2010\encore_reg.exe /r "c:\program files\common files\datalode\encore\hoyle casino 2010\encore_reg.rpd"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
    mRun: [Thica] rundll32.exe "c:\windows\ojivehul.dll",Startup
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [YXE7DXCQ37] c:\windows\temp\Djc.exe
    dRun: [Samsung.PCSync] "c:\samsung\samsung pc studio 7\PcSync2.exe" /NoDialog
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: cryptnet32 - cryptnet32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\brian&~1\applic~1\mozilla\firefox\profiles\rba2lgg0.default\
    FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - plugin: c:\program files\common files\doubletwist\NPPodcast.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {89390E67-B894-4AED-B723-13C0B856D393} - c:\documents and settings\brian & kim\local settings\application data\{89390E67-B894-4AED-B723-13C0B856D393}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-23 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-23 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-23 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-23 60936]
    R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-8-4 6656]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-2-26 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-3-17 11520]
    S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [2010-9-16 69120]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-10-23 79360]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-16 36608]
    S3 hwmobilehsn;High Speed USB Modem and USB Serial For Normal;c:\windows\system32\drivers\hwmob01.sys [2010-10-23 106240]
    S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]

    =============== Created Last 30 ================

    2010-10-25 08:57:10 -------- d-----w- c:\windows\peernet
    2010-10-25 06:24:58 762880 ----a-w- c:\windows\system32\drivers\ucwfs.sys
    2010-10-24 05:04:51 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-24 05:03:32 -------- d-----w- c:\docume~1\brian&~1\applic~1\Avira
    2010-10-24 04:58:18 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-24 04:58:18 -------- d-----w- c:\program files\Avira
    2010-10-24 04:58:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-10-23 23:46:24 -------- d-----w- c:\program files\common files\Creative Labs Shared
    2010-10-23 07:58:17 106240 ----a-r- c:\windows\system32\drivers\hwmob01.sys
    2010-10-22 00:31:18 -------- d-----w- c:\docume~1\brian&~1\locals~1\applic~1\doubleTwist_Corporation
    2010-10-22 00:15:02 -------- d-----w- c:\docume~1\brian&~1\locals~1\applic~1\doubleTwist Corporation
    2010-10-22 00:14:57 -------- d-----w- c:\program files\common files\doubleTwist
    2010-10-22 00:14:56 57344 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-10-22 00:14:55 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
    2010-10-22 00:14:55 -------- d-----w- c:\program files\ffdshow
    2010-10-22 00:14:16 -------- d-----w- c:\program files\doubleTwist 2.0
    2010-10-22 00:13:01 -------- d-----w- C:\PC Suite
    2010-10-18 00:26:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Samsung
    2010-10-17 05:03:11 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
    2010-10-17 05:02:40 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
    2010-10-17 05:02:36 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
    2010-10-17 05:02:36 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
    2010-10-17 05:02:36 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
    2010-10-17 01:52:47 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
    2010-10-13 05:25:00 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2010-10-13 05:20:31 23936 ----a-w- c:\windows\system32\drivers\motmodem.sys
    2010-10-13 05:20:31 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
    2010-10-13 05:07:42 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
    2010-10-13 05:07:42 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
    2010-10-13 05:07:14 -------- d-----w- c:\program files\Motorola
    2010-10-13 05:07:14 -------- d-----w- c:\program files\common files\Motorola Shared

    ==================== Find3M ====================

    2010-10-25 09:40:17 0 ----a-w- c:\windows\Dmoqupavidifexe.bin
    2010-10-23 23:45:34 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-10-23 23:45:34 109080 ----a-w- c:\windows\system32\OpenAL32.dll

    ============= FINISH: 20:43:04.21 ===============
     
  3. loketar

    loketar TS Rookie Topic Starter Posts: 33

    I will leave it with you for the night. I will check back when I get home from work tomorrow. Have a gr8 night. If I have left anything out just let me know...
    Cheers for now
     
  4. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :).

    ====

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  5. loketar

    loketar TS Rookie Topic Starter Posts: 33

    Hi ya Crunchie, thanks for getting back to me. Here is the log for ComboFix:

    ComboFix 10-10-25.04 - Brian & Kim 26/10/2010 18:23:07.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1535.1079 [GMT -7:00]
    Running from: c:\documents and settings\Brian & Kim\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Brian & Kim\Local Settings\Application Data\{89390E67-B894-4AED-B723-13C0B856D393}
    c:\documents and settings\Brian & Kim\Local Settings\Application Data\{89390E67-B894-4AED-B723-13C0B856D393}\chrome.manifest
    c:\documents and settings\Brian & Kim\Local Settings\Application Data\{89390E67-B894-4AED-B723-13C0B856D393}\chrome\content\_cfg.js
    c:\documents and settings\Brian & Kim\Local Settings\Application Data\{89390E67-B894-4AED-B723-13C0B856D393}\chrome\content\overlay.xul
    c:\documents and settings\Brian & Kim\Local Settings\Application Data\{89390E67-B894-4AED-B723-13C0B856D393}\install.rdf
    c:\windows\ojivehul.dll
    c:\windows\sgstme.dll
    c:\windows\system32\drivers\oopuhnpkpjv.sys

    c:\windows\system32\drivers\oopuhnpkpjv.sys . . . is infected!! . . . Failed to find a valid replacement.
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_khqlmxop


    ((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
    .

    2010-10-25 08:57 . 2010-10-25 08:57 -------- d-----w- c:\windows\peernet
    2010-10-25 06:30 . 2010-10-25 06:30 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-10-25 06:24 . 2010-10-27 01:35 0 ----a-w- c:\windows\system32\drivers\ucwfs.sys
    2010-10-24 05:04 . 2010-10-25 09:25 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-24 05:03 . 2010-10-24 05:03 -------- d-----w- c:\documents and settings\Brian & Kim\Application Data\Avira
    2010-10-24 04:58 . 2010-10-24 04:58 -------- d-----w- c:\program files\Avira
    2010-10-24 04:58 . 2010-10-24 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-10-24 04:58 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-10-24 04:58 . 2010-02-16 21:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-24 04:58 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-10-24 04:58 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-10-23 23:46 . 2010-10-23 23:46 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
    2010-10-23 07:58 . 2009-07-08 17:12 106240 ----a-r- c:\windows\system32\drivers\hwmob01.sys
    2010-10-22 00:31 . 2010-10-22 00:31 -------- d-----w- c:\documents and settings\Brian & Kim\Local Settings\Application Data\doubleTwist_Corporation
    2010-10-22 00:15 . 2010-10-22 00:31 -------- d-----w- c:\documents and settings\Brian & Kim\Local Settings\Application Data\doubleTwist Corporation
    2010-10-22 00:14 . 2010-10-22 00:14 -------- d-----w- c:\program files\Common Files\doubleTwist
    2010-10-22 00:14 . 2008-12-18 02:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-10-22 00:14 . 2010-10-22 00:14 -------- d-----w- c:\program files\ffdshow
    2010-10-22 00:14 . 2008-12-11 20:26 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
    2010-10-22 00:14 . 2010-10-22 00:14 -------- d-----w- c:\program files\doubleTwist 2.0
    2010-10-22 00:13 . 2010-10-23 07:59 -------- d-----w- C:\PC Suite
    2010-10-18 00:26 . 2010-10-18 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Samsung
    2010-10-17 05:03 . 2008-07-03 00:48 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
    2010-10-17 05:02 . 2010-10-18 00:28 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
    2010-10-17 05:02 . 2009-06-03 16:34 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
    2010-10-17 05:02 . 2009-06-03 16:34 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
    2010-10-17 05:02 . 2009-05-18 17:42 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
    2010-10-17 01:55 . 2010-10-17 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
    2010-10-17 01:55 . 2010-10-17 01:55 -------- d-----w- c:\documents and settings\Brian & Kim\Application Data\PC Suite
    2010-10-17 01:53 . 2010-10-17 01:53 -------- d-----w- c:\program files\DIFX
    2010-10-17 01:52 . 2007-05-02 23:31 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
    2010-10-17 01:51 . 2010-10-17 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
    2010-10-13 05:25 . 2008-03-21 20:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2010-10-13 05:20 . 2009-10-27 19:02 23936 ----a-w- c:\windows\system32\drivers\motmodem.sys
    2010-10-13 05:20 . 2008-03-28 00:49 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
    2010-10-13 05:07 . 2008-04-13 17:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
    2010-10-13 05:07 . 2008-04-13 17:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
    2010-10-13 05:07 . 2010-10-22 00:18 -------- d-----w- c:\program files\Motorola
    2010-10-13 05:07 . 2010-10-13 05:07 -------- d-----w- c:\program files\Common Files\Motorola Shared
    2010-10-13 05:06 . 2010-10-22 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
    2010-10-04 00:28 . 2010-10-04 00:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-23 23:45 . 2010-03-13 09:51 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-10-23 23:45 . 2010-03-13 09:51 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-08-04 21:41 . 2010-08-04 21:41 6656 ----a-w- c:\windows\system32\drivers\iPodDrv.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
    backup=c:\windows\pss\Event Reminder.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
    backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
    backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 11:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
    2009-02-10 18:03 745472 ------r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2008-03-17 16:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2008-03-10 16:20 689488 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
    2007-10-30 22:05 77824 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2009-06-23 18:48 19456 ----a-w- c:\windows\system32\CtHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
    2007-04-09 19:32 19968 ----a-w- c:\windows\system32\Ctxfihlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\doubleTwist]
    2010-09-18 17:57 24576 ----a-w- c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 19:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2007-10-12 02:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2010-04-17 05:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 23:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
    2009-11-26 03:42 54672 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2007-10-12 02:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2006-10-25 16:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-03-14 22:07 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [23/10/2010 9:58 PM 135336]
    R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [04/08/2010 2:41 PM 6656]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [26/02/2010 8:58 AM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 8:58 AM 20480]
    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [23/06/2009 1:34 PM 99352]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [23/06/2009 1:34 PM 555032]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [23/06/2009 1:34 PM 566296]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [17/03/2010 4:45 PM 11520]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [23/06/2009 1:34 PM 99352]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [23/10/2010 4:46 PM 79360]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [23/06/2009 1:34 PM 555032]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [23/06/2009 1:35 PM 100888]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [23/06/2009 1:35 PM 100888]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [23/06/2009 1:34 PM 566296]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [16/10/2010 10:02 PM 36608]
    S3 hwmobilehsn;High Speed USB Modem and USB Serial For Normal;c:\windows\system32\drivers\hwmob01.sys [23/10/2010 12:58 AM 106240]
    S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - ucwfs
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Brian & Kim\Application Data\Mozilla\Firefox\Profiles\rba2lgg0.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - plugin: c:\program files\Common Files\doubleTwist\NPPodcast.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Thica - c:\windows\ojivehul.dll
    HKU-Default-Run-Samsung.PCSync - c:\samsung\Samsung PC Studio 7\PcSync2.exe
    MSConfigStartUp-AutoStartNPSAgent - c:\samsung new pc studio\NPSAgent.exe
    MSConfigStartUp-download - c:\documents and settings\NetworkService\Application Data\download2\svcnost.exe
    MSConfigStartUp-ISTray - c:\spyware doctor\pctsTray.exe
    MSConfigStartUp-Qfesera - c:\windows\sgstme.dll
    MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
    MSConfigStartUp-RegistryMonitor1 - c:\windows\system32\qtplugin.exe
    MSConfigStartUp-Thica - c:\windows\ojivehul.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-26 18:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
    Windows 5.1.2600

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A21DEC5]<<
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A2DB9C0]
    2 nt[0x804E37D5] -> CLASSPNP.SYS[0xF7657FD7] -> \Device\Harddisk0\DR0[0x8A2DB9C0]
    3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000007a[0x8A3732E8]
    4 nt[0x804E37D5] -> ACPI.sys[0xF75AE620] -> \Device\0000007a[0x8A3732E8]
    5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A31E030]
    [0x8A333750] -> IRP_MJ_CREATE -> 0x8A21DEC5
    6 nt[0x804E37D5] -> UNKNOWN[0x8A21DEC8] -> [0x8A31E030]
    error: Read \Device\Ide\IdePort0 The system cannot find the file specified.
    kernel: MBR read successfully
    detected hooks:
    \Device\00000076 -> \??\IDE#DiskMAXTOR_6L060J3__________________________A93.0500#3636323333313133333735352020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    \Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xf7408852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    SecurityProcedure -> ntoskrnl.exe @ 0x8059b445
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    SecurityProcedure -> ntoskrnl.exe @ 0x8059b445
    NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7a37bb0
    PacketIndicateHandler -> NDIS.sys @ 0xf7a44a21
    SendHandler -> NDIS.sys @ 0xf7a2287b
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ucwfs]

    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(720)
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(784)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3212)
    c:\windows\system32\WININET.dll
    c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Creative\Shared Files\CTAudSvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Canon\IJPLM\IJPLMSVC.EXE
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-26 18:39:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-27 01:39

    Pre-Run: 46,484,623,360 bytes free
    Post-Run: 46,362,607,616 bytes free

    - - End Of File - - FF6DC90119196FCF230E21A2C072BC73
     
  6. crunchie

    crunchie Malware Helper Posts: 728

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    File::
    c:\windows\system32\drivers\oopuhnpkpjv.sys
    Driver::
    oopuhnpkpjv
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  7. loketar

    loketar TS Rookie Topic Starter Posts: 33

    Hi again Crunchie,
    Well, I have been trying to get ComboFix to run now for 2 hours. I have copied exactly what you had written and pasted it into ComboFix. It starts out fine up until it reboots the computer, then it will just hang. So I let it sit for about 15 min. the first time, then I had to reset via the front switch. Tried it again, thought I might have messed up something, but I still got the same action with no warnings or errors to report. It will reboot, then it just freezes. So I let it sit for about 2 hrs. on the off chance it was just working, still the same. So I am stuck, not sure what to do now...
    Any help will be greatly appreciated...
    Cheers
     
  8. crunchie

    crunchie Malware Helper Posts: 728

    Let's try another tool then.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  9. loketar

    loketar TS Rookie Topic Starter Posts: 33

    yea it ran

    Hi crunch, that one seemed to run fine. Here are the logs...

    OTL logfile created on: 27/10/2010 8:34:19 PM - Run 1
    OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Brian & Kim\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

    1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 55.91 Gb Total Space | 43.21 Gb Free Space | 77.30% Space Free | Partition Type: NTFS
    Drive D: | 19.14 Gb Total Space | 12.95 Gb Free Space | 67.69% Space Free | Partition Type: NTFS
    Drive H: | 446.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive I: | 930.86 Gb Total Space | 888.53 Gb Free Space | 95.45% Space Free | Partition Type: NTFS

    Computer Name: OFFICE | User Name: Brian & Kim | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/10/27 20:31:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\OTL.exe
    PRC - [2010/02/26 08:58:40 | 000,110,592 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    PRC - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    PRC - [2009/02/14 16:29:14 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/01/22 01:35:52 | 000,103,808 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/10/27 20:31:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\OTL.exe


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\ComboFix\PEV.cfx -- (PEVSystemStart)
    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010/10/23 16:46:24 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
    SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Disabled | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010/02/26 08:58:40 | 000,110,592 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
    SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Disabled | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe -- (WDSmartWareBackgroundService)
    SRV - [2009/02/14 16:29:14 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
    SRV - [2008/01/22 01:35:52 | 000,103,808 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
    SRV - [2007/06/29 20:16:56 | 000,800,040 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Nero 7\Nero BackItUp\NBService.exe -- (NBService)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\pccsmcfd.sys -- (pccsmcfd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ivusb.sys -- (ivusb)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTSBLFX.DLL -- (CTSBLFX.DLL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTERFXFX.DLL -- (CTERFXFX.DLL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTAUDFX.DLL -- (CTAUDFX.DLL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\COMMONFX.DLL -- (COMMONFX.DLL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\BRIAN&~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/08/04 14:41:04 | 000,006,656 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\iPodDrv.sys -- (iPodDrv)
    DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2009/10/27 12:02:14 | 000,023,936 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
    DRV - [2009/07/08 10:12:06 | 000,106,240 | R--- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hwmob01.sys -- (hwmobilehsn)
    DRV - [2009/06/23 13:38:26 | 000,189,464 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
    DRV - [2009/06/23 13:38:16 | 000,162,840 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
    DRV - [2009/06/23 13:38:06 | 000,798,744 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
    DRV - [2009/06/23 13:37:54 | 000,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
    DRV - [2009/06/23 13:37:32 | 000,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
    DRV - [2009/06/23 13:37:22 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
    DRV - [2009/06/23 13:37:10 | 000,127,512 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
    DRV - [2009/06/23 13:36:36 | 000,347,080 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
    DRV - [2009/06/23 13:36:24 | 000,528,408 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
    DRV - [2009/06/23 13:36:14 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
    DRV - [2009/06/23 13:35:04 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
    DRV - [2009/06/23 13:35:04 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
    DRV - [2009/06/23 13:34:52 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
    DRV - [2009/06/23 13:34:52 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTSBLFX.sys -- (CTSBLFX)
    DRV - [2009/06/23 13:34:40 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
    DRV - [2009/06/23 13:34:40 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTAUDFX.sys -- (CTAUDFX)
    DRV - [2009/06/23 13:34:30 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
    DRV - [2009/06/23 13:34:30 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COMMONFX.sys -- (COMMONFX)
    DRV - [2009/05/18 10:42:12 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
    DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2009/02/13 11:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
    DRV - [2008/04/13 10:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
    DRV - [2007/04/12 08:10:26 | 000,164,608 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
    DRV - [2007/04/12 08:10:26 | 000,066,816 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
    DRV - [2007/04/12 08:10:24 | 001,317,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
    DRV - [2007/04/12 08:10:22 | 000,323,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
    DRV - [2007/04/12 08:10:22 | 000,128,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
    DRV - [2007/04/12 08:10:20 | 000,280,320 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
    DRV - [2007/04/12 08:10:18 | 000,168,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
    DRV - [2006/02/21 21:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2004/10/15 12:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
    DRV - [2004/06/03 11:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
    DRV - [2004/04/02 16:40:00 | 000,021,760 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
    DRV - [2004/01/29 02:45:50 | 000,093,764 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.736
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/21 16:36:41 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/21 16:36:39 | 000,000,000 | ---D | M]

    [2010/10/16 23:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Mozilla\Extensions
    [2010/10/26 23:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Mozilla\Firefox\Profiles\rba2lgg0.default\extensions
    [2010/10/16 23:23:58 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Brian & Kim\Application Data\Mozilla\Firefox\Profiles\rba2lgg0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/10/26 23:07:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/03/13 11:20:25 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

    O1 HOSTS File: ([2010/10/26 18:33:30 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (PodcastBHO Class) - {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} - C:\Program Files\Common Files\doubleTwist\IEPodcastPlugin.dll (doubleTwist Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O4 - HKLM..\Run: [PPort11reminder] C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe (Nuance Communications, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 64.59.160.13 64.59.160.15 64.59.161.68
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/18 14:12:18 | 000,000,088 | R--- | M] () - H:\autorun.inf -- [ UDF ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/10/27 20:31:22 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\OTL.exe
    [2010/10/27 17:17:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/10/27 17:17:28 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/10/27 17:17:28 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/10/27 17:17:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/10/27 17:17:21 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2010/10/26 22:18:11 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Brian & Kim\Recent
    [2010/10/26 21:23:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Desktop\logs
    [2010/10/26 21:19:39 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/10/26 17:35:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/10/26 17:35:06 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/10/25 19:47:06 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\TFC.exe
    [2010/10/25 01:57:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\peernet
    [2010/10/23 22:04:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
    [2010/10/23 22:03:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Application Data\Avira
    [2010/10/23 21:58:19 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2010/10/23 21:58:18 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010/10/23 21:58:18 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010/10/23 21:58:18 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2010/10/23 21:58:18 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2010/10/23 21:58:18 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2010/10/23 21:58:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2010/10/23 16:46:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Creative Labs Shared
    [2010/10/23 00:58:17 | 000,106,240 | R--- | C] (QUALCOMM Incorporated) -- C:\WINDOWS\System32\drivers\hwmob01.sys
    [2010/10/21 17:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\My Documents\Subscriptions
    [2010/10/21 17:31:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\doubleTwist_Corporation
    [2010/10/21 17:22:06 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2010/10/21 17:15:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\doubleTwist Corporation
    [2010/10/21 17:14:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\doubleTwist
    [2010/10/21 17:14:55 | 000,060,273 | ---- | C] (Open Source Software community project) -- C:\WINDOWS\System32\pthreadGC2.dll
    [2010/10/21 17:14:55 | 000,000,000 | ---D | C] -- C:\Program Files\ffdshow
    [2010/10/21 17:14:16 | 000,000,000 | ---D | C] -- C:\Program Files\doubleTwist 2.0
    [2010/10/21 17:13:01 | 000,000,000 | ---D | C] -- C:\PC Suite
    [2010/10/17 17:26:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Samsung
    [2010/10/16 23:18:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Application Data\Mozilla
    [2010/10/16 22:02:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Samsung_USB_Drivers
    [2010/10/16 22:02:36 | 000,233,472 | ---- | C] (Teruten) -- C:\WINDOWS\System32\FsUsbExService.Exe
    [2010/10/16 22:02:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\My Documents\My NPS Files
    [2010/10/16 18:55:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Suite
    [2010/10/16 18:55:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Application Data\PC Suite
    [2010/10/16 18:53:02 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
    [2010/10/16 18:52:47 | 000,090,624 | ---- | C] (Nokia) -- C:\WINDOWS\System32\nmwcdcls.dll
    [2010/10/16 18:51:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Installations
    [2010/10/12 22:20:31 | 000,023,936 | ---- | C] (Motorola) -- C:\WINDOWS\System32\drivers\motmodem.sys
    [2010/10/12 22:07:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Motorola Shared
    [2010/10/12 22:07:14 | 000,000,000 | ---D | C] -- C:\Program Files\Motorola
    [2010/10/12 22:06:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2010/10/03 17:28:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
    [2009/06/23 11:49:14 | 000,010,752 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

    ========== Files - Modified Within 30 Days ==========

    [2010/10/27 20:35:57 | 000,762,880 | ---- | M] () -- C:\WINDOWS\System32\drivers\ucwfs.sys
    [2010/10/27 20:31:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\OTL.exe
    [2010/10/27 19:33:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/10/27 19:32:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/10/27 17:14:21 | 000,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:14:21 | 000,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:14:21 | 000,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:14:21 | 000,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:14:21 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:01:25 | 000,000,211 | RHS- | M] () -- C:\boot.ini
    [2010/10/26 18:33:30 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/10/26 17:26:44 | 003,886,890 | R--- | M] () -- C:\Documents and Settings\Brian & Kim\Desktop\ComboFix.exe
    [2010/10/26 15:36:39 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Xriqecofe.dat
    [2010/10/26 00:00:50 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Dmoqupavidifexe.bin
    [2010/10/25 22:16:10 | 000,079,872 | ---- | M] () -- C:\WINDOWS\MBR.exe
    [2010/10/25 20:37:04 | 000,545,280 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Desktop\dds.scr
    [2010/10/25 20:14:31 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Desktop\9im9j18e.exe
    [2010/10/25 19:47:06 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\TFC.exe
    [2010/10/25 01:34:47 | 000,000,010 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Application Data\install
    [2010/10/24 23:38:52 | 003,162,278 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.CDF
    [2010/10/24 23:22:26 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/10/24 17:33:11 | 000,017,745 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\My Documents\A wild night.docx
    [2010/10/23 21:58:34 | 000,001,741 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/10/23 16:45:34 | 000,444,952 | ---- | M] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
    [2010/10/23 01:24:26 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\default.pls
    [2010/10/23 01:24:21 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2010/10/21 22:32:51 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/10/21 17:31:25 | 000,000,127 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
    [2010/10/21 17:14:57 | 000,001,780 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\doubleTwist.lnk
    [2010/10/21 17:14:57 | 000,001,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\doubleTwist.lnk
    [2010/10/21 17:13:14 | 000,000,556 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Suite.lnk
    [2010/10/21 16:38:55 | 000,000,426 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
    [2010/10/19 15:31:35 | 000,435,568 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/10/19 15:31:35 | 000,068,272 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/10/18 18:56:35 | 000,012,708 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\My Documents\French project paragraphs.docx
    [2010/10/17 22:51:12 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\housecall.guid.cache
    [2010/10/16 23:18:12 | 000,001,654 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2010/10/16 23:18:12 | 000,001,636 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/10/16 22:02:18 | 000,002,528 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Application Data\$_hpcst$.hpc
    [2010/10/15 16:51:40 | 000,000,074 | ---- | M] () -- C:\WINDOWS\ImportClient.INI
    [2010/10/12 22:25:04 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motmodem_01007.Wdf
    [2010/10/12 22:25:03 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

    ========== Files Created - No Company Name ==========

    [2010/10/27 17:17:28 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/10/27 17:17:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/10/27 17:17:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/10/27 17:17:28 | 000,079,872 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/10/27 17:17:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/10/26 17:26:43 | 003,886,890 | R--- | C] () -- C:\Documents and Settings\Brian & Kim\Desktop\ComboFix.exe
    [2010/10/25 20:37:04 | 000,545,280 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Desktop\dds.scr
    [2010/10/25 20:14:30 | 000,294,912 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Desktop\9im9j18e.exe
    [2010/10/25 01:34:47 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Application Data\install
    [2010/10/24 23:24:58 | 000,762,880 | ---- | C] () -- C:\WINDOWS\System32\drivers\ucwfs.sys
    [2010/10/24 17:13:18 | 000,017,745 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\My Documents\A wild night.docx
    [2010/10/23 21:58:34 | 000,001,741 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/10/23 16:47:58 | 000,027,408 | ---- | C] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/23 16:47:58 | 000,027,408 | ---- | C] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/23 16:47:58 | 000,011,564 | ---- | C] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/23 16:45:47 | 003,162,278 | ---- | C] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.CDF
    [2010/10/21 21:53:20 | 000,245,328 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/10/21 17:31:25 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
    [2010/10/21 17:14:57 | 000,001,780 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\doubleTwist.lnk
    [2010/10/21 17:14:57 | 000,001,762 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\doubleTwist.lnk
    [2010/10/21 17:14:56 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2010/10/21 17:13:14 | 000,000,556 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Suite.lnk
    [2010/10/18 18:50:47 | 000,012,708 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\My Documents\French project paragraphs.docx
    [2010/10/17 22:51:12 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\housecall.guid.cache
    [2010/10/16 23:18:12 | 000,001,654 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2010/10/16 23:18:12 | 000,001,636 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/10/16 22:02:36 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
    [2010/10/16 22:02:36 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
    [2010/10/16 22:02:18 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Application Data\$_hpcst$.hpc
    [2010/10/12 22:25:04 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motmodem_01007.Wdf
    [2010/10/12 22:25:03 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    [2010/05/01 18:14:39 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
    [2010/05/01 18:11:23 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
    [2010/05/01 18:09:19 | 000,031,567 | ---- | C] () -- C:\WINDOWS\maxlink.ini
    [2010/03/14 13:27:12 | 000,000,074 | ---- | C] () -- C:\WINDOWS\ImportClient.INI
    [2010/03/14 13:10:37 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\PretzelSpellCheck.dll
    [2010/03/14 13:10:36 | 000,745,472 | ---- | C] () -- C:\WINDOWS\System32\PMAppBuilder.dll
    [2010/03/14 13:10:36 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\PMovieServer.dll
    [2010/03/13 16:16:14 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2010/03/13 13:09:27 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/03/13 12:36:18 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
    [2010/03/12 11:34:28 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2009/06/23 12:29:50 | 000,049,719 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
    [2009/06/23 12:29:48 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
    [2009/06/23 11:51:00 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
    [2007/10/25 17:26:10 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2007/08/13 20:45:02 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
    [2007/04/12 09:10:28 | 000,105,728 | ---- | C] () -- C:\WINDOWS\System32\APOMgrH.dll
    [2006/10/02 17:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini

    ========== LOP Check ==========

    [2010/10/21 17:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2010/03/13 12:44:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
    [2010/03/13 12:53:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
    [2010/09/13 16:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
    [2010/03/13 12:53:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenu
    [2010/10/16 18:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
    [2010/10/16 18:55:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
    [2010/10/17 17:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Samsung
    [2010/05/02 11:35:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
    [2010/10/25 02:51:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/03/12 20:31:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
    [2010/03/18 16:37:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Hoyle FaceCreator
    [2010/10/26 16:14:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Hoyle Puzzle and Board Games
    [2010/10/16 18:55:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\PC Suite
    [2010/10/16 21:56:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\uTorrent
    [2010/03/17 16:45:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Western Digital
    [2010/03/17 16:45:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Western DigitalTemp

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2010/03/13 02:06:24 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
    [2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
    [2010/03/13 02:06:24 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
    [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
    [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
    [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

    < MD5 for: ATAPI.SYS >
    [2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2010/03/13 02:06:24 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
    [2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
    [2010/03/13 02:06:24 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
    [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\Qoobox\32788R22FWJFW\atapi.sys
    [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
    [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
    [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
    [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
    [2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
    [2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

    < MD5 for: NVATABUS.SYS >
    [2004/06/03 11:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) MD5=46DEED4C6C5FA765F9A2C723BE60348D -- C:\Qoobox\32788R22FWJFW\nvatabus.sys
    [2004/06/03 11:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) MD5=46DEED4C6C5FA765F9A2C723BE60348D -- C:\WINDOWS\system32\drivers\nvatabus.sys

    < MD5 for: SCECLI.DLL >
    [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
    [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
    [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >
    [2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
    [2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

    < %systemroot%\System32\config\*.sav >
    [2010/03/12 11:32:29 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2010/03/12 11:32:29 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2010/03/12 11:32:29 | 000,425,984 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

    < End of report >
     
  10. loketar


    OTL Extras logfile created on: 27/10/2010 8:34:19 PM - Run 1
    OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Brian & Kim\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

    1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 55.91 Gb Total Space | 43.21 Gb Free Space | 77.30% Space Free | Partition Type: NTFS
    Drive D: | 19.14 Gb Total Space | 12.95 Gb Free Space | 67.69% Space Free | Partition Type: NTFS
    Drive H: | 446.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive I: | 930.86 Gb Total Space | 888.53 Gb Free Space | 95.45% Space Free | Partition Type: NTFS

    Computer Name: OFFICE | User Name: Brian & Kim | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 1
    "FirewallDisableNotify" = 1
    "UpdatesDisableNotify" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\uTorrent\uTorrent.exe" = C:\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP620_series" = Canon MP620 series MP Drivers
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 16
    "{2A304FDE-F4E3-446D-AA0D-31425C897B71}" = PrintMaster
    "{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
    "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{45FCADDB-0B29-457E-83A1-D245C62A716C}" = OLYMPUS Master 2
    "{46E1B1F2-A279-4356-9B17-029F9CC72EAE}" = Brother MFL-Pro Suite
    "{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
    "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7A8FF745-BBC5-482B-88E4-18D3178249A9}" = ScanSoft PaperPort 11
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
    "{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
    "{BF26E713-43CD-43AD-AF28-A905C1E26D8C}" = DVDneXtCOPY3
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Ultra Edition
    "{D44A38DD-6F9A-4F12-ADA9-4C79BC71ECD0}" = WD SmartWare
    "{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "ATI Display Driver" = ATI Display Driver
    "AudioCS" = Creative Audio Console
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
    "Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
    "CANONIJPLM100" = Inkjet Printer/Scanner Extended Survey Program
    "CanonMyPrinter" = Canon Utilities My Printer
    "CanonSolutionMenu" = Canon Utilities Solution Menu
    "CCleaner" = CCleaner
    "Creative Software AutoUpdate" = Creative Software AutoUpdate
    "doubleTwist" = doubleTwist
    "DVD Decrypter" = DVD Decrypter (Remove Only)
    "DVD Shrink_is1" = DVD Shrink 3.2
    "DVDneXtCOPY" = DVDneXtCOPY
    "Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
    "Hoyle Puzzle & Board Games 2010" = Hoyle Puzzle & Board Games 2010 (remove only)
    "ie8" = Windows Internet Explorer 8
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.11)" = Mozilla Firefox (3.6.11)
    "MP Navigator EX 2.0" = Canon MP Navigator EX 2.0
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NVIDIA Drivers" = NVIDIA Drivers
    "PC Suite" = PC Suite
    "RegVac Registry Cleaner (Registered Version)_is1" = RegVac Registry Cleaner 5.01 (Registered Version)
    "Shockwave" = Shockwave
    "T4 Internet - T4 par Internet 10.0" = T4 Internet - T4 par Internet 10.0
    "TOD 012010" = TOD 012010
    "Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    "WebPost" = Microsoft Web Publishing Wizard 1.52
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "uTorrent" = µTorrent

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 07/09/2010 8:12:43 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 07/09/2010 8:12:43 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 07/09/2010 8:12:43 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 07/09/2010 8:12:43 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 08/09/2010 3:34:45 AM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 08/09/2010 7:55:17 AM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 08/09/2010 12:15:48 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 08/09/2010 8:20:52 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 08/09/2010 8:20:53 PM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 09/09/2010 12:41:31 AM | Computer Name = OFFICE | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    [ System Events ]
    Error - 27/10/2010 7:26:45 PM | Computer Name = OFFICE | Source = Ftdisk | ID = 262189
    Description = The system could not sucessfully load the crash dump driver.

    Error - 27/10/2010 7:26:45 PM | Computer Name = OFFICE | Source = Ftdisk | ID = 262193
    Description = Configuring the Page file for crash dump failed. Make sure there is
    a page file on the boot partition and that is large enough to contain all physical
    memory.

    Error - 27/10/2010 7:38:44 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 27/10/2010 7:39:15 PM | Computer Name = OFFICE | Source = WMPNetworkSvc | ID = 866312
    Description = A new media server was not initialized because WMCreateDeviceRegistration()
    encountered error '0xc00d2711'. The Windows Media DRM components on your computer
    might be corrupted. Verify that protected files play correctly in Windows Media
    Player, and then restart the WMPNetworkSvc service.

    Error - 27/10/2010 7:39:15 PM | Computer Name = OFFICE | Source = WMPNetworkSvc | ID = 866312
    Description = A new media server was not initialized because WMCreateDeviceRegistration()
    encountered error '0xc00d2711'. The Windows Media DRM components on your computer
    might be corrupted. Verify that protected files play correctly in Windows Media
    Player, and then restart the WMPNetworkSvc service.

    Error - 27/10/2010 7:40:32 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 27/10/2010 7:45:01 PM | Computer Name = OFFICE | Source = WMPNetworkSvc | ID = 866312
    Description = A new media server was not initialized because WMCreateDeviceRegistration()
    encountered error '0xc00d2711'. The Windows Media DRM components on your computer
    might be corrupted. Verify that protected files play correctly in Windows Media
    Player, and then restart the WMPNetworkSvc service.

    Error - 27/10/2010 7:45:02 PM | Computer Name = OFFICE | Source = WMPNetworkSvc | ID = 866312
    Description = A new media server was not initialized because WMCreateDeviceRegistration()
    encountered error '0xc00d2711'. The Windows Media DRM components on your computer
    might be corrupted. Verify that protected files play correctly in Windows Media
    Player, and then restart the WMPNetworkSvc service.

    Error - 27/10/2010 7:45:21 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 27/10/2010 8:17:43 PM | Computer Name = OFFICE | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.


    < End of report >
     
  11. crunchie

    crunchie Malware Helper Posts: 728

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :Files
      c:\windows\system32\drivers\oopuhnpkpjv.sys
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
      :Commands
      [emptyflash]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered, reboot the PC when it is done.
    • Post log from this run.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  12. loketar

    loketar TS Rookie Topic Starter Posts: 33

    new problem!!!!

    wow, not sure what's going on now. I was reading posts from other people in the forum when my computer restarted all of a sudden on its own. I let it run its course; it rebooted fine, but after about 2 or 3 mins it rebooted again. It is doing this every time. I have gone into safe mode without networking and it seems to be stable there. Shall I try to boot into safe mode with networking and do the above-mentioned procedure?
     
  13. loketar

    loketar TS Rookie Topic Starter Posts: 33

    one more quick note, I opened up msconfig to have a look and there seems to be a new entry there as follows:
    startup item: dumprep 0 -k command: %systemroot%\system32\dumprep 0 -k
    location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
  14. crunchie

    crunchie Malware Helper Posts: 728

    That entry is from the shutdown.

    Try the fix in safe mode and see how you go.
     
  15. loketar

    loketar TS Rookie Topic Starter Posts: 33

    got it to go in safe mode

    All processes killed
    ========== FILES ==========
    File\Folder c:\windows\system32\drivers\oopuhnpkpjv.sys not found.
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
    ========== COMMANDS ==========

    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Brian & Kim
    ->Flash cache emptied: 456 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Brian & Kim
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 5779462 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 6.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.17.1 log created on 10272010_231105

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  16. loketar

    loketar TS Rookie Topic Starter Posts: 33

    quick scan log

    OTL logfile created on: 27/10/2010 8:34:19 PM - Run 1
    OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Brian & Kim\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

    1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 55.91 Gb Total Space | 43.21 Gb Free Space | 77.30% Space Free | Partition Type: NTFS
    Drive D: | 19.14 Gb Total Space | 12.95 Gb Free Space | 67.69% Space Free | Partition Type: NTFS
    Drive H: | 446.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive I: | 930.86 Gb Total Space | 888.53 Gb Free Space | 95.45% Space Free | Partition Type: NTFS

    Computer Name: OFFICE | User Name: Brian & Kim | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/10/27 20:31:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\OTL.exe
    PRC - [2010/02/26 08:58:40 | 000,110,592 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    PRC - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    PRC - [2009/02/14 16:29:14 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/01/22 01:35:52 | 000,103,808 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/10/27 20:31:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\OTL.exe


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\ComboFix\PEV.cfx -- (PEVSystemStart)
    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010/10/23 16:46:24 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
    SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Disabled | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010/02/26 08:58:40 | 000,110,592 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
    SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Disabled | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe -- (WDSmartWareBackgroundService)
    SRV - [2009/02/14 16:29:14 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
    SRV - [2008/01/22 01:35:52 | 000,103,808 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
    SRV - [2007/06/29 20:16:56 | 000,800,040 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Nero 7\Nero BackItUp\NBService.exe -- (NBService)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\pccsmcfd.sys -- (pccsmcfd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ivusb.sys -- (ivusb)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTSBLFX.DLL -- (CTSBLFX.DLL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTERFXFX.DLL -- (CTERFXFX.DLL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTAUDFX.DLL -- (CTAUDFX.DLL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\COMMONFX.DLL -- (COMMONFX.DLL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\BRIAN&~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/08/04 14:41:04 | 000,006,656 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\iPodDrv.sys -- (iPodDrv)
    DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2009/10/27 12:02:14 | 000,023,936 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
    DRV - [2009/07/08 10:12:06 | 000,106,240 | R--- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hwmob01.sys -- (hwmobilehsn)
    DRV - [2009/06/23 13:38:26 | 000,189,464 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
    DRV - [2009/06/23 13:38:16 | 000,162,840 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
    DRV - [2009/06/23 13:38:06 | 000,798,744 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
    DRV - [2009/06/23 13:37:54 | 000,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
    DRV - [2009/06/23 13:37:32 | 000,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
    DRV - [2009/06/23 13:37:22 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
    DRV - [2009/06/23 13:37:10 | 000,127,512 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
    DRV - [2009/06/23 13:36:36 | 000,347,080 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
    DRV - [2009/06/23 13:36:24 | 000,528,408 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
    DRV - [2009/06/23 13:36:14 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
    DRV - [2009/06/23 13:35:04 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
    DRV - [2009/06/23 13:35:04 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
    DRV - [2009/06/23 13:34:52 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
    DRV - [2009/06/23 13:34:52 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTSBLFX.sys -- (CTSBLFX)
    DRV - [2009/06/23 13:34:40 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
    DRV - [2009/06/23 13:34:40 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTAUDFX.sys -- (CTAUDFX)
    DRV - [2009/06/23 13:34:30 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
    DRV - [2009/06/23 13:34:30 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COMMONFX.sys -- (COMMONFX)
    DRV - [2009/05/18 10:42:12 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
    DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2009/02/13 11:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
    DRV - [2008/04/13 10:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
    DRV - [2007/04/12 08:10:26 | 000,164,608 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
    DRV - [2007/04/12 08:10:26 | 000,066,816 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
    DRV - [2007/04/12 08:10:24 | 001,317,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
    DRV - [2007/04/12 08:10:22 | 000,323,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
    DRV - [2007/04/12 08:10:22 | 000,128,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
    DRV - [2007/04/12 08:10:20 | 000,280,320 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
    DRV - [2007/04/12 08:10:18 | 000,168,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
    DRV - [2006/02/21 21:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2004/10/15 12:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
    DRV - [2004/06/03 11:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
    DRV - [2004/04/02 16:40:00 | 000,021,760 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
    DRV - [2004/01/29 02:45:50 | 000,093,764 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.736
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/21 16:36:41 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/21 16:36:39 | 000,000,000 | ---D | M]

    [2010/10/16 23:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Mozilla\Extensions
    [2010/10/26 23:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Mozilla\Firefox\Profiles\rba2lgg0.default\extensions
    [2010/10/16 23:23:58 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Brian & Kim\Application Data\Mozilla\Firefox\Profiles\rba2lgg0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/10/26 23:07:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/03/13 11:20:25 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

    O1 HOSTS File: ([2010/10/26 18:33:30 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (PodcastBHO Class) - {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} - C:\Program Files\Common Files\doubleTwist\IEPodcastPlugin.dll (doubleTwist Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O4 - HKLM..\Run: [PPort11reminder] C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe (Nuance Communications, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 64.59.160.13 64.59.160.15 64.59.161.68
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/18 14:12:18 | 000,000,088 | R--- | M] () - H:\autorun.inf -- [ UDF ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/10/27 20:31:22 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\OTL.exe
    [2010/10/27 17:17:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/10/27 17:17:28 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/10/27 17:17:28 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/10/27 17:17:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/10/27 17:17:21 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2010/10/26 22:18:11 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Brian & Kim\Recent
    [2010/10/26 21:23:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Desktop\logs
    [2010/10/26 21:19:39 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/10/26 17:35:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/10/26 17:35:06 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/10/25 19:47:06 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\TFC.exe
    [2010/10/25 01:57:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\peernet
    [2010/10/23 22:04:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
    [2010/10/23 22:03:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Application Data\Avira
    [2010/10/23 21:58:19 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2010/10/23 21:58:18 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010/10/23 21:58:18 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010/10/23 21:58:18 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2010/10/23 21:58:18 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2010/10/23 21:58:18 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2010/10/23 21:58:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2010/10/23 16:46:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Creative Labs Shared
    [2010/10/23 00:58:17 | 000,106,240 | R--- | C] (QUALCOMM Incorporated) -- C:\WINDOWS\System32\drivers\hwmob01.sys
    [2010/10/21 17:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\My Documents\Subscriptions
    [2010/10/21 17:31:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\doubleTwist_Corporation
    [2010/10/21 17:22:06 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2010/10/21 17:15:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\doubleTwist Corporation
    [2010/10/21 17:14:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\doubleTwist
    [2010/10/21 17:14:55 | 000,060,273 | ---- | C] (Open Source Software community project) -- C:\WINDOWS\System32\pthreadGC2.dll
    [2010/10/21 17:14:55 | 000,000,000 | ---D | C] -- C:\Program Files\ffdshow
    [2010/10/21 17:14:16 | 000,000,000 | ---D | C] -- C:\Program Files\doubleTwist 2.0
    [2010/10/21 17:13:01 | 000,000,000 | ---D | C] -- C:\PC Suite
    [2010/10/17 17:26:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Samsung
    [2010/10/16 23:18:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Application Data\Mozilla
    [2010/10/16 22:02:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Samsung_USB_Drivers
    [2010/10/16 22:02:36 | 000,233,472 | ---- | C] (Teruten) -- C:\WINDOWS\System32\FsUsbExService.Exe
    [2010/10/16 22:02:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\My Documents\My NPS Files
    [2010/10/16 18:55:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Suite
    [2010/10/16 18:55:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian & Kim\Application Data\PC Suite
    [2010/10/16 18:53:02 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
    [2010/10/16 18:52:47 | 000,090,624 | ---- | C] (Nokia) -- C:\WINDOWS\System32\nmwcdcls.dll
    [2010/10/16 18:51:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Installations
    [2010/10/12 22:20:31 | 000,023,936 | ---- | C] (Motorola) -- C:\WINDOWS\System32\drivers\motmodem.sys
    [2010/10/12 22:07:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Motorola Shared
    [2010/10/12 22:07:14 | 000,000,000 | ---D | C] -- C:\Program Files\Motorola
    [2010/10/12 22:06:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2010/10/03 17:28:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
    [2009/06/23 11:49:14 | 000,010,752 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

    ========== Files - Modified Within 30 Days ==========

    [2010/10/27 20:35:57 | 000,762,880 | ---- | M] () -- C:\WINDOWS\System32\drivers\ucwfs.sys
    [2010/10/27 20:31:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\OTL.exe
    [2010/10/27 19:33:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/10/27 19:32:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/10/27 17:14:21 | 000,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:14:21 | 000,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:14:21 | 000,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:14:21 | 000,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:14:21 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/27 17:01:25 | 000,000,211 | RHS- | M] () -- C:\boot.ini
    [2010/10/26 18:33:30 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/10/26 17:26:44 | 003,886,890 | R--- | M] () -- C:\Documents and Settings\Brian & Kim\Desktop\ComboFix.exe
    [2010/10/26 15:36:39 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Xriqecofe.dat
    [2010/10/26 00:00:50 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Dmoqupavidifexe.bin
    [2010/10/25 22:16:10 | 000,079,872 | ---- | M] () -- C:\WINDOWS\MBR.exe
    [2010/10/25 20:37:04 | 000,545,280 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Desktop\dds.scr
    [2010/10/25 20:14:31 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Desktop\9im9j18e.exe
    [2010/10/25 19:47:06 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian & Kim\Desktop\TFC.exe
    [2010/10/25 01:34:47 | 000,000,010 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Application Data\install
    [2010/10/24 23:38:52 | 003,162,278 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.CDF
    [2010/10/24 23:22:26 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/10/24 17:33:11 | 000,017,745 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\My Documents\A wild night.docx
    [2010/10/23 21:58:34 | 000,001,741 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/10/23 16:45:34 | 000,444,952 | ---- | M] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
    [2010/10/23 01:24:26 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\default.pls
    [2010/10/23 01:24:21 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2010/10/21 22:32:51 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/10/21 17:31:25 | 000,000,127 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
    [2010/10/21 17:14:57 | 000,001,780 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\doubleTwist.lnk
    [2010/10/21 17:14:57 | 000,001,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\doubleTwist.lnk
    [2010/10/21 17:13:14 | 000,000,556 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Suite.lnk
    [2010/10/21 16:38:55 | 000,000,426 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
    [2010/10/19 15:31:35 | 000,435,568 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/10/19 15:31:35 | 000,068,272 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/10/18 18:56:35 | 000,012,708 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\My Documents\French project paragraphs.docx
    [2010/10/17 22:51:12 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\housecall.guid.cache
    [2010/10/16 23:18:12 | 000,001,654 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2010/10/16 23:18:12 | 000,001,636 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/10/16 22:02:18 | 000,002,528 | ---- | M] () -- C:\Documents and Settings\Brian & Kim\Application Data\$_hpcst$.hpc
    [2010/10/15 16:51:40 | 000,000,074 | ---- | M] () -- C:\WINDOWS\ImportClient.INI
    [2010/10/12 22:25:04 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motmodem_01007.Wdf
    [2010/10/12 22:25:03 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

    ========== Files Created - No Company Name ==========

    [2010/10/27 17:17:28 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/10/27 17:17:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/10/27 17:17:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/10/27 17:17:28 | 000,079,872 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/10/27 17:17:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/10/26 17:26:43 | 003,886,890 | R--- | C] () -- C:\Documents and Settings\Brian & Kim\Desktop\ComboFix.exe
    [2010/10/25 20:37:04 | 000,545,280 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Desktop\dds.scr
    [2010/10/25 20:14:30 | 000,294,912 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Desktop\9im9j18e.exe
    [2010/10/25 01:34:47 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Application Data\install
    [2010/10/24 23:24:58 | 000,762,880 | ---- | C] () -- C:\WINDOWS\System32\drivers\ucwfs.sys
    [2010/10/24 17:13:18 | 000,017,745 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\My Documents\A wild night.docx
    [2010/10/23 21:58:34 | 000,001,741 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/10/23 16:47:58 | 000,027,408 | ---- | C] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/23 16:47:58 | 000,027,408 | ---- | C] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/23 16:47:58 | 000,011,564 | ---- | C] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
    [2010/10/23 16:45:47 | 003,162,278 | ---- | C] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.CDF
    [2010/10/21 21:53:20 | 000,245,328 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/10/21 17:31:25 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
    [2010/10/21 17:14:57 | 000,001,780 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\doubleTwist.lnk
    [2010/10/21 17:14:57 | 000,001,762 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\doubleTwist.lnk
    [2010/10/21 17:14:56 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2010/10/21 17:13:14 | 000,000,556 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Suite.lnk
    [2010/10/18 18:50:47 | 000,012,708 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\My Documents\French project paragraphs.docx
    [2010/10/17 22:51:12 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\housecall.guid.cache
    [2010/10/16 23:18:12 | 000,001,654 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2010/10/16 23:18:12 | 000,001,636 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/10/16 22:02:36 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
    [2010/10/16 22:02:36 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
    [2010/10/16 22:02:18 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Application Data\$_hpcst$.hpc
    [2010/10/12 22:25:04 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_motmodem_01007.Wdf
    [2010/10/12 22:25:03 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    [2010/05/01 18:14:39 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
    [2010/05/01 18:11:23 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
    [2010/05/01 18:09:19 | 000,031,567 | ---- | C] () -- C:\WINDOWS\maxlink.ini
    [2010/03/14 13:27:12 | 000,000,074 | ---- | C] () -- C:\WINDOWS\ImportClient.INI
    [2010/03/14 13:10:37 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\PretzelSpellCheck.dll
    [2010/03/14 13:10:36 | 000,745,472 | ---- | C] () -- C:\WINDOWS\System32\PMAppBuilder.dll
    [2010/03/14 13:10:36 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\PMovieServer.dll
    [2010/03/13 16:16:14 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2010/03/13 13:09:27 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Brian & Kim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/03/13 12:36:18 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
    [2010/03/12 11:34:28 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2009/06/23 12:29:50 | 000,049,719 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
    [2009/06/23 12:29:48 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
    [2009/06/23 11:51:00 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
    [2007/10/25 17:26:10 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2007/08/13 20:45:02 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
    [2007/04/12 09:10:28 | 000,105,728 | ---- | C] () -- C:\WINDOWS\System32\APOMgrH.dll
    [2006/10/02 17:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini

    ========== LOP Check ==========

    [2010/10/21 17:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2010/03/13 12:44:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
    [2010/03/13 12:53:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
    [2010/09/13 16:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
    [2010/03/13 12:53:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenu
    [2010/10/16 18:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
    [2010/10/16 18:55:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
    [2010/10/17 17:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Samsung
    [2010/05/02 11:35:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
    [2010/10/25 02:51:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/03/12 20:31:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
    [2010/03/18 16:37:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Hoyle FaceCreator
    [2010/10/26 16:14:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Hoyle Puzzle and Board Games
    [2010/10/16 18:55:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\PC Suite
    [2010/10/16 21:56:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\uTorrent
    [2010/03/17 16:45:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Western Digital
    [2010/03/17 16:45:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brian & Kim\Application Data\Western DigitalTemp

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2010/03/13 02:06:24 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
    [2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
    [2010/03/13 02:06:24 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
    [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
    [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
    [2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

    < MD5 for: ATAPI.SYS >
    [2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2010/03/13 02:06:24 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
    [2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
    [2010/03/13 02:06:24 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
    [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\Qoobox\32788R22FWJFW\atapi.sys
    [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
    [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    [2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
    [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
    [2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
    [2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
    [2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

    < MD5 for: NVATABUS.SYS >
    [2004/06/03 11:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) MD5=46DEED4C6C5FA765F9A2C723BE60348D -- C:\Qoobox\32788R22FWJFW\nvatabus.sys
    [2004/06/03 11:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) MD5=46DEED4C6C5FA765F9A2C723BE60348D -- C:\WINDOWS\system32\drivers\nvatabus.sys

    < MD5 for: SCECLI.DLL >
    [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
    [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
    [2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >
    [2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
    [2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

    < %systemroot%\System32\config\*.sav >
    [2010/03/12 11:32:29 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2010/03/12 11:32:29 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2010/03/12 11:32:29 | 000,425,984 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

    < End of report >
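The report above is only useful once someone picks the odd entries out of several hundred lines. What the helper does by eye (a kernel driver that OTL lists with an empty "()" company field, a hosts file touched in the last few days) can be done mechanically. The following is an added triage script, not part of the thread or of the OTL tool; it parses the OTL "[date | size | attrs | C/M] (Company) -- path" line format and applies two conservative rules. The sample lines are copied from the report above (plus one directory line to show that entries without a company field still parse); the rule thresholds and helper names are the example's own choices.

```python
"""Triage of OTL-style file entries (added example, not from the thread)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Lines copied from the OTL report in this thread; the final directory line
# is included only to show that entries with no "(Company)" field parse too.
SAMPLE_OTL = r"""
[2010/10/23 21:58:18 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/10/24 23:24:58 | 000,762,880 | ---- | C] () -- C:\WINDOWS\System32\drivers\ucwfs.sys
[2010/10/12 22:20:31 | 000,023,936 | ---- | C] (Motorola) -- C:\WINDOWS\System32\drivers\motmodem.sys
[2010/10/26 18:33:30 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/10/27 17:17:28 | 000,079,872 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/10/23 21:58:18 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
"""

# OTL entry layout: [timestamp | size | attrs | C|M] (company) -- path
# The "(company)" field is absent on directory entries, hence optional.
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)


@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str      # e.g. "----", "---D", "RHS-"
    kind: str       # "C" = created, "M" = modified
    company: str    # "" when OTL found no embedded version info
    path: str


def parse_entries(text: str) -> List[Entry]:
    """Parse every line that matches the OTL entry layout; skip the rest."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=(m["company"] or "").strip(),
            path=m["path"].strip(),
        ))
    return entries


def flag_entries(entries: List[Entry], report_date: Optional[datetime] = None,
                 window_days: int = 30) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries that deserve a manual look.

    An empty company field is not proof of anything by itself (many legitimate
    files carry no version resource), so the rules stay narrow: a kernel driver
    with no company information, and a recently modified hosts file, which is a
    classic cause of browser redirects.
    """
    if report_date is None:
        report_date = max(e.timestamp for e in entries)  # assume newest entry ~ scan time
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        p = e.path.lower()
        age_days = (report_date - e.timestamp).days
        if p.endswith(".sys") and "\\drivers\\" in p and not e.company:
            reasons.append("kernel driver with no embedded company/version info")
        if p.endswith("\\drivers\\etc\\hosts") and e.kind == "M" and age_days <= window_days:
            reasons.append("hosts file modified within the last %d days" % window_days)
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in flag_entries(parse_entries(SAMPLE_OTL)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the full report instead of the sample, the same two rules single out the ucwfs.sys driver that the helper later targets with the CFScript, and the hosts file, whose content should then be read rather than assumed bad (here it holds only the localhost line).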
     
  17. loketar

    loketar TS Rookie Topic Starter Posts: 33

    I am still unable to use normal mode; it just keeps rebooting after about 2 min. No matter how many times I try to un-select the above-mentioned startup item, it keeps coming back. I am sure if that is a shutdown sequence, that is what's causing my troubles, but I have no idea how to get rid of it out of the startup.
     
  18. crunchie

    crunchie Malware Helper Posts: 728

    Boot into safe mode, go to Start > Run, type in msconfig and hit Enter. Go to the Startup tab and uncheck that entry.
     
  19. loketar

    loketar TS Rookie Topic Starter Posts: 33

    That is what I have been doing. I go into safe mode and uncheck that entry. Then I try to restart and run Windows normally; every time I do, it reappears and the computer shuts down after 2 or 3 min. I am stumped.

    Now, how did the last logs look? I did get them to run in safe mode.
     
  20. loketar

    loketar TS Rookie Topic Starter Posts: 33

    Help!!!!!!!

    Man, this is very frustrating. Like I said, every 2 to 3 min the computer will reboot; I don't have time to try anything in normal mode, but safe mode seems stable. Anyone have a suggestion on this one? I have the day off and would like to get this resolved so my wife will get off my back. If all else fails, I guess I will have to reformat and reinstall everything.
    Crunchie, if you are around I really need your help. If not, any input would be great...
     
  21. crunchie

    crunchie Malware Helper Posts: 728

    Just woke up :).

    One suggestion would be to go into safe mode and try a system restore to go back before this started happening.
    Give it a try and let me know.
     
  22. loketar

    loketar TS Rookie Topic Starter Posts: 33

    Ouch!!

    Well, hope ya slept well... As you can tell, I am not having much luck. I am still running in safe mode. Also, I had thought about the system restore, but it has been disabled, so no previous restore points are left. I think I am screwed. What do you think?
     
  23. crunchie

    crunchie Malware Helper Posts: 728

    Going to get a 2nd opinion. Will get back to you.
    Exactly when did it start to happen? Was it before or after running ComboFix or OTL?
     
  24. loketar

    loketar TS Rookie Topic Starter Posts: 33

    After ComboFix and before OTL.

    It is really strange: safe mode runs fine, but as soon as I try to start Windows in normal mode, it will load to the desktop, all icons are fine, but the thing restarts after a couple of minutes.

    Hope to hear back from you soon.
     
  25. crunchie

    crunchie Malware Helper Posts: 728

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    File::
    c:\windows\system32\drivers\ucwfs.sys
    Driver::
    ucwfs
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ucwfs]
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ==

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

    • If an infected file is detected, the default action will be Cure, click on Continue.

    • If a suspicious file is detected, the default action will be Skip, click on Continue.

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    ==

    Safe mode will be ok to do it in.
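    The CFScript above removes a kernel driver file (ucwfs.sys) together with its service entry under Services. Before scripting a removal like that, a helper normally wants to confirm what the entry actually points at and whether the file is visible and signed. The following PowerShell script is an added read-only example, not code from this thread, from ComboFix or from TDSSKiller; it assumes PowerShell is available on the machine, takes the driver name as a parameter (the "ucwfs" default is the name from the CFScript, the parameter itself is an assumption), and changes nothing on the system.

```powershell
# Added example (not from the thread): read-only audit of a kernel driver service entry.
# "ucwfs" is the driver named in the CFScript above; the -Name parameter is this example's own.
param([string]$Name = "ucwfs")

# ComboFix's script targets ControlSet001; CurrentControlSet is the alias for the control set
# Windows actually booted from, so that is what we inspect here.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
if (-not (Test-Path $key)) {
    Write-Output "No service/driver entry named '$Name' under CurrentControlSet."
    return
}
$svc = Get-ItemProperty -Path $key
Write-Output ("Type  : {0}  (1 = kernel driver, 2 = file system driver)" -f $svc.Type)
Write-Output ("Start : {0}  (0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled)" -f $svc.Start)

# Driver ImagePath values are usually relative to %SystemRoot%, or prefixed with \SystemRoot\ or \??\.
$image = [string]$svc.ImagePath
if (-not $image) { $image = "system32\drivers\$Name.sys" }   # default location when ImagePath is absent
$image = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
Write-Output "Image : $image"

if (Test-Path $image) {
    $info = Get-Item $image
    $sig  = Get-AuthenticodeSignature -FilePath $image
    Write-Output ("Size  : {0} bytes, last modified {1}" -f $info.Length, $info.LastWriteTime)
    Write-Output ("Sig   : {0}" -f $sig.Status)   # Valid / NotSigned / HashMismatch / UnknownError
    if ($sig.SignerCertificate) {
        Write-Output ("Signer: {0}" -f $sig.SignerCertificate.Subject)
    }
} else {
    # A service entry whose file cannot be seen from user mode is a classic rootkit indicator;
    # this is the kind of hidden driver the TDSSKiller step in this post is meant to find.
    Write-Output "Image : file not visible on disk (hidden or already removed)"
}
```

    Run it from an elevated PowerShell prompt as `.\audit-driver.ps1 -Name ucwfs` (the file name is up to you). A boot-start (Start = 0) kernel driver that is unsigned, has a very recent modification time, or whose file is missing while its service entry still exists is exactly the profile the CFScript and TDSSKiller steps above are written to deal with; a signed Microsoft driver with a plausible age is a sign the name was a false lead.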
     