wuauclt.exe infection?

#16 gwtwins (Topic Starter, Member, 90 posts)
OK...here we go! I was finally able to get CA Anti-virus uninstalled. I got ComboFix updated and ran that. Logs are below:


OTS logfile created on: 11/14/2010 1:48:49 PM - Run 1
OTS by OldTimer - Version 3.1.40.1     Folder = C:\Documents and Settings\Fern\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
447.00 Mb Total Physical Memory | 97.00 Mb Available Physical Memory | 22.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 60.98 Gb Free Space | 81.82% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 980.72 Mb Total Space | 827.41 Mb Free Space | 84.37% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: ACER-E355056E8B
Current User Name: Fern
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Quick Scan
 
[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Fern\Desktop\OTS.exe -> [2010/11/14 13:08:26 | 000,642,048 | ---- | M] (OldTimer Tools)
vetmsg.exe -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe -> [2010/06/04 12:23:42 | 000,238,928 | ---- | M] (CA, Inc.)
cavrid.exe -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe -> [2010/06/04 12:23:42 | 000,226,640 | ---- | M] (CA, Inc.)
cctray.exe -> C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe -> [2010/05/01 14:09:21 | 000,177,392 | ---- | M] (CA, Inc.)
qoeloader.exe -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe -> [2010/05/01 14:08:38 | 000,014,088 | ---- | M] (CA)
wgatray.exe -> C:\WINDOWS\system32\WgaTray.exe -> [2009/03/10 21:18:14 | 000,934,792 | ---- | M] (Microsoft Corporation)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
isafe.exe -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe -> [2007/08/20 12:27:26 | 000,144,960 | ---- | M] (Computer Associates International, Inc.)
cappactiveprotection.exe -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe -> [2007/08/16 20:10:14 | 000,218,376 | ---- | M] (CA, Inc.)
awserv.exe -> C:\Acer\LANScope Agent\awServ.exe -> [2007/01/17 19:31:44 | 000,074,520 | ---- | M] (OSA Technologies Inc., An Avocent Company)
itmrtsvc.exe -> C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe -> [2007/01/04 11:10:22 | 000,280,080 | ---- | M] (CA, Inc.)
 
[Modules - Safe List]
ots.exe -> C:\Documents and Settings\Fern\Desktop\OTS.exe -> [2010/11/14 13:08:26 | 000,642,048 | ---- | M] (OldTimer Tools)
qoehook.dll -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOEHook.dll -> [2010/05/01 14:08:38 | 000,083,208 | ---- | M] (CA)
 
[Win32 Services - Safe List]
(HidServ) Human Interface Device Access [Disabled | Stopped] -> C:\WINDOWS\System32\hidserv.dll -> File not found
(VETMSGNT) VET Message Service [Auto | Running] -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe -> [2010/06/04 12:23:42 | 000,238,928 | ---- | M] (CA, Inc.)
(CaCCProvSP) CaCCProvSP [On_Demand | Stopped] -> C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -> [2010/05/01 14:09:21 | 000,214,256 | ---- | M] (CA, Inc.)
(McComponentHostService) McAfee Security Scan Component Host Service [On_Demand | Stopped] -> C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -> [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.)
(BcmSqlStartupSvc) Business Contact Manager SQL Server Startup Service [On_Demand | Stopped] -> C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -> [2009/02/20 08:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation)
(CAISafe) CAISafe [Auto | Running] -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe -> [2007/08/20 12:27:26 | 000,144,960 | ---- | M] (Computer Associates International, Inc.)
(PPCtlPriv) PPCtlPriv [On_Demand | Start_Pending] -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe -> [2007/08/16 20:10:16 | 000,189,704 | ---- | M] (CA, Inc.)
(AWService) AdminWorks Agent X6 [Auto | Running] -> C:\Acer\LANScope Agent\awServ.exe -> [2007/01/17 19:31:44 | 000,074,520 | ---- | M] (OSA Technologies Inc., An Avocent Company)
(ITMRTSVC) CA Pest Patrol Realtime Protection Service [Auto | Running] -> C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe -> [2007/01/04 11:10:22 | 000,280,080 | ---- | M] (CA, Inc.)
(IDriverT) InstallDriver Table Manager [On_Demand | Stopped] -> C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -> [2005/11/14 04:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation)
 
[Driver Services - Safe List]
(psdvdisk) psdvdisk [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\Drivers\psdvdisk.sys -> File not found
(psdfilter) psdfilter [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\Drivers\psdfilter.sys -> File not found
(catchme) catchme [Kernel | On_Demand | Stopped] -> C:\DOCUME~1\Fern\LOCALS~1\Temp\catchme.sys -> File not found
(VETEFILE) VET File Scan Engine [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\vetefile.sys -> [2010/06/03 09:49:15 | 000,746,216 | ---- | M] (Computer Associates International, Inc.)
(VETEBOOT) VET Boot Scan Engine [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\drivers\veteboot.sys -> [2010/06/03 09:49:15 | 000,130,280 | ---- | M] (Computer Associates International, Inc.)
(VETMONNT) VET File Monitor [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\vetmonnt.sys -> [2010/05/01 14:09:20 | 000,032,240 | ---- | M] (Computer Associates International, Inc.)
(VET-FILT) VET File System Filter [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\vet-filt.sys -> [2010/05/01 14:09:20 | 000,026,352 | ---- | M] (Computer Associates International, Inc.)
(VETFDDNT) VET Floppy Boot Sector Monitor [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\vetfddnt.sys -> [2010/05/01 14:09:20 | 000,021,488 | ---- | M] (Computer Associates International, Inc.)
(VET-REC) VET File System Recognizer [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\vet-rec.sys -> [2010/05/01 14:09:20 | 000,021,104 | ---- | M] (Computer Associates International, Inc.)
(k) k [Kernel | Auto | Running] -> C:\WINDOWS\system32\o.sys -> [2010/04/15 14:59:24 | 000,004,736 | ---- | M] ()
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\hdaudbus.sys -> [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(SiSkp) SiSkp [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\srvkp.sys -> [2007/02/28 08:57:20 | 000,017,280 | ---- | M] (Silicon Integrated Systems Corporation)
(SiS315) SiS315 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\sisgrp.sys -> [2007/02/28 08:36:00 | 000,318,464 | ---- | M] (Silicon Integrated Systems Corporation)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\RtkHDAud.sys -> [2007/01/30 13:57:50 | 004,474,368 | ---- | M] (Realtek Semiconductor Corp.)
(OsaFsLoc) OsaFsLoc [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\OsaFsLoc.sys -> [2007/01/03 18:33:24 | 000,019,783 | ---- | M] (OSA Technologies)
(SiSGbeXP) SiS191/SiS190 Ethernet Device NDIS 5.1 Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\SiSGbeXP.sys -> [2006/12/20 07:00:00 | 000,041,600 | ---- | M] (Silicon Integrated Systems Corp.)
(netlock) netlock [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\NetLock.sys -> [2006/12/11 14:12:56 | 000,007,680 | ---- | M] (OSA Technologies, An Avocent Company)
(osanbm) osanbm [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\osanbm.sys -> [2006/11/09 00:13:06 | 000,010,944 | ---- | M] (Windows (R) Server 2003 DDK provider)
(osaio) osaio [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\osaio.sys -> [2006/10/27 22:18:26 | 000,006,784 | ---- | M] (OSA Technologies, An Avocent Company)
(netlimiter) netlimiter [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\NetLimiter.sys -> [2006/10/03 14:03:14 | 000,018,072 | ---- | M] ()
(UBHelper) UBHelper [Kernel | Boot | Running] -> C:\WINDOWS\System32\drivers\UBHelper.sys -> [2006/08/28 05:30:04 | 000,013,952 | ---- | M] ()
(NTIDrvr) Upper Class Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\NTIDrvr.sys -> [2006/01/02 02:03:26 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> about:blank -> 
HKEY_CURRENT_USER\: SearchURL\\"" -> http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com -> 
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Fern\Application Data\Mozilla\FireFox\Profiles\0pdqitlw.default\prefs.js -> 
browser.startup.homepage -> "about:blank" ->
extensions.enabledItems -> [email protected]:1.0 ->
extensions.enabledItems -> {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2010/09/14 11:22:22 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2010/09/14 11:22:22 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
  -> C:\Documents and Settings\Fern\Application Data\Mozilla\Extensions -> [2010/05/01 15:39:59 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\extensions -> [2010/09/07 17:22:25 | 000,000,000 | ---D | M]
Microsoft .NET Framework Assistant   -> C:\Documents and Settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} -> [2010/06/18 13:27:48 | 000,000,000 | ---D | M]
Adblock Plus   -> C:\Documents and Settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} -> [2010/07/20 18:30:28 | 000,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > -> 
  -> C:\Program Files\Mozilla Firefox\extensions -> [2010/05/01 15:39:20 | 000,000,000 | ---D | M]
< HOSTS File > ([2010/11/14 13:31:53 | 000,000,098 | ---- | M] - 2 lines) -> C:\WINDOWS\system32\drivers\etc\Hosts -> 
Reset Hosts
127.0.0.1       localhost
::1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> [2004/12/14 04:56:50 | 000,063,136 | ---- | M] (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> C:\Program Files\Java\jre6\bin\ssv.dll [SSVHelper Class] -> [2010/04/20 19:48:44 | 000,321,312 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"CAVRID" -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe ["C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"] -> [2010/06/04 12:23:42 | 000,226,640 | ---- | M] (CA, Inc.)
"cctray" -> C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe ["C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"] -> [2010/05/01 14:09:21 | 000,177,392 | ---- | M] (CA, Inc.)
"KernelFaultCheck" ->  [%systemroot%\system32\dumprep 0 -k] -> File not found
"QOELOADER" -> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe ["C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"] -> [2010/05/01 14:08:38 | 000,014,088 | ---- | M] (CA)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< Fern Startup Folder > -> C:\Documents and Settings\Fern\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_20.dll [Menu: Sun Java Console] -> [2010/04/20 19:48:44 | 000,136,992 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_20.dll [Sun Java Console] -> [2010/04/20 19:48:44 | 000,136,992 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253391220187 [MUWebControl Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.0.1 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{042C9ED8-6FA9-47C3-8AA1-39CB29896B2A}\\DhcpNameServer -> 192.168.0.1   (SiS191 Ethernet Controller) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\CyberLink\PowerDVD\OLRSubmission\OLRSubmission.exe" -> C:\Program Files\CyberLink\PowerDVD\OLRSubmission\OLRSubmission.exe [C:\Program Files\CyberLink\PowerDVD\OLRSubmission\OLRSubmission.exe:*:Enabled:OLRSubmission] -> [2006/11/14 01:57:10 | 000,355,936 | ---- | M] ()
"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" -> C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe [C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD] -> [2007/01/08 18:43:10 | 000,529,968 | ---- | M] (CyberLink Corp.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2006/01/02 01:24:40 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< AppCertDlls [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = comfile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
 
[Files/Folders - Created Within 30 Days]
 _OTS -> C:\_OTS -> [2010/11/14 13:31:48 | 000,000,000 | ---D | C]
 OTS.exe -> C:\Documents and Settings\Fern\Desktop\OTS.exe -> [2010/11/14 13:08:33 | 000,642,048 | ---- | C] (OldTimer Tools)
 OTL.exe -> C:\Documents and Settings\Fern\Desktop\OTL.exe -> [2010/10/24 12:44:44 | 000,575,488 | ---- | C] (OldTimer Tools)
 
[Files/Folders - Modified Within 30 Days]
 wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/11/14 13:49:10 | 000,001,158 | ---- | M] ()
 bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2010/11/14 13:45:47 | 000,002,048 | --S- | M] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2010/11/14 13:45:44 | 469,291,008 | -HS- | M] ()
 Hosts -> C:\WINDOWS\System32\drivers\etc\Hosts -> [2010/11/14 13:31:53 | 000,000,098 | ---- | M] ()
 ComboFix.exe -> C:\Documents and Settings\Fern\Desktop\ComboFix.exe -> [2010/11/14 13:09:00 | 003,909,734 | ---- | M] ()
 OTS.exe -> C:\Documents and Settings\Fern\Desktop\OTS.exe -> [2010/11/14 13:08:26 | 000,642,048 | ---- | M] (OldTimer Tools)
 perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2010/11/14 12:58:00 | 000,492,078 | ---- | M] ()
 perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2010/11/14 12:58:00 | 000,090,098 | ---- | M] ()
 OTL.exe -> C:\Documents and Settings\Fern\Desktop\OTL.exe -> [2010/10/24 12:44:50 | 000,575,488 | ---- | M] (OldTimer Tools)
 gmer.exe -> C:\Documents and Settings\Fern\Desktop\gmer.exe -> [2010/10/19 15:00:08 | 000,294,912 | ---- | M] ()
 429 C:\Documents and Settings\Fern\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Fern\Local Settings\temp\*.tmp -> 
 
[Files - No Company Name]
 ComboFix.exe -> C:\Documents and Settings\Fern\Desktop\ComboFix.exe -> [2010/11/14 13:14:46 | 003,909,734 | ---- | C] ()
 gmer.exe -> C:\Documents and Settings\Fern\Desktop\gmer.exe -> [2010/10/19 15:00:08 | 000,294,912 | ---- | C] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2010/10/16 18:32:48 | 469,291,008 | -HS- | C] ()
 2wUN2x572Urj -> C:\Documents and Settings\Fern\Local Settings\Application Data\2wUN2x572Urj -> [2010/04/21 20:26:44 | 000,012,002 | -HS- | C] ()
 2wUN2x572Urj -> C:\Documents and Settings\All Users\Application Data\2wUN2x572Urj -> [2010/04/21 20:26:44 | 000,012,002 | -HS- | C] ()
 1LKwMuQ -> C:\Documents and Settings\Fern\Local Settings\Application Data\1LKwMuQ -> [2010/04/18 17:59:12 | 000,014,050 | -HS- | C] ()
 1LKwMuQ -> C:\Documents and Settings\All Users\Application Data\1LKwMuQ -> [2010/04/18 17:59:12 | 000,014,050 | -HS- | C] ()
 t62kNvy -> C:\Documents and Settings\Fern\Local Settings\Application Data\t62kNvy -> [2010/04/18 13:29:09 | 000,015,468 | -HS- | C] ()
 t62kNvy -> C:\Documents and Settings\All Users\Application Data\t62kNvy -> [2010/04/18 11:56:47 | 000,015,468 | -HS- | C] ()
 t62kNvy -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\t62kNvy -> [2010/04/18 11:56:47 | 000,015,318 | -HS- | C] ()
 o.sys -> C:\WINDOWS\System32\o.sys -> [2010/04/15 14:59:24 | 000,004,736 | ---- | C] ()
 4ML87 -> C:\Documents and Settings\Fern\Local Settings\Application Data\4ML87 -> [2010/04/13 19:22:04 | 000,012,354 | -HS- | C] ()
 3976734565 -> C:\Documents and Settings\All Users\Application Data\3976734565 -> [2010/04/13 19:22:04 | 000,012,180 | -HS- | C] ()
 4ML87 -> C:\Documents and Settings\All Users\Application Data\4ML87 -> [2010/04/13 16:26:28 | 000,012,354 | -HS- | C] ()
 4ML87 -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\4ML87 -> [2010/04/13 16:26:28 | 000,012,176 | -HS- | C] ()
 o82Ak400MM24 -> C:\Documents and Settings\Fern\Local Settings\Application Data\o82Ak400MM24 -> [2010/04/12 20:03:35 | 000,000,000 | -HS- | C] ()
 o82Ak400MM24 -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\o82Ak400MM24 -> [2010/04/12 16:11:29 | 000,014,406 | -HS- | C] ()
 o82Ak400MM24 -> C:\Documents and Settings\All Users\Application Data\o82Ak400MM24 -> [2010/04/12 16:11:29 | 000,014,406 | -HS- | C] ()
 327m1K.dat -> C:\Documents and Settings\All Users\Application Data\327m1K.dat -> [2010/04/12 14:17:37 | 000,000,112 | ---- | C] ()
 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Fern\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2009/12/25 15:02:09 | 000,005,120 | ---- | C] ()
 commercial.ini -> C:\WINDOWS\commercial.ini -> [2008/08/16 16:20:45 | 000,000,050 | ---- | C] ()
 fusioncache.dat -> C:\Documents and Settings\Fern\Local Settings\Application Data\fusioncache.dat -> [2008/08/16 16:14:47 | 000,000,127 | ---- | C] ()
 ALaunch.ini -> C:\WINDOWS\ALaunch.ini -> [2007/03/07 12:43:12 | 000,000,083 | ---- | C] ()
 NetLimiter.sys -> C:\WINDOWS\System32\drivers\NetLimiter.sys -> [2006/10/03 14:03:14 | 000,018,072 | ---- | C] ()
 UBHelper.sys -> C:\WINDOWS\System32\drivers\UBHelper.sys -> [2006/08/28 05:30:04 | 000,013,952 | ---- | C] ()
 smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2006/01/02 02:28:20 | 000,000,061 | ---- | C] ()
 NTIBUN4.dll -> C:\WINDOWS\System32\NTIBUN4.dll -> [2006/01/02 02:04:26 | 000,001,024 | RH-- | C] ()
 NTIMPEG2.dll -> C:\WINDOWS\System32\NTIMPEG2.dll -> [2006/01/02 02:03:30 | 000,001,024 | RH-- | C] ()
 NTIMP3.dll -> C:\WINDOWS\System32\NTIMP3.dll -> [2006/01/02 02:03:30 | 000,001,024 | RH-- | C] ()
 NTICDMK7.dll -> C:\WINDOWS\System32\NTICDMK7.dll -> [2006/01/02 02:03:30 | 000,001,024 | RH-- | C] ()
 ODBCINST.INI -> C:\WINDOWS\ODBCINST.INI -> [2006/01/02 01:24:20 | 000,004,161 | ---- | C] ()
 OEMINFO.INI -> C:\WINDOWS\System32\OEMINFO.INI -> [2005/10/25 03:25:28 | 000,008,073 | ---- | C] ()
 fxsperf.ini -> C:\WINDOWS\System32\fxsperf.ini -> [2004/08/04 00:00:00 | 000,001,793 | ---- | C] ()
 multiplex_vcd.dll -> C:\WINDOWS\System32\multiplex_vcd.dll -> [2001/12/26 18:12:30 | 000,065,536 | ---- | C] ()
 Hmpg12.dll -> C:\WINDOWS\System32\Hmpg12.dll -> [2001/09/04 01:46:38 | 000,110,592 | ---- | C] ()
 HMPV2_ENC.dll -> C:\WINDOWS\System32\HMPV2_ENC.dll -> [2001/07/30 18:33:56 | 000,118,784 | ---- | C] ()
 HMPV2_ENC_MMX.dll -> C:\WINDOWS\System32\HMPV2_ENC_MMX.dll -> [2001/07/24 00:04:36 | 000,118,784 | ---- | C] ()
 
[File - Lop Check]
 avG -> C:\Documents and Settings\All Users\Application Data\avG -> [2010/04/12 20:03:35 | 000,000,000 | ---D | M]
 Avocent AdminWorks -> C:\Documents and Settings\All Users\Application Data\Avocent AdminWorks -> [2008/08/16 18:40:19 | 000,000,000 | ---D | M]
 CA -> C:\Documents and Settings\All Users\Application Data\CA -> [2010/05/01 14:18:14 | 000,000,000 | ---D | M]
 eSobi -> C:\Documents and Settings\All Users\Application Data\eSobi -> [2008/08/18 09:05:48 | 000,000,000 | ---D | M]
 {623D32E9-0C62-4453-AD44-98B31F52A5E1} -> C:\Documents and Settings\All Users\Application Data\{623D32E9-0C62-4453-AD44-98B31F52A5E1} -> [2008/08/16 18:40:28 | 000,000,000 | ---D | M]
 {92E7A367-8E12-4830-AA70-29C32E331A81} -> C:\Documents and Settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81} -> [2009/06/21 15:46:17 | 000,000,000 | -H-D | M]
 Avocent AdminWorks -> C:\Documents and Settings\Fern\Application Data\Avocent AdminWorks -> [2008/08/16 18:39:48 | 000,000,000 | ---D | M]
 eSobi -> C:\Documents and Settings\Fern\Application Data\eSobi -> [2008/08/18 09:06:27 | 000,000,000 | ---D | M]
 OpenOffice.org -> C:\Documents and Settings\Fern\Application Data\OpenOffice.org -> [2009/02/08 15:51:54 | 000,000,000 | ---D | M]
 
[File - Purity Scan]
 
< End of report >


ComboFix 10-11-20.07 - Fern 11/21/2010 14:14:55.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.85 [GMT -5:00]
Running from: c:\documents and settings\Fern\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-10-21 to 2010-11-21 )))))))))))))))))))))))))))))))
.

2010-11-14 18:31 . 2010-11-14 18:31 -------- d-----w- C:\_OTS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Fern^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Fern\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdminWorks Tray]
2007-01-20 04:10 1441792 ----a-w- c:\acer\LANScope Agent\awtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 18:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-04 05:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 05:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 05:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 05:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-14 06:33 52832 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-01-30 18:54 16116224 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
2007-02-28 13:33 53248 ----a-w- c:\windows\system32\SiSPower.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 18:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\OLRSubmission\\OLRSubmission.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 k;k;c:\windows\system32\o.sys [4/15/2010 2:59 PM 4736]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [12/11/2006 2:12 PM 7680]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-21 14:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,22,7b,61,14,03,90,40,b8,58,92,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,22,7b,61,14,03,90,40,b8,58,92,\

[HKEY_USERS\S-1-5-21-807482871-3152086768-3419283683-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(22380)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-21 14:23:04
ComboFix-quarantined-files.txt 2010-11-21 19:23
ComboFix2.txt 2010-11-21 19:08
ComboFix3.txt 2010-04-25 00:17

Pre-Run: 66,432,249,856 bytes free
Post-Run: 66,420,453,376 bytes free

- - End Of File - - 2227CF65FF8018F28B64A17A140CE715
  • 0


#17
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK I see them - first I will try to get them all with OTS but then follow up with combofix to be sure as one is a kernel driver

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Driver Services - Safe List]
YY -> (k) k [Kernel | Auto | Running] -> C:\WINDOWS\system32\o.sys
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar]
[Files - No Company Name]
NY -> 2wUN2x572Urj -> C:\Documents and Settings\Fern\Local Settings\Application Data\2wUN2x572Urj
NY -> 2wUN2x572Urj -> C:\Documents and Settings\All Users\Application Data\2wUN2x572Urj
NY -> 1LKwMuQ -> C:\Documents and Settings\Fern\Local Settings\Application Data\1LKwMuQ
NY -> 1LKwMuQ -> C:\Documents and Settings\All Users\Application Data\1LKwMuQ
NY -> t62kNvy -> C:\Documents and Settings\Fern\Local Settings\Application Data\t62kNvy
NY -> t62kNvy -> C:\Documents and Settings\All Users\Application Data\t62kNvy
NY -> t62kNvy -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\t62kNvy
NY -> o.sys -> C:\WINDOWS\System32\o.sys
NY -> 4ML87 -> C:\Documents and Settings\Fern\Local Settings\Application Data\4ML87
NY -> 3976734565 -> C:\Documents and Settings\All Users\Application Data\3976734565
NY -> 4ML87 -> C:\Documents and Settings\All Users\Application Data\4ML87
NY -> 4ML87 -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\4ML87
NY -> o82Ak400MM24 -> C:\Documents and Settings\Fern\Local Settings\Application Data\o82Ak400MM24
NY -> o82Ak400MM24 -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\o82Ak400MM24
NY -> o82Ak400MM24 -> C:\Documents and Settings\All Users\Application Data\o82Ak400MM24
NY -> 327m1K.dat -> C:\Documents and Settings\All Users\Application Data\327m1K.dat
[File - Lop Check]
NY -> avG -> C:\Documents and Settings\All Users\Application Data\avG
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\o.sys

Driver::
k


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTS log.

  • 0

#18
gwtwins

    Member

  • Topic Starter
  • Member
  • 90 posts
I really hate to do this again but the website was down for a while and I am back home again :D I only have to work tomorrow so I will be back over there first thing Tuesday morning! I have to get up to put the kids on the school bus and then I will head over to my mother's. I will do these fixes then and post back once I'm done. I really apologize for this being such a pain. I've never experienced something that locks a machine down so badly before. I'm very persistent and want to get this fixed without a reformat / re-install if possible. Will you still be watching this thread then or should I PM you first that I'm ready to start again?
  • 0

#19
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No problem on the timing - again give me a quick PM when you start in case I lose notifications. Is it running any better yet?
  • 0

#20
gwtwins

    Member

  • Topic Starter
  • Member
  • 90 posts
Seems to be a little??? It starts up a little faster but it still won't access the internet very well. I tried to install MS Security Essentials after uninstalling CA just because I didn't want the machine online unprotected. Now that won't update and the machine was unprotected anyway. Was that a mistake? The machine is protected now!! I turned it off... :D I will PM you Tuesday morning to let you know I'm back at it! Thanks for the help and the patience!!
  • 0

#21
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
CA can mess up the internet connection - I will give a fix for that when you are ready
  • 0

#22
gwtwins

    Member

  • Topic Starter
  • Member
  • 90 posts
All right! We'll tackle that Tuesday as well! Thanks again!
  • 0

#23
gwtwins

    Member

  • Topic Starter
  • Member
  • 90 posts
OK...I ran the fix for OTS. Here is the log:

All Processes Killed
[Driver Services - Safe List]
Error: Unable to stop service k!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\k deleted successfully.
C:\WINDOWS\system32\o.sys moved successfully.
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
[Files - No Company Name]
C:\Documents and Settings\Fern\Local Settings\Application Data\2wUN2x572Urj moved successfully.
C:\Documents and Settings\All Users\Application Data\2wUN2x572Urj moved successfully.
C:\Documents and Settings\Fern\Local Settings\Application Data\1LKwMuQ moved successfully.
C:\Documents and Settings\All Users\Application Data\1LKwMuQ moved successfully.
C:\Documents and Settings\Fern\Local Settings\Application Data\t62kNvy moved successfully.
C:\Documents and Settings\All Users\Application Data\t62kNvy moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\t62kNvy moved successfully.
File C:\WINDOWS\System32\o.sys not found!
C:\Documents and Settings\Fern\Local Settings\Application Data\4ML87 moved successfully.
C:\Documents and Settings\All Users\Application Data\3976734565 moved successfully.
C:\Documents and Settings\All Users\Application Data\4ML87 moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\4ML87 moved successfully.
C:\Documents and Settings\Fern\Local Settings\Application Data\o82Ak400MM24 moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\o82Ak400MM24 moved successfully.
C:\Documents and Settings\All Users\Application Data\o82Ak400MM24 moved successfully.
C:\Documents and Settings\All Users\Application Data\327m1K.dat moved successfully.
[File - Lop Check]
C:\Documents and Settings\All Users\Application Data\avG folder moved successfully.
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Fern
->Temp folder emptied: 11884 bytes
->Temporary Internet Files folder emptied: 1525579 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 37287582 bytes
->Flash cache emptied: 434 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 18912 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 13 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 68507 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1842448 bytes

Total Files Cleaned = 39.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: Fern
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.40.1 fix logfile created on 11232010_082047

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


I created the ComboFix script as you suggested and dragged it into ComboFix. ComboFix started and said it needed to be updated so I said yes. Then it ran and I had a [bleep] of a time getting MS Security Essentials to stop interfering with it but I finally think I did. ComboFix ran 50 stages which took the better part of an hour. Now it is attempting to create the log file and that has taken 30 minutes so far. Is this normal?? I'm almost afraid to run an OTS quick scan for you but I will. As soon as I have the ComboFix log and the fresh OTS log I will post them. Let's hope it doesn't take hours for the OTS log. I'm logging way too many hours on this. I could have just wiped the OS / hard drive and re-installed 2 or 3 times by now!! :D
  • 0
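A small triage script, added here as an example and not part of OTS, ComboFix or any post in this thread. It reads the ComboFix "Reg Loading Points" lines from post #16 and the OTS fix log just posted, flags the Security Center override values (a compromised machine often has these set to 1 so Windows stops warning that antivirus or the firewall is off) and the driver service registered under a one-letter name outside the drivers directory, and separates fix actions that succeeded from those that need follow-up. The "short service name" and "outside \drivers\" heuristics are this example's own assumptions for reading such logs, not rules from either tool; the sample lines are excerpted from the logs on this page.

```python
import re
from typing import Dict, List, Tuple

# Lines excerpted from the ComboFix log posted earlier in this thread (post #16).
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

R2 k;k;c:\windows\system32\o.sys [4/15/2010 2:59 PM 4736]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [12/11/2006 2:12 PM 7680]
"""

# Lines excerpted from the OTS fix log posted above (post #23).
OTS_FIX_EXCERPT = r"""
[Driver Services - Safe List]
Error: Unable to stop service k!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\k deleted successfully.
C:\WINDOWS\system32\o.sys moved successfully.
[Files - No Company Name]
C:\Documents and Settings\Fern\Local Settings\Application Data\2wUN2x572Urj moved successfully.
File C:\WINDOWS\System32\o.sys not found!
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                  # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')                       # "Name"=data
DRIVER_RE = re.compile(r"^R(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$")  # Rn name;display;path [info]

# Values under Security Center / firewall policy that, when set to 1, silence the
# OS's own warnings about missing antivirus or firewall protection.
TAMPER_VALUES = {"antivirusoverride", "firewalloverride", "disablemonitoring", "disablenotifications"}


def parse_reg_data(data: str):
    """Turn 'dword:00000001' or '1 (0x1)' into an int; None if not numeric."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None


def triage_combofix(text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for a ComboFix 'Reg Loading Points' excerpt."""
    findings: List[Tuple[str, str]] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.groups()
            key_l = current_key.lower()
            in_scope = "security center" in key_l or "firewallpolicy" in key_l
            if in_scope and name.lower() in TAMPER_VALUES and parse_reg_data(data) == 1:
                findings.append(("security-center-tamper", f"{current_key}\\{name}={data}"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            _start, name, _display, path, _info = m.groups()
            reasons = []
            # Heuristics are this example's own assumptions, not ComboFix rules:
            # legitimate drivers almost always carry a descriptive service name
            # and live under a \drivers\ directory.
            if len(name) <= 2:
                reasons.append("very short service name")
            if "\\drivers\\" not in path.lower():
                reasons.append("driver outside a drivers directory")
            if reasons:
                findings.append(("suspicious-driver", f"{name} -> {path} ({'; '.join(reasons)})"))
    return findings


def audit_ots_fix(text: str) -> Dict[str, List[str]]:
    """Split an OTS fix log into actions that succeeded and those needing follow-up."""
    result: Dict[str, List[str]] = {"succeeded": [], "needs_followup": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):   # skip blanks and [Section] headers
            continue
        if line.startswith("Error:") or line.endswith("not found!"):
            result["needs_followup"].append(line)
        elif line.endswith("successfully."):
            result["succeeded"].append(line)
    return result


if __name__ == "__main__":
    for category, detail in triage_combofix(COMBOFIX_EXCERPT):
        print(f"[{category}] {detail}")
    audit = audit_ots_fix(OTS_FIX_EXCERPT)
    print(f"{len(audit['succeeded'])} actions succeeded, {len(audit['needs_followup'])} need follow-up")
    for line in audit["needs_followup"]:
        print("  follow-up:", line)
```

Read together, the two follow-up lines are consistent rather than alarming: the running kernel driver could not be stopped, but its service key was deleted and o.sys was moved, so the later "not found" for the same path is what you would expect after the move; the CFScript in post #17 then has ComboFix confirm the same two items.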

#24
gwtwins

    Member

  • Topic Starter
  • Member
  • 90 posts
OK..after several hours of frustration I went into Task Manager and manually shut down wuauclt.exe and this time it didn't come back!! As soon as I shut it down and freed up the 99% CPU it was hogging, the ComboFix log popped right up. I then ran an OTS quick scan and that ran fast too! Progress? I sure hope so! Below are the logs from ComboFix and OTS after ComboFix:

ComboFix 10-11-22.05 - Fern 11/23/2010 9:22.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.250 [GMT -5:00]
Running from: c:\documents and settings\Fern\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Fern\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\o.sys"
.

((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.

2010-11-23 13:13 . 2010-11-16 17:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8E9C1B4D-706F-457E-973E-9B31E304FEC3}\mpengine.dll
2010-11-23 13:13 . 2010-10-19 15:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-21 19:46 . 2010-11-21 19:48 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-14 18:31 . 2010-11-14 18:31 -------- d-----w- C:\_OTS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Fern^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Fern\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdminWorks Tray]
2007-01-20 04:10 1441792 ----a-w- c:\acer\LANScope Agent\awtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 18:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2004-08-04 05:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 05:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-09-15 09:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 05:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 05:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-14 06:33 52832 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-01-30 18:54 16116224 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
2007-02-28 13:33 53248 ----a-w- c:\windows\system32\SiSPower.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 18:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\OLRSubmission\\OLRSubmission.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [12/11/2006 2:12 PM 7680]
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-23 10:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,22,7b,61,14,03,90,40,b8,58,92,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,22,7b,61,14,03,90,40,b8,58,92,\

[HKEY_USERS\S-1-5-21-807482871-3152086768-3419283683-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2456)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\jscript.dll
.
Completion time: 2010-11-23 11:13:53
ComboFix-quarantined-files.txt 2010-11-23 16:13
ComboFix2.txt 2010-11-21 19:08
ComboFix3.txt 2010-04-25 00:17

Pre-Run: 66,318,790,656 bytes free
Post-Run: 66,316,267,520 bytes free

- - End Of File - - 27F0D7FDD5F731100ECCEE3A8CC93D24

OTS logfile created on: 11/23/2010 11:15:24 AM - Run 2
OTS by OldTimer - Version 3.1.40.1     Folder = C:\Documents and Settings\Fern\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
447.00 Mb Total Physical Memory | 188.00 Mb Available Physical Memory | 42.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 61.78 Gb Free Space | 82.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 980.72 Mb Total Space | 827.34 Mb Free Space | 84.36% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: ACER-E355056E8B
Current User Name: Fern
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Quick Scan
 
[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Fern\Desktop\OTS.exe -> [2010/11/14 13:08:26 | 000,642,048 | ---- | M] (OldTimer Tools)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
 
[Modules - Safe List]
ots.exe -> C:\Documents and Settings\Fern\Desktop\OTS.exe -> [2010/11/14 13:08:26 | 000,642,048 | ---- | M] (OldTimer Tools)
 
[Win32 Services - Safe List]
(HidServ) Human Interface Device Access [Disabled | Stopped] -> C:\WINDOWS\System32\hidserv.dll -> File not found
(MsMpSvc) Microsoft Antimalware Service [Auto | Stopped] -> c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -> [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation)
(BcmSqlStartupSvc) Business Contact Manager SQL Server Startup Service [On_Demand | Stopped] -> C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -> [2009/02/20 08:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation)
(AWService) AdminWorks Agent X6 [Auto | Stopped] -> C:\Acer\LANScope Agent\awServ.exe -> [2007/01/17 19:31:44 | 000,074,520 | ---- | M] (OSA Technologies Inc., An Avocent Company)
(IDriverT) InstallDriver Table Manager [On_Demand | Stopped] -> C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -> [2005/11/14 04:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation)
 
[Driver Services - Safe List]
(psdvdisk) psdvdisk [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\Drivers\psdvdisk.sys -> File not found
(psdfilter) psdfilter [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\Drivers\psdfilter.sys -> File not found
(catchme) catchme [Kernel | On_Demand | Running] -> C:\DOCUME~1\Fern\LOCALS~1\Temp\catchme.sys -> File not found
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\hdaudbus.sys -> [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(SiSkp) SiSkp [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\srvkp.sys -> [2007/02/28 08:57:20 | 000,017,280 | ---- | M] (Silicon Integrated Systems Corporation)
(SiS315) SiS315 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\sisgrp.sys -> [2007/02/28 08:36:00 | 000,318,464 | ---- | M] (Silicon Integrated Systems Corporation)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\RtkHDAud.sys -> [2007/01/30 13:57:50 | 004,474,368 | ---- | M] (Realtek Semiconductor Corp.)
(OsaFsLoc) OsaFsLoc [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\OsaFsLoc.sys -> [2007/01/03 18:33:24 | 000,019,783 | ---- | M] (OSA Technologies)
(SiSGbeXP) SiS191/SiS190 Ethernet Device NDIS 5.1 Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\SiSGbeXP.sys -> [2006/12/20 07:00:00 | 000,041,600 | ---- | M] (Silicon Integrated Systems Corp.)
(netlock) netlock [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\NetLock.sys -> [2006/12/11 14:12:56 | 000,007,680 | ---- | M] (OSA Technologies, An Avocent Company)
(osanbm) osanbm [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\osanbm.sys -> [2006/11/09 00:13:06 | 000,010,944 | ---- | M] (Windows (R) Server 2003 DDK provider)
(osaio) osaio [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\osaio.sys -> [2006/10/27 22:18:26 | 000,006,784 | ---- | M] (OSA Technologies, An Avocent Company)
(netlimiter) netlimiter [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\NetLimiter.sys -> [2006/10/03 14:03:14 | 000,018,072 | ---- | M] ()
(UBHelper) UBHelper [Kernel | Boot | Running] -> C:\WINDOWS\System32\drivers\UBHelper.sys -> [2006/08/28 05:30:04 | 000,013,952 | ---- | M] ()
(NTIDrvr) Upper Class Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\NTIDrvr.sys -> [2006/01/02 02:03:26 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> about:blank -> 
HKEY_CURRENT_USER\: SearchURL\\"" -> http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com -> 
HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Fern\Application Data\Mozilla\FireFox\Profiles\0pdqitlw.default\prefs.js -> 
browser.startup.homepage -> "about:blank" ->
extensions.enabledItems -> [email protected]:1.0 ->
extensions.enabledItems -> {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2010/09/14 11:22:22 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2010/09/14 11:22:22 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
  -> C:\Documents and Settings\Fern\Application Data\Mozilla\Extensions -> [2010/05/01 15:39:59 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\extensions -> [2010/09/07 17:22:25 | 000,000,000 | ---D | M]
Microsoft .NET Framework Assistant   -> C:\Documents and Settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} -> [2010/06/18 13:27:48 | 000,000,000 | ---D | M]
Adblock Plus   -> C:\Documents and Settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} -> [2010/07/20 18:30:28 | 000,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > -> 
  -> C:\Program Files\Mozilla Firefox\extensions -> [2010/05/01 15:39:20 | 000,000,000 | ---D | M]
< HOSTS File > ([2010/11/14 13:31:53 | 000,000,098 | ---- | M] - 2 lines) -> C:\WINDOWS\system32\drivers\etc\Hosts -> 
Reset Hosts
127.0.0.1       localhost
::1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> [2004/12/14 04:56:50 | 000,063,136 | ---- | M] (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> C:\Program Files\Java\jre6\bin\ssv.dll [SSVHelper Class] -> [2010/04/20 19:48:44 | 000,321,312 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< Fern Startup Folder > -> C:\Documents and Settings\Fern\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_20.dll [Menu: Sun Java Console] -> [2010/04/20 19:48:44 | 000,136,992 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_20.dll [Sun Java Console] -> [2010/04/20 19:48:44 | 000,136,992 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253391220187 [MUWebControl Class] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.0.1 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{042C9ED8-6FA9-47C3-8AA1-39CB29896B2A}\\DhcpNameServer -> 192.168.0.1   (SiS191 Ethernet Controller) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\CyberLink\PowerDVD\OLRSubmission\OLRSubmission.exe" -> C:\Program Files\CyberLink\PowerDVD\OLRSubmission\OLRSubmission.exe [C:\Program Files\CyberLink\PowerDVD\OLRSubmission\OLRSubmission.exe:*:Enabled:OLRSubmission] -> [2006/11/14 01:57:10 | 000,355,936 | ---- | M] ()
"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" -> C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe [C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD] -> [2007/01/08 18:43:10 | 000,529,968 | ---- | M] (CyberLink Corp.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2006/01/02 01:24:40 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = ComFile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
 
[Files/Folders - Created Within 30 Days]
 RECYCLER -> C:\RECYCLER -> [2010/11/23 11:09:15 | 000,000,000 | -HSD | C]
 ComboFix -> C:\ComboFix -> [2010/11/23 09:17:50 | 000,000,000 | ---D | C]
 Microsoft Security Essentials -> C:\Program Files\Microsoft Security Essentials -> [2010/11/21 14:46:54 | 000,000,000 | ---D | C]
 SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2010/11/21 13:52:43 | 000,212,480 | ---- | C] (SteelWerX)
 SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2010/11/21 13:52:43 | 000,161,792 | ---- | C] (SteelWerX)
 SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2010/11/21 13:52:43 | 000,136,704 | ---- | C] (SteelWerX)
 NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2010/11/21 13:52:43 | 000,031,232 | ---- | C] (NirSoft)
 Recent -> C:\Documents and Settings\Fern\Recent -> [2010/11/21 13:37:07 | 000,000,000 | RH-D | C]
 Qoobox -> C:\Qoobox -> [2010/11/14 15:29:03 | 000,000,000 | ---D | C]
 _OTS -> C:\_OTS -> [2010/11/14 13:31:48 | 000,000,000 | ---D | C]
 OTS.exe -> C:\Documents and Settings\Fern\Desktop\OTS.exe -> [2010/11/14 13:08:33 | 000,642,048 | ---- | C] (OldTimer Tools)
 OTL.exe -> C:\Documents and Settings\Fern\Desktop\OTL.exe -> [2010/10/24 12:44:44 | 000,575,488 | ---- | C] (OldTimer Tools)
 
[Files/Folders - Modified Within 30 Days]
 MP Scheduled Scan.job -> C:\WINDOWS\tasks\MP Scheduled Scan.job -> [2010/11/23 11:13:53 | 000,000,408 | -H-- | M] ()
 boot.ini -> C:\boot.ini -> [2010/11/23 09:12:14 | 000,000,281 | RHS- | M] ()
 ComboFix.exe -> C:\Documents and Settings\Fern\Desktop\ComboFix.exe -> [2010/11/23 08:45:14 | 003,914,095 | R--- | M] ()
 wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/11/23 08:35:24 | 000,001,158 | ---- | M] ()
 bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2010/11/23 08:32:44 | 000,002,048 | --S- | M] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2010/11/23 08:32:43 | 469,291,008 | -HS- | M] ()
 Microsoft Security Essentials.lnk -> C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk -> [2010/11/21 14:47:02 | 000,000,874 | ---- | M] ()
 Hosts -> C:\WINDOWS\System32\drivers\etc\Hosts -> [2010/11/14 13:31:53 | 000,000,098 | ---- | M] ()
 OTS.exe -> C:\Documents and Settings\Fern\Desktop\OTS.exe -> [2010/11/14 13:08:26 | 000,642,048 | ---- | M] (OldTimer Tools)
 perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2010/11/14 12:58:00 | 000,492,078 | ---- | M] ()
 perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2010/11/14 12:58:00 | 000,090,098 | ---- | M] ()
 MBR.exe -> C:\WINDOWS\MBR.exe -> [2010/11/08 01:20:24 | 000,089,088 | ---- | M] ()
 OTL.exe -> C:\Documents and Settings\Fern\Desktop\OTL.exe -> [2010/10/24 12:44:50 | 000,575,488 | ---- | M] (OldTimer Tools)
 
[Files - No Company Name]
 hiberfil.sys -> C:\hiberfil.sys -> [2010/11/21 15:10:34 | 469,291,008 | -HS- | C] ()
 MP Scheduled Scan.job -> C:\WINDOWS\tasks\MP Scheduled Scan.job -> [2010/11/21 14:53:20 | 000,000,408 | -H-- | C] ()
 Microsoft Security Essentials.lnk -> C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk -> [2010/11/21 14:47:02 | 000,000,874 | ---- | C] ()
 PEV.exe -> C:\WINDOWS\PEV.exe -> [2010/11/21 13:52:43 | 000,256,512 | ---- | C] ()
 sed.exe -> C:\WINDOWS\sed.exe -> [2010/11/21 13:52:43 | 000,098,816 | ---- | C] ()
 MBR.exe -> C:\WINDOWS\MBR.exe -> [2010/11/21 13:52:43 | 000,089,088 | ---- | C] ()
 grep.exe -> C:\WINDOWS\grep.exe -> [2010/11/21 13:52:43 | 000,080,412 | ---- | C] ()
 zip.exe -> C:\WINDOWS\zip.exe -> [2010/11/21 13:52:43 | 000,068,096 | ---- | C] ()
 ComboFix.exe -> C:\Documents and Settings\Fern\Desktop\ComboFix.exe -> [2010/11/14 13:14:46 | 003,914,095 | R--- | C] ()
 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Fern\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2009/12/25 15:02:09 | 000,005,120 | ---- | C] ()
 commercial.ini -> C:\WINDOWS\commercial.ini -> [2008/08/16 16:20:45 | 000,000,050 | ---- | C] ()
 fusioncache.dat -> C:\Documents and Settings\Fern\Local Settings\Application Data\fusioncache.dat -> [2008/08/16 16:14:47 | 000,000,127 | ---- | C] ()
 ALaunch.ini -> C:\WINDOWS\ALaunch.ini -> [2007/03/07 12:43:12 | 000,000,083 | ---- | C] ()
 NetLimiter.sys -> C:\WINDOWS\System32\drivers\NetLimiter.sys -> [2006/10/03 14:03:14 | 000,018,072 | ---- | C] ()
 UBHelper.sys -> C:\WINDOWS\System32\drivers\UBHelper.sys -> [2006/08/28 05:30:04 | 000,013,952 | ---- | C] ()
 smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2006/01/02 02:28:20 | 000,000,061 | ---- | C] ()
 NTIBUN4.dll -> C:\WINDOWS\System32\NTIBUN4.dll -> [2006/01/02 02:04:26 | 000,001,024 | RH-- | C] ()
 NTIMPEG2.dll -> C:\WINDOWS\System32\NTIMPEG2.dll -> [2006/01/02 02:03:30 | 000,001,024 | RH-- | C] ()
 NTIMP3.dll -> C:\WINDOWS\System32\NTIMP3.dll -> [2006/01/02 02:03:30 | 000,001,024 | RH-- | C] ()
 NTICDMK7.dll -> C:\WINDOWS\System32\NTICDMK7.dll -> [2006/01/02 02:03:30 | 000,001,024 | RH-- | C] ()
 ODBCINST.INI -> C:\WINDOWS\ODBCINST.INI -> [2006/01/02 01:24:20 | 000,004,161 | ---- | C] ()
 OEMINFO.INI -> C:\WINDOWS\System32\OEMINFO.INI -> [2005/10/25 03:25:28 | 000,008,073 | ---- | C] ()
 fxsperf.ini -> C:\WINDOWS\System32\fxsperf.ini -> [2004/08/04 00:00:00 | 000,001,793 | ---- | C] ()
 multiplex_vcd.dll -> C:\WINDOWS\System32\multiplex_vcd.dll -> [2001/12/26 18:12:30 | 000,065,536 | ---- | C] ()
 Hmpg12.dll -> C:\WINDOWS\System32\Hmpg12.dll -> [2001/09/04 01:46:38 | 000,110,592 | ---- | C] ()
 HMPV2_ENC.dll -> C:\WINDOWS\System32\HMPV2_ENC.dll -> [2001/07/30 18:33:56 | 000,118,784 | ---- | C] ()
 HMPV2_ENC_MMX.dll -> C:\WINDOWS\System32\HMPV2_ENC_MMX.dll -> [2001/07/24 00:04:36 | 000,118,784 | ---- | C] ()
 
[File - Lop Check]
 Avocent AdminWorks -> C:\Documents and Settings\All Users\Application Data\Avocent AdminWorks -> [2008/08/16 18:40:19 | 000,000,000 | ---D | M]
 eSobi -> C:\Documents and Settings\All Users\Application Data\eSobi -> [2008/08/18 09:05:48 | 000,000,000 | ---D | M]
 {623D32E9-0C62-4453-AD44-98B31F52A5E1} -> C:\Documents and Settings\All Users\Application Data\{623D32E9-0C62-4453-AD44-98B31F52A5E1} -> [2008/08/16 18:40:28 | 000,000,000 | ---D | M]
 {92E7A367-8E12-4830-AA70-29C32E331A81} -> C:\Documents and Settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81} -> [2009/06/21 15:46:17 | 000,000,000 | -H-D | M]
 Avocent AdminWorks -> C:\Documents and Settings\Fern\Application Data\Avocent AdminWorks -> [2008/08/16 18:39:48 | 000,000,000 | ---D | M]
 eSobi -> C:\Documents and Settings\Fern\Application Data\eSobi -> [2008/08/18 09:06:27 | 000,000,000 | ---D | M]
 OpenOffice.org -> C:\Documents and Settings\Fern\Application Data\OpenOffice.org -> [2009/02/08 15:51:54 | 000,000,000 | ---D | M]
 MP Scheduled Scan.job -> C:\WINDOWS\Tasks\MP Scheduled Scan.job -> [2010/11/23 11:13:53 | 000,000,408 | -H-- | M] ()
 
[File - Purity Scan]
 
< End of report >


#25 gwtwins (Member, Topic Starter, 90 posts)
Just when I thought we might be making progress, I restarted the computer and the wuauclt.exe app is consuming 99% of the CPU again. :D I'm open to your suggestions at this point, but I am leaning towards a re-install of Windows.

#26 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Well, it does not appear to be infected, so it is probably corrupted. If you have anything that needs to be backed up, do that now to cut the amount of time spent trying to determine how many files are corrupted. Then re-install.

We have a tutorial here which should make it as painless as possible. But 'tis your choice; we can continue to investigate or go for the easy option. :D

#27 gwtwins (Member, Topic Starter, 90 posts)
I thank you for your patience and help! Since it's not infected, it must be corrupted. Oh well, at least we tried. I'm going to do a re-install this weekend. I'll let you know how it goes.

#28 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
With the travelling element, this is probably the best option for you.

#29 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :D

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.