Cannot remove .SYS File Identified as Rootkit.Agent

strife · December 30, 2009

Hello,

having trouble removing a single file marked as a Rootkit.Agent by MBAM. The program indicates it will be deleted at reboot but it never is. Tried to manually remove it and a couple other things, but to no avail. Any help would be appreciated. The file is C:\WINDOWS\System32\Drivers\uqznti.SYS...

DDS (Ver_09-12-01.01) - NTFSx86

Run by Matthew W. Norris at 18:49:46.42 on Tue 12/29/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.387 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\GEARSec.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Matthew W. Norris\Desktop\Defogger.exe

C:\Documents and Settings\Matthew W. Norris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: turbotax.com

Trusted Zone: musicmatch.com\online

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 198.40.27.51 AICAS400

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matthe~1.nor\applic~1\mozilla\firefox\profiles\a877o3rc.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Food Network - Recipes

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\java\jre6\bin\npdeploytk.dll

FF - plugin: c:\program files\java\jre6\bin\npjava11.dll

FF - plugin: c:\program files\java\jre6\bin\npjava12.dll

FF - plugin: c:\program files\java\jre6\bin\npjava13.dll

FF - plugin: c:\program files\java\jre6\bin\npjava14.dll

FF - plugin: c:\program files\java\jre6\bin\npjava32.dll

FF - plugin: c:\program files\java\jre6\bin\npjpi160_05.dll

FF - plugin: c:\program files\java\jre6\bin\npoji610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows

presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {498F39FC-173C-404F-A43E-939B20310033} - c:\documents and settings\matthew w. norris\local settings\application

data\{498F39FC-173C-404F-A43E-939B20310033}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-18 565248]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-5-10 822424]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-3 29744]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-12-30 00:49:09 0 ----a-w- c:\documents and settings\matthew w. norris\defogger_reenable

2009-12-29 01:57:59 0 d-----w- c:\docume~1\matthe~1.nor\applic~1\Malwarebytes

2009-12-28 23:41:22 120 ----a-w- c:\windows\Msunafabi.dat

2009-12-28 23:41:22 0 ----a-w- c:\windows\Wzuyuruyaxu.bin

2009-12-28 03:55:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-28 03:55:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-28 03:55:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-28 03:55:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-28 03:40:09 0 d-----w- c:\windows\pss

2009-12-28 03:03:35 714752 ----a-w- c:\windows\system32\drivers\uqznti.sys

2009-12-28 03:02:58 0 --sha-w- c:\windows\nvDrv.sy

==================== Find3M ====================

2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe

2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll

2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll

2006-06-10 01:04:17 56 --sh--r- c:\windows\system32\0E270CBDFB.sys

2008-05-10 21:54:39 88 --sh--r- c:\windows\system32\FBBD0C270E.sys

2008-05-10 21:54:41 4392 --sha-w- c:\windows\system32\KGyGaAvL.sys

2008-09-18 02:58:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local

settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 18:50:19.21 ===============

SpySentinel · December 30, 2009

Hi strife, Welcome to Malwarebytes

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

strife · December 30, 2009

Thanks for the reply, I tried to run combo fix, but it hung when saving my output. It did identify the file in question as a rootkit.agent started at boot. Can we continue on without it or do I need to give it another try?

SpySentinel · December 30, 2009

Please navigate to C:\ComboFix and see if it created a log file. If so please post it here.

strife · December 31, 2009

No luck on the log. I tried the new edition of Combo-Fix as you suggest but I twice received the blue screen of death. Any idea on how to prevent this file from loading at startup so I can delete it?

SpySentinel · January 1, 2010

Download OTL to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste this in

netsvcs

%SYSTEMDRIVE%\*.exe

/md5start

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

sceclt.dll

ntelogon.dll

logevent.dll

iaStor.sys

nvstor.sys

atapi.sys

IdeChnDr.sys

viasraid.sys

AGP440.sys

vaxscsi.sys

nvatabus.sys

viamraid.sys

nvata.sys

nvgts.sys

iastorv.sys

ViPrt.sys

eNetHook.dll

ahcix86.sys

KR10N.sys

nvstor32.sys

ahcix86s.sys

nvrd32.sys

/md5stop

%systemroot%\*. /mp /s

CREATERESTOREPOINT

%systemroot%\system32\*.dll /lockedfiles

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

strife · January 1, 2010

OTL

OTL logfile created on: 12/31/2009 8:43:52 PM - Run 1

OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Matthew W. Norris\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 403.00 Mb Available Physical Memory | 39.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 171.44 Gb Total Space | 121.28 Gb Free Space | 70.74% Space Free | Partition Type: NTFS

Drive D: | 57.95 Gb Total Space | 0.26 Gb Free Space | 0.45% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DIMENSION5150

Current User Name: Matthew W. Norris

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/31 20:42:27 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Matthew W. Norris\Desktop\OTL.exe

PRC - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2009/05/21 09:55:32 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe

PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe

PRC - [2008/08/13 17:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe

PRC - [2008/06/19 17:08:44 | 01,528,608 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

PRC - [2008/05/26 22:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe

PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/02/02 13:52:42 | 00,147,456 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe

PRC - [2007/09/05 08:53:48 | 00,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

PRC - [2007/06/18 14:51:50 | 00,565,248 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe

PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe

PRC - [2006/05/10 07:32:34 | 00,822,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

PRC - [2005/09/30 18:22:50 | 00,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe

PRC - [2005/08/16 19:21:54 | 02,061,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe

PRC - [2005/08/16 19:05:38 | 00,053,248 | ---- | M] (GEAR Software) -- C:\WINDOWS\system32\gearsec.exe

PRC - [2005/08/04 03:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe

PRC - [2005/06/17 06:55:58 | 00,086,140 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

PRC - [2004/12/13 14:30:10 | 00,165,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

PRC - [2004/12/13 14:30:04 | 00,198,256 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

PRC - [1999/12/13 00:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE

========== Modules (SafeList) ==========

MOD - [2009/12/31 20:42:27 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Matthew W. Norris\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2009/05/29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) [Disabled | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Disabled | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)

SRV - [2008/09/03 13:16:52 | 00,029,744 | ---- | M] (Google) [Disabled | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-061008-081103)

SRV - [2008/08/13 17:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) [Disabled | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)

SRV - [2008/06/19 17:08:44 | 01,528,608 | ---- | M] (Cisco Systems, Inc.) [Disabled | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)

SRV - [2008/02/02 13:52:42 | 00,147,456 | ---- | M] (Sun Microsystems, Inc.) [Disabled | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2007/09/05 08:53:48 | 00,020,480 | ---- | M] (Intuit) [Disabled | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)

SRV - [2007/06/18 14:51:50 | 00,565,248 | ---- | M] (Lavasoft AB) [Disabled | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)

SRV - [2007/05/24 06:08:44 | 00,061,440 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)

SRV - [2007/03/07 14:47:46 | 00,076,848 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)

SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Disabled | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

SRV - [2006/05/10 07:32:34 | 00,822,424 | ---- | M] (Symantec Corporation) [Disabled | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)

SRV - [2006/05/08 03:24:54 | 00,069,632 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)

SRV - [2006/04/27 16:35:16 | 00,053,337 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)

SRV - [2006/04/27 16:27:06 | 00,049,241 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)

SRV - [2006/04/27 16:16:28 | 00,069,718 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)

SRV - [2005/09/30 18:22:50 | 00,096,341 | ---- | M] (Canon Inc.) [Disabled | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)

SRV - [2005/08/16 19:21:54 | 02,061,928 | ---- | M] (Symantec Corporation) [Disabled | Running] -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe -- (Norton Ghost)

SRV - [2005/08/16 19:05:38 | 00,053,248 | ---- | M] (GEAR Software) [Disabled | Running] -- C:\WINDOWS\system32\gearsec.exe -- (GEARSecurity)

SRV - [2005/08/04 03:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.) [Disabled | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)

SRV - [2005/06/17 06:55:58 | 00,086,140 | ---- | M] (Intel Corporation) [Disabled | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel®

SRV - [2004/12/13 14:30:10 | 00,165,488 | ---- | M] (Symantec Corporation) [Disabled | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)

SRV - [2004/12/13 14:30:08 | 00,079,472 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)

SRV - [2004/12/13 14:30:04 | 00,198,256 | ---- | M] (Symantec Corporation) [Disabled | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)

SRV - [2004/11/19 10:26:40 | 00,147,456 | ---- | M] (Intel® Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc)

SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)

SRV - [2002/02/04 04:20:00 | 00,053,296 | ---- | M] (IBM Corporation) [Disabled | Stopped] -- C:\WINDOWS\cwbrxd.exe -- (Cwbrxd)

SRV - [1999/12/13 00:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) [Disabled | Running] -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"

FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="

FF - prefs.js..browser.search.selectedEngine: "Food Network - Recipes"

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {498F39FC-173C-404F-A43E-939B20310033}:1.9.1

FF - HKLM\software\mozilla\Firefox\extensions\\{5AB8CE88-5E23-4069-8315-43CDC8300634}: C:\Documents and Settings\Deb\Local Settings\Application Data\{5AB8CE88-5E23-4069-8315-43CDC8300634} [2009/12/27 21:43:43 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\{498F39FC-173C-404F-A43E-939B20310033}: C:\Documents and Settings\Matthew W. Norris\Local Settings\Application Data\{498F39FC-173C-404F-A43E-939B20310033} [2009/12/27 21:12:07 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/24 07:28:37 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/24 07:28:37 | 00,000,000 | ---D | M]

[2008/09/07 17:27:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matthew W. Norris\Application Data\Mozilla\Extensions

[2009/12/29 21:51:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matthew W. Norris\Application Data\Mozilla\Firefox\Profiles\a877o3rc.default\extensions

[2009/12/29 18:41:18 | 00,005,500 | ---- | M] () -- C:\Documents and Settings\Matthew W. Norris\Application Data\Mozilla\Firefox\Profiles\a877o3rc.default\searchplugins\foodtv.xml

[2009/12/29 21:51:39 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2007/12/19 06:57:38 | 00,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

[2008/08/27 16:44:38 | 00,376,832 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll

[2009/04/01 19:36:36 | 00,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

[2008/09/03 13:16:52 | 00,000,686 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\GoogleDesktopMozilla.png

[2008/09/03 13:16:52 | 00,000,531 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\GoogleDesktopMozilla.src

O1 HOSTS File: (757 bytes) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 198.40.27.51 AICAS400

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)

O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_05.dll (Sun Microsystems, Inc.)

O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)

O15 - HKLM\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134

O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/08/10 12:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/10 11:52:56 | 00,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16892003295952896)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/31 20:42:24 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Matthew W. Norris\Desktop\OTL.exe

[2009/12/31 20:17:38 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/12/31 19:57:16 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender

[2009/12/31 19:55:14 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Matthew W. Norris\PrivacIE

[2009/12/31 19:51:11 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Matthew W. Norris\IETldCache

[2009/12/31 17:41:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2009/12/31 17:40:21 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2009/12/31 17:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2009/12/31 17:39:16 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2009/12/31 17:37:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matthew W. Norris\Application Data\Windows Desktop Search

[2009/12/31 17:37:13 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search

[2009/12/31 17:37:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy

[2009/12/31 17:03:34 | 00,000,000 | RHSD | C] -- C:\cmdcons

[2009/12/31 17:02:50 | 00,000,000 | --SD | C] -- C:\Combo-Fix

[2009/12/31 16:29:26 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2009/12/31 16:29:26 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2009/12/31 16:29:26 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2009/12/31 16:29:26 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2009/12/31 16:29:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2009/12/31 16:28:54 | 00,000,000 | ---D | C] -- C:\Qoobox

[2009/12/28 19:57:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matthew W. Norris\Application Data\Malwarebytes

[2009/12/27 21:55:46 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/12/27 21:55:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2009/12/27 21:55:44 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009/12/27 21:55:44 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009/12/27 21:40:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss

[2009/12/27 21:12:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matthew W. Norris\Local Settings\Application Data\{498F39FC-173C-404F-A43E-939B20310033}

[2009/12/15 19:02:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft

[2009/12/07 22:21:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2008/09/17 20:58:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2007/11/10 00:24:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit

[2007/07/28 09:23:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple

[2006/05/13 14:03:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall

[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/31 20:44:58 | 00,714,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\uqznti.sys

[2009/12/31 20:42:58 | 00,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\lerscg.sys

[2009/12/31 20:42:27 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Matthew W. Norris\Desktop\OTL.exe

[2009/12/31 20:11:57 | 00,001,127 | ---- | M] () -- C:\WINDOWS\win.ini

[2009/12/31 20:11:57 | 00,000,327 | ---- | M] () -- C:\WINDOWS\system.ini

[2009/12/31 20:11:57 | 00,000,211 | RHS- | M] () -- C:\boot.ini

[2009/12/31 20:00:19 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2009/12/31 19:56:49 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2009/12/31 17:49:48 | 00,557,242 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2009/12/31 17:49:48 | 00,466,414 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2009/12/31 17:49:48 | 00,079,630 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2009/12/31 17:45:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009/12/31 17:45:41 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2009/12/31 17:45:38 | 10,717,88032 | -HS- | M] () -- C:\hiberfil.sys

[2009/12/31 17:44:23 | 04,456,448 | -H-- | M] () -- C:\Documents and Settings\Matthew W. Norris\NTUSER.DAT

[2009/12/31 17:44:23 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Matthew W. Norris\ntuser.ini

[2009/12/31 17:41:44 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2009/12/31 17:20:50 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\hpprintdrv.sys

[2009/12/31 16:27:36 | 03,879,622 | R--- | M] () -- C:\Documents and Settings\Matthew W. Norris\Desktop\Combo-Fix.exe

[2009/12/29 21:51:19 | 00,000,211 | ---- | M] () -- C:\Boot.bak

[2009/12/29 19:14:47 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Matthew W. Norris\Desktop\xrm1ewe4.exe

[2009/12/29 18:49:31 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Matthew W. Norris\Desktop\dds.scr

[2009/12/29 18:48:42 | 00,050,621 | ---- | M] () -- C:\Documents and Settings\Matthew W. Norris\Desktop\Defogger.exe

[2009/12/29 17:25:23 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Wzuyuruyaxu.bin

[2009/12/29 17:25:22 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Msunafabi.dat

[2009/12/27 21:55:49 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/12/27 21:10:33 | 00,000,000 | -HS- | M] () -- C:\WINDOWS\nvDrv.sy

[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/31 20:42:58 | 00,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\lerscg.sys

[2009/12/31 20:00:19 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2009/12/31 17:20:50 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\hpprintdrv.sys

[2009/12/31 17:03:39 | 00,000,211 | ---- | C] () -- C:\Boot.bak

[2009/12/31 17:03:36 | 00,260,272 | ---- | C] () -- C:\cmldr

[2009/12/31 16:29:26 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2009/12/31 16:29:26 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2009/12/31 16:29:26 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2009/12/31 16:29:26 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2009/12/31 16:29:26 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2009/12/31 16:27:35 | 03,879,622 | R--- | C] () -- C:\Documents and Settings\Matthew W. Norris\Desktop\Combo-Fix.exe

[2009/12/29 19:14:47 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Matthew W. Norris\Desktop\xrm1ewe4.exe

[2009/12/29 18:49:31 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Matthew W. Norris\Desktop\dds.scr

[2009/12/29 18:48:42 | 00,050,621 | ---- | C] () -- C:\Documents and Settings\Matthew W. Norris\Desktop\Defogger.exe

[2009/12/29 18:27:39 | 10,717,88032 | -HS- | C] () -- C:\hiberfil.sys

[2009/12/28 17:41:22 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Msunafabi.dat

[2009/12/28 17:41:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Wzuyuruyaxu.bin

[2009/12/27 21:55:49 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/12/27 21:03:35 | 00,714,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\uqznti.sys

[2009/12/27 21:02:58 | 00,000,000 | -HS- | C] () -- C:\WINDOWS\nvDrv.sy

[2009/12/07 22:23:02 | 00,006,144 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/09/14 19:22:56 | 00,125,632 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2008/09/14 09:31:33 | 00,000,251 | ---- | C] () -- C:\WINDOWS\System32\drivers\hlldrvr.sys

[2008/09/14 09:30:25 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\qxdaedrs.dll

[2008/09/14 09:30:23 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\cwbrw.dll

[2008/09/14 09:30:23 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\cwbsv.dll

[2008/09/14 09:30:23 | 00,020,528 | ---- | C] () -- C:\WINDOWS\System32\cwbwiz.dll

[2008/09/14 09:30:23 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbsy.dll

[2008/09/14 09:30:23 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbnl.dll

[2008/09/14 09:30:23 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbco.dll

[2008/09/14 09:30:23 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbnldlg.dll

[2008/09/14 09:30:23 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbad.dll

[2008/06/19 17:08:52 | 00,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll

[2008/06/19 17:08:44 | 00,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll

[2008/05/11 16:38:23 | 00,000,419 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI

[2008/04/28 11:37:03 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll

[2008/03/29 07:31:26 | 00,003,072 | ---- | C] () -- C:\Documents and Settings\Matthew W. Norris\Application Data\dvd.bmk

[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2007/07/24 22:09:26 | 00,078,848 | ---- | C] () -- C:\Documents and Settings\Matthew W. Norris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/07/01 11:50:16 | 00,064,976 | ---- | C] () -- C:\WINDOWS\System32\PDFreDirectMonNT.dll

[2006/07/25 16:21:50 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\FBBD0C270E.sys

[2006/07/12 16:32:57 | 00,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll

[2006/07/02 11:59:42 | 00,001,367 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2006/06/14 16:04:56 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL

[2006/06/14 16:04:56 | 00,000,175 | ---- | C] () -- C:\WINDOWS\KPCMS.INI

[2006/06/14 15:48:17 | 00,000,488 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2006/06/14 15:48:17 | 00,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini

[2006/05/22 13:02:54 | 00,061,678 | ---- | C] () -- C:\Documents and Settings\Matthew W. Norris\Application Data\PFP120JPR.{PB

[2006/05/22 13:02:54 | 00,012,358 | ---- | C] () -- C:\Documents and Settings\Matthew W. Norris\Application Data\PFP120JCM.{PB

[2006/05/21 11:23:51 | 00,004,392 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys

[2006/05/21 11:23:51 | 00,000,056 | RHS- | C] () -- C:\WINDOWS\System32\0E270CBDFB.sys

[2006/05/14 11:33:43 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\PdRegSrv.dll

[2006/05/14 11:33:43 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\PdeSrvps.dll

[2006/05/13 14:09:28 | 00,000,140 | ---- | C] () -- C:\Documents and Settings\Matthew W. Norris\Local Settings\Application Data\fusioncache.dat

[2006/05/10 07:39:36 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2006/05/10 07:37:04 | 00,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2006/05/10 07:32:43 | 00,712,704 | ---- | C] () -- C:\WINDOWS\System32\DellSystemRestore.dll

[2006/05/10 07:08:24 | 00,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2005/11/10 07:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2004/08/10 12:12:05 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/08/10 12:01:18 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[1999/01/22 12:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2007/11/24 14:37:08 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ

[2007/11/03 13:50:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES

[2008/05/11 16:38:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft

[2008/05/30 16:52:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft

[2006/05/10 07:28:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2009/03/13 20:22:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

[2009/09/14 17:58:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/04/24 17:55:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

[2008/07/11 17:43:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matthew W. Norris\Application Data\Canon

[2008/12/07 18:32:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matthew W. Norris\Application Data\Helios

[2006/06/17 14:15:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matthew W. Norris\Application Data\Leadertech

[2006/05/17 21:05:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matthew W. Norris\Application Data\My Battle for Middle-earth II Files

[2008/02/18 08:09:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matthew W. Norris\Application Data\PDF reDirect

[2008/01/05 13:42:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matthew W. Norris\Application Data\Ruckus Network

[2009/12/31 17:37:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matthew W. Norris\Application Data\Windows Desktop Search

[2009/12/31 20:00:19 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >

[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

[2004/08/03 22:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS

[2004/08/03 22:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >

[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys

[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >

[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2004/08/04 04:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll

[2004/08/04 04:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >

[2005/06/17 11:33:40 | 00,872,064 | ---- | M] (Intel Corporation) MD5=9A65E42664D1534B68512CAAD0EFE963 -- C:\drivers\storage\sata\onboard\iastor.sys

[2005/06/17 11:33:40 | 00,872,064 | ---- | M] (Intel Corporation) MD5=9A65E42664D1534B68512CAAD0EFE963 -- C:\i386\iaStor.sys

[2005/06/17 11:33:40 | 00,872,064 | ---- | M] (Intel Corporation) MD5=9A65E42664D1534B68512CAAD0EFE963 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >

[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2004/08/04 04:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll

[2004/08/04 04:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >

[2004/08/04 04:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll

[2004/08/04 04:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< End of report >

-------------------------------

Extras

OTL Extras logfile created on: 12/31/2009 8:43:52 PM - Run 1

OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Matthew W. Norris\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 403.00 Mb Available Physical Memory | 39.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 171.44 Gb Total Space | 121.28 Gb Free Space | 70.74% Space Free | Partition Type: NTFS

Drive D: | 57.95 Gb Total Space | 0.26 Gb Free Space | 0.45% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DIMENSION5150

Current User Name: Matthew W. Norris

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.)

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)

"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)

"C:\Program Files\Electronic Arts\The Battle for Middle Earth II\game.dat" = C:\Program Files\Electronic Arts\The Battle for Middle Earth II\game.dat:*:Enabled:The Battle for Middle-earth II -- (Electronic Arts Inc.)

"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)

"C:\Program Files\QuickTime\QuickTimePlayer.exe" = C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player -- (Apple Inc.)

"C:\Program Files\Ruckus Player\Ruckus.exe" = C:\Program Files\Ruckus Player\Ruckus.exe:*:Enabled:Ruckus -- ( )

"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)

"C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)

"C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)

"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)

"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)

"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE

"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement

"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP600" = Canon MP600

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA

"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in

"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE

"{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3}" = OpenMG AAC Add-on Module 1.0.00

"{26A24AE4-039D-4CA4-87B4-2F84A32160FF}" = Java 6 Family

"{29D851C2-048C-4B5E-8D1F-25D473342BB5}" = ScanSoft OmniPage SE 4.0

"{2A9F95AB-65A3-432c-8631-B8BC5BF7477A}" = The Battle for Middle-earth II

"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{32F720F5-2D0D-4245-A2B0-9EB3CECF8101}" = Norton Ghost 10.0

"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3633BA28-67CE-4AC8-A677-3406CA84C3D8}" = OpenMG Secure Module 4.5.01

"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer

"{46AC899A-9ECB-43DC-85DE-272E0D116A1E}" = Ad-Aware 2007

"{56DF5C9E-6392-46D3-B366-297B14E1DAAF}" = Bonjour Core for Windows

"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool

"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service

"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit

"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer

"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore

"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English

"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport

"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections

"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5

"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch

SpySentinel · January 1, 2010

Run OTL.exe

Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
C:\WINDOWS\System32\drivers\uqznti.sys
C:\WINDOWS\System32\drivers\lerscg.sys
C:\WINDOWS\Wzuyuruyaxu.bin
C:\WINDOWS\Msunafabi.dat
C:\WINDOWS\nvDrv.sy
C:\WINDOWS\System32\drivers\lerscg.sys
C:\Documents and Settings\Matthew W. Norris\Desktop\xrm1ewe4.exe
C:\WINDOWS\System32\FBBD0C270E.sys
C:\WINDOWS\System32\0E270CBDFB.sys
C:\Documents and Settings\All Users\Application Data\Viewpoint

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Java

strife · January 1, 2010

First off, thanks for all the help, it is really appreciated. Unfortunately, this uqznti.sys file is quite intractable. I'm gonna' post the log below. Do you think deleting this single file from the Recovery Console would work? Have any other idea. Again, thanks for all your help!

--------------

All processes killed

========== FILES ==========

File move failed. C:\WINDOWS\System32\drivers\uqznti.sys scheduled to be moved on reboot.

File\Folder C:\WINDOWS\System32\drivers\lerscg.sys not found.

C:\WINDOWS\Wzuyuruyaxu.bin moved successfully.

C:\WINDOWS\Msunafabi.dat moved successfully.

C:\WINDOWS\nvDrv.sy moved successfully.

File\Folder C:\WINDOWS\System32\drivers\lerscg.sys not found.

C:\Documents and Settings\Matthew W. Norris\Desktop\xrm1ewe4.exe moved successfully.

C:\WINDOWS\System32\FBBD0C270E.sys moved successfully.

C:\WINDOWS\System32\0E270CBDFB.sys moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9 folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome\BH00 folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.

C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 311296 bytes

->Temporary Internet Files folder emptied: 38632 bytes

User: All Users

User: Deb

->Temp folder emptied: 510989691 bytes

->Temporary Internet Files folder emptied: 252123619 bytes

->Java cache emptied: 930101 bytes

->FireFox cache emptied: 48433318 bytes

->Apple Safari cache emptied: 1112145 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 316510 bytes

User: Matthew W. Norris

->Temp folder emptied: 831371951 bytes

->Temporary Internet Files folder emptied: 75409808 bytes

->Java cache emptied: 2534256 bytes

->FireFox cache emptied: 48064930 bytes

User: NetworkService

->Temp folder emptied: 970 bytes

->Temporary Internet Files folder emptied: 158008458 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 1162769 bytes

Windows Temp folder emptied: 59457935 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23944858 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 238082 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,921.00 mb

OTL by OldTimer - Version 3.1.20.1 log created on 01012010_125222

Files\Folders moved on Reboot...

File move failed. C:\WINDOWS\System32\drivers\uqznti.sys scheduled to be moved on reboot.

Registry entries deleted on Reboot...

SpySentinel · January 1, 2010

You're welcome. No lets see if we can find that file first.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Launch Malwarebytes' Anti-Malware

If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
2. Click on to download the ESET Smart Installer. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push
  
  You can refer to this animation by neomage if needed.

strife · January 2, 2010

Think I'm really in trouble now. I ran GMER as suggested, it took all night and my machine was quite sluggish responding during. I saved the log anf then tried to log off, and my machine hung. Now I cannot get it to start. I attempted to start in safe mode and I can see it is halting at the driver load right around where the root kit would load. My stupid hard drive isn't recognized by the recovery console disks and I don't have a floppy drive to load the drivers. I've probably pushed the limits of my ability to get help on a forum now. Thanks again for spending time helping, I am very appreciative.

Matt

SpySentinel · January 3, 2010

Hi Matt,

You are not able to load into windows normally or in Safe mode?

strife · January 3, 2010

That is correct. I get past the bios load, I'm presented with the boot menu but the computer halts while loading drivers. Looks like the HD driver is the last one loaded.

M

SpySentinel · January 5, 2010

Are you able to do a reinstall of Windows?

SpySentinel · January 17, 2010

Due to lack of feedback this topic has been closed.

If you need this topic reopened, please contact a staff member.

Everyone else please start a new topic.

Cannot remove .SYS File Identified as Rootkit.Agent

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information