
WHITE SMOKE VIRUS



Hello, my name is Matt

Okay, so I clicked a link last night and got this "White Smoke" translator that automatically downloaded onto my computer. I also noticed that after about 10 minutes of my computer running it says Win32 something failed. Bing was made my homepage and now occupies itself in a side search bar on Firefox. My internet has been crapping out after about 10 minutes of initial login to the computer. I ran Malwarebytes and got about 500 infections. It could remove all but one: Trojan.Bubnix. I'm at my wits' end on this, guys; I need some serious help. I also noticed when I restarted because the sound stopped working, my CD drive sounded like it was spinning loudly.

PLEEEEASE HELP.

Also, I've tried to download ComboFix and it won't run if AVG is installed. AVG will not uninstall; it has some sort of error when I try.


Hello MatthewComan

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


OTL logfile created on: 1/19/2011 10:16:06 AM - Run 1

OTL by OldTimer - Version 3.2.20.2 Folder = D:\Documents and Settings\Matt & Katie\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 67.00% Paging File free

Paging file location(s): D:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files

Drive C: | 8.56 Gb Total Space | 0.31 Gb Free Space | 3.57% Space Free | Partition Type: FAT32

Drive D: | 140.48 Gb Total Space | 1.84 Gb Free Space | 1.31% Space Free | Partition Type: NTFS

Computer Name: MATTCHEW | User Name: Matt & Katie | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - D:\Documents and Settings\Matt & Katie\Desktop\OTL.exe (OldTimer Tools)

PRC - D:\Program Files\Mozilla Firefox\plugin-container.exe (Mozilla Corporation)

PRC - D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

PRC - D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

PRC - D:\Program Files\Windows NT\Accessories\wordpad.exe (Microsoft Corporation)

PRC - D:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)

PRC - D:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)

PRC - D:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe (Adobe Systems Incorporated)

PRC - D:\WINDOWS\system32\msfeedssync.exe (Microsoft Corporation)

PRC - D:\Program Files\iTunes\iTunes.exe (Apple Inc.)

PRC - D:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

PRC - D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)

PRC - D:\Program Files\Belkin\F5D9050\Belkinwcui.exe (Belkin)

========== Modules (SafeList) ==========

MOD - D:\Documents and Settings\Matt & Katie\Desktop\OTL.exe (OldTimer Tools)

MOD - D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

MOD - D:\WINDOWS\system32\wbsys.dll (Stardock.Net, Inc)

========== Win32 Services (SafeList) ==========

SRV - (wuauserv) -- File not found

SRV - (HidServ) -- File not found

========== Driver Services (SafeList) ==========

DRV - (catchme) -- File not found

DRV - (MBAMSwissArmy) -- D:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- D:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (SCDEmu) -- D:\WINDOWS\System32\drivers\scdemu.sys (PowerISO Computing, Inc.)

DRV - (nv) -- D:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (nvgts) -- D:\WINDOWS\system32\DRIVERS\nvgts.sys (NVIDIA Corporation)

DRV - (usbaudio) USB Audio Driver (WDM) -- D:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)

DRV - (HDAudBus) -- D:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (RT73) -- D:\WINDOWS\system32\drivers\rt73.sys (Ralink Technology, Corp.)

DRV - (nvata) -- D:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)

DRV - (StreamSurge) StreamSurge Driver (miniport) -- D:\WINDOWS\system32\drivers\ss.sys (WikiTek Inc.)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.entru.com/?s=21982

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://search.entru.com/?s=21982

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}:6.0.19

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - prefs.js..extensions.enabledItems: searchtoolbar@zugo.com:1.2

FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.76

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313

FF - prefs.js..extensions.enabledItems: plugin@yontoo.com:1.10.01

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.13

FF - prefs.js..extensions.enabledItems: {c1dffba0-628e-11d9-9669-0800200c9a66}:3.6.3

FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=ZUGO&form=ZGAADF&q="

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: d:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 02:00:31 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: D:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/11 21:08:38 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2011/01/18 14:35:16 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2011/01/18 14:35:16 | 000,000,000 | ---D | M]

[2009/09/18 08:54:26 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Extensions

[2008/12/08 20:10:16 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2009/09/18 08:54:26 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Extensions\mozswing@mozswing.org

[2011/01/18 14:37:13 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Firefox\Profiles\sraz4s3o.default\extensions

[2009/09/03 06:32:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Firefox\Profiles\sraz4s3o.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011/01/18 14:37:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Firefox\Profiles\sraz4s3o.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2011/01/18 14:37:12 | 000,000,000 | ---D | M] ("StumbleUpon") -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Firefox\Profiles\sraz4s3o.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

[2011/01/18 14:37:12 | 000,000,000 | ---D | M] (PitchDark) -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Firefox\Profiles\sraz4s3o.default\extensions\{c1dffba0-628e-11d9-9669-0800200c9a66}

[2011/01/17 08:48:08 | 000,000,000 | ---D | M] (Yontoo Layers) -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Firefox\Profiles\sraz4s3o.default\extensions\plugin@yontoo.com

[2011/01/17 08:48:24 | 000,000,000 | ---D | M] (Search Toolbar) -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Firefox\Profiles\sraz4s3o.default\extensions\searchtoolbar@zugo.com

[2011/01/17 08:48:25 | 000,001,919 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Application Data\Mozilla\Firefox\Profiles\sraz4s3o.default\searchplugins\bing-zugo.xml

[2011/01/18 14:25:08 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files\Mozilla Firefox\extensions

[2011/01/18 14:35:00 | 000,000,000 | ---D | M] (Default) -- D:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009/01/11 21:08:53 | 000,000,000 | ---D | M] (Java Console) -- D:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

[2009/04/29 15:38:34 | 000,000,000 | ---D | M] (Java Console) -- D:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

[2009/08/10 15:32:58 | 000,000,000 | ---D | M] (Java Console) -- D:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

[2010/04/07 15:58:15 | 000,000,000 | ---D | M] (Java Console) -- D:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

[2010/07/09 17:35:09 | 000,000,000 | ---D | M] (Java Console) -- D:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/04/21 23:20:17 | 000,000,000 | ---D | M] (Move Media Player) -- D:\DOCUMENTS AND SETTINGS\MATT & KATIE\APPLICATION DATA\MOVE NETWORKS

[2009/01/11 21:08:38 | 000,000,000 | ---D | M] (Java Quick Starter) -- D:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2011/01/18 14:34:58 | 000,025,048 | ---- | M] (Mozilla Foundation) -- D:\Program Files\Mozilla Firefox\components\browserdirprovider.dll

[2011/01/18 14:34:58 | 000,140,248 | ---- | M] (Mozilla Foundation) -- D:\Program Files\Mozilla Firefox\components\brwsrcmp.dll

[2008/09/03 18:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

[2010/04/12 16:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2009/11/13 18:47:38 | 000,098,304 | ---- | M] (DivX, Inc) -- D:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll

[2008/06/27 18:03:12 | 001,446,440 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll

[2011/01/18 14:35:01 | 000,066,520 | ---- | M] (mozilla.org) -- D:\Program Files\Mozilla Firefox\plugins\npnul32.dll

[2006/10/26 20:12:16 | 000,016,192 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL

[2008/06/11 22:45:28 | 000,103,792 | ---- | M] (Adobe Systems Inc.) -- D:\Program Files\Mozilla Firefox\plugins\nppdf32.dll

[2009/02/17 13:44:17 | 000,143,360 | ---- | M] (Apple Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

[2009/02/17 13:44:17 | 000,143,360 | ---- | M] (Apple Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

[2009/02/17 13:44:17 | 000,143,360 | ---- | M] (Apple Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

[2009/02/17 13:44:17 | 000,143,360 | ---- | M] (Apple Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

[2009/02/17 13:44:17 | 000,143,360 | ---- | M] (Apple Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

[2009/02/17 13:44:17 | 000,143,360 | ---- | M] (Apple Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

[2009/02/17 13:44:17 | 000,143,360 | ---- | M] (Apple Inc.) -- D:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

[2011/01/18 14:35:08 | 000,001,394 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml

[2011/01/18 14:35:09 | 000,002,193 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\answers.xml

[2011/01/17 10:49:03 | 000,001,919 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml

[2011/01/18 14:35:09 | 000,001,534 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml

[2011/01/18 14:35:09 | 000,002,344 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\eBay.xml

[2011/01/18 14:35:09 | 000,002,371 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\google.xml

[2011/01/18 14:35:09 | 000,001,178 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

[2011/01/18 14:35:09 | 000,001,096 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2011/01/17 17:28:20 | 000,000,027 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - File not found

O2 - BHO: (SBCONVERT Class) - {A1056498-D09A-41E4-864B-505EDD640D9E} - D:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll ()

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - D:\Program Files\Yontoo Layers Client\YontooIEClient.dll (Yontoo Technology, Inc.)

O2 - BHO: (DAPIELoader Class) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\DAP\dapieloader.dll (SpeedBit Ltd.)

O2 - BHO: (GrabberObj Class) - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\SpeedBit Video Downloader\Toolbar\Grabber.dll (Speedbit Ltd.)

O3 - HKLM\..\Toolbar: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - D:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll ()

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - D:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - D:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll ()

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)

O4 - HKLM..\Run: [F5D9050] D:\Program Files\Belkin\F5D9050\Belkinwcui.exe (Belkin)

O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)

O4 - HKLM..\Run: [NvCplDaemon] D:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] D:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] D:\WINDOWS\System32\nwiz.exe ()

O4 - HKLM..\Run: [QuickTime Task] D:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [RTHDCPL] D:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [sunJavaUpdateSched] D:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

O4 - HKCU..\Run: [bitTorrent DNA] D:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)

O4 - HKCU..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = D:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = D:\WINDOWS\Resources\Themes\Royale.theme ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()

O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm ()

O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm ()

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - D:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - D:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - D:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - D:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - D:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - D:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - D:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - D:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - d:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - D:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - D:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - D:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - D:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - D:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - D:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - D:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - D:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - D:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - AppInit_DLLs: (D:\WINDOWS\system32\wbsys.dll) - D:\WINDOWS\system32\wbsys.dll (Stardock.Net, Inc)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (D:\WINDOWS\system32\userinit.exe) - D:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (LogonUI.EXE) - D:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - D:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - D:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - D:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - D:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - D:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - D:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - D:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - D:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - D:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - D:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - D:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - D:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - D:\Program Files\Common Files\stardock\MCPCore.dll (Stardock)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - D:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - D:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - D:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - D:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - D:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - D:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: D:\Documents and Settings\Matt & Katie\Desktop\44.PNG

O24 - Desktop BackupWallPaper: D:\Documents and Settings\Matt & Katie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - D:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - D:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - D:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - D:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - D:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - D:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - D:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - D:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - D:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - D:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2001/07/27 08:07:38 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/01/19 10:15:25 | 000,602,112 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Matt & Katie\Desktop\OTL.exe

[2011/01/18 14:40:20 | 000,000,000 | ---D | C] -- D:\Documents and Settings\LocalService\Application Data\Macromedia

[2011/01/18 14:40:20 | 000,000,000 | ---D | C] -- D:\Documents and Settings\LocalService\Application Data\Adobe

[2011/01/17 17:40:59 | 000,000,000 | -HSD | C] -- D:\RECYCLER

[2011/01/17 17:10:37 | 000,000,000 | ---D | C] -- D:\AVGTemp

[2011/01/17 17:01:40 | 000,000,000 | ---D | C] -- D:\WINDOWS\CSC

[2011/01/17 16:47:25 | 000,000,000 | RH-D | C] -- D:\Documents and Settings\Matt & Katie\Recent

[2011/01/17 14:36:12 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\SafeReturner

[2011/01/17 11:00:05 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Sun

[2011/01/17 10:50:42 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Mozilla

[2011/01/17 10:48:56 | 000,000,000 | ---D | C] -- D:\WINDOWS\System32\%APPDATA%

[2011/01/17 08:48:04 | 000,000,000 | ---D | C] -- D:\Program Files\Yontoo Layers Client

[2011/01/17 08:48:04 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Tarma Installer

[2011/01/17 02:39:38 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Macromedia

[2011/01/17 02:39:37 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Adobe

[2011/01/16 03:15:29 | 000,000,000 | ---D | C] -- D:\Program Files\FLAC

[2011/01/16 03:15:29 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Start Menu\Programs\FLAC

[2011/01/13 18:07:36 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Matt & Katie\Desktop\S_Trem

[2011/01/04 20:35:28 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Matt & Katie\Gabrielized Loops

[2011/01/03 20:31:14 | 000,000,000 | ---D | C] -- D:\DrumCore Data

[2011/01/03 18:59:41 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Matt & Katie\Desktop\temp

[2011/01/03 18:38:01 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Matt & Katie\Desktop\Carpe Noctem

[2011/01/03 17:49:58 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Matt & Katie\Desktop\mp3

[2011/01/01 00:19:36 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Submersible

[2010/12/31 19:46:21 | 000,000,000 | ---D | C] -- D:\DrumCore Data.old

[2010/12/31 15:36:10 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Matt & Katie\Desktop\EP

[2010/12/30 22:40:04 | 000,040,960 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ndproxy.sys

[2010/12/30 22:26:29 | 000,045,568 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\wab.exe

[2010/12/30 22:24:47 | 000,974,848 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mfc42.dll

[2010/12/30 22:24:47 | 000,953,856 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mfc40u.dll

[5 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]

[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/19 10:18:26 | 000,761,344 | ---- | M] () -- D:\WINDOWS\System32\drivers\geqttm.sys

[2011/01/19 10:16:38 | 000,296,448 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\y68m67i6.exe

[2011/01/19 10:16:10 | 000,000,436 | -H-- | M] () -- D:\WINDOWS\tasks\User_Feed_Synchronization-{37F52C48-EE75-4830-8F76-4C4F757B1D8C}.job

[2011/01/19 10:15:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Matt & Katie\Desktop\OTL.exe

[2011/01/18 22:52:56 | 000,097,365 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\166348_1620279461716_1078313851_31449070_7574573_n.jpg

[2011/01/18 22:35:45 | 008,233,032 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\09 Ballad Of A Cynic.mp3

[2011/01/18 21:51:55 | 000,000,032 | ---- | M] () -- D:\WINDOWS\System32\w3data.vss

[2011/01/18 21:51:55 | 000,000,032 | ---- | M] () -- D:\WINDOWS\System32\msvcsv60.dll

[2011/01/18 21:51:55 | 000,000,032 | ---- | M] () -- D:\WINDOWS\msocreg32.dat

[2011/01/18 20:44:16 | 000,026,461 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\bohemian_grove2.jpg

[2011/01/18 19:40:19 | 000,010,593 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\Assignments.docx

[2011/01/18 13:40:53 | 000,054,016 | ---- | M] () -- D:\WINDOWS\System32\drivers\qmqb.sys

[2011/01/18 03:16:59 | 001,230,907 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\44.PNG

[2011/01/18 03:13:51 | 000,425,777 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\222.png

[2011/01/18 03:12:00 | 000,508,741 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\11.png

[2011/01/18 03:09:24 | 001,253,946 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\4.png

[2011/01/18 03:08:40 | 001,325,649 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\3.png

[2011/01/18 03:06:21 | 000,917,343 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\2.png

[2011/01/18 03:05:07 | 000,838,158 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\100_3003_PopArt_7.png

[2011/01/17 19:47:59 | 000,083,466 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\Desktop\12.JPG

[2011/01/17 17:35:32 | 000,054,016 | ---- | M] () -- D:\WINDOWS\System32\drivers\pdcqgjh.sys

[2011/01/17 17:28:28 | 000,201,106 | ---- | M] () -- D:\WINDOWS\System32\nvapps.xml

[2011/01/17 17:28:20 | 000,000,027 | ---- | M] () -- D:\WINDOWS\System32\drivers\etc\hosts

[2011/01/17 17:28:06 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat

[2011/01/17 17:00:21 | 000,000,163 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\default.pls

[2011/01/17 16:51:50 | 000,410,288 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT

[2011/01/17 16:46:49 | 000,197,934 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\My Documents\Registry Jan 17th.reg

[2011/01/17 16:27:47 | 000,000,120 | ---- | M] () -- D:\WINDOWS\Kyelikerevaf.dat

[2011/01/17 15:12:50 | 000,000,664 | ---- | M] () -- D:\WINDOWS\System32\d3d9caps.dat

[2011/01/17 10:49:52 | 000,069,632 | RHS- | M] () -- D:\WINDOWS\System32\sndrec32E.dll

[2011/01/17 08:49:37 | 000,000,000 | ---- | M] () -- D:\WINDOWS\Iyidites.bin

[2011/01/16 03:15:29 | 000,001,525 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\FLAC Frontend.lnk

[2011/01/14 12:52:02 | 000,000,284 | ---- | M] () -- D:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2011/01/10 05:21:00 | 000,000,116 | ---- | M] () -- D:\WINDOWS\NeroDigital.ini

[2011/01/03 20:32:08 | 000,233,472 | ---- | M] (Propellerhead Software AB) -- D:\WINDOWS\System32\REX Shared Library.dll

[2011/01/03 17:49:41 | 000,379,041 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\My Documents\Record Static-SoundBible.com-306727640.mp3

[2011/01/02 21:08:44 | 000,570,698 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\My Documents\095 AW ND.rx2

[2011/01/02 21:00:38 | 000,018,546 | ---- | M] () -- D:\Documents and Settings\Matt & Katie\gmon.out

[2010/12/31 03:04:40 | 000,435,700 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat

[2010/12/31 03:04:39 | 000,068,214 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat

[2010/12/30 15:35:02 | 000,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl

[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys

[5 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]

[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/19 10:16:37 | 000,296,448 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\y68m67i6.exe

[2011/01/18 22:52:56 | 000,097,365 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\166348_1620279461716_1078313851_31449070_7574573_n.jpg

[2011/01/18 22:35:33 | 008,233,032 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\09 Ballad Of A Cynic.mp3

[2011/01/18 20:44:16 | 000,026,461 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\bohemian_grove2.jpg

[2011/01/18 19:40:19 | 000,010,593 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\Assignments.docx

[2011/01/18 13:40:53 | 000,054,016 | ---- | C] () -- D:\WINDOWS\System32\drivers\qmqb.sys

[2011/01/18 03:16:59 | 001,230,907 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\44.PNG

[2011/01/18 03:13:50 | 000,425,777 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\222.png

[2011/01/18 03:11:59 | 000,508,741 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\11.png

[2011/01/18 03:09:23 | 001,253,946 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\4.png

[2011/01/18 03:08:39 | 001,325,649 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\3.png

[2011/01/18 03:06:21 | 000,917,343 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\2.png

[2011/01/18 03:05:07 | 000,838,158 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\100_3003_PopArt_7.png

[2011/01/17 19:31:21 | 000,083,466 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Desktop\12.JPG

[2011/01/17 17:44:53 | 000,000,032 | ---- | C] () -- D:\WINDOWS\System32\msvcsv60.dll

[2011/01/17 17:35:32 | 000,054,016 | ---- | C] () -- D:\WINDOWS\System32\drivers\pdcqgjh.sys

[2011/01/17 17:17:10 | 000,256,512 | ---- | C] () -- D:\WINDOWS\PEV.exe

[2011/01/17 17:17:10 | 000,089,088 | ---- | C] () -- D:\WINDOWS\MBR.exe

[2011/01/17 16:46:40 | 000,197,934 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\My Documents\Registry Jan 17th.reg

[2011/01/17 10:49:52 | 000,069,632 | RHS- | C] () -- D:\WINDOWS\System32\sndrec32E.dll

[2011/01/17 08:49:37 | 000,000,120 | ---- | C] () -- D:\WINDOWS\Kyelikerevaf.dat

[2011/01/17 08:49:37 | 000,000,000 | ---- | C] () -- D:\WINDOWS\Iyidites.bin

[2011/01/17 08:48:03 | 000,761,344 | ---- | C] () -- D:\WINDOWS\System32\drivers\geqttm.sys

[2011/01/16 03:15:29 | 000,001,525 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\FLAC Frontend.lnk

[2011/01/03 17:49:40 | 000,379,041 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\My Documents\Record Static-SoundBible.com-306727640.mp3

[2011/01/02 21:08:44 | 000,570,698 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\My Documents\095 AW ND.rx2

[2011/01/02 21:00:38 | 000,018,546 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\gmon.out

[2010/07/09 18:48:46 | 000,000,017 | ---- | C] () -- D:\WINDOWS\PCMGMP.INI

[2010/06/29 20:18:47 | 000,040,960 | ---- | C] () -- D:\WINDOWS\System32\F5D9050.dll

[2010/04/07 00:16:40 | 000,015,802 | -HS- | C] () -- D:\Documents and Settings\Matt & Katie\Local Settings\Application Data\C6158646

[2010/04/07 00:16:40 | 000,015,802 | -HS- | C] () -- D:\Documents and Settings\All Users\Application Data\C6158646

[2010/02/23 20:54:15 | 000,013,094 | -HS- | C] () -- D:\Documents and Settings\Matt & Katie\Local Settings\Application Data\Xi7h20PI0

[2010/02/19 14:37:32 | 000,061,678 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Application Data\PFP110JPR.{PB

[2010/02/19 14:37:32 | 000,012,358 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Application Data\PFP110JCM.{PB

[2009/12/27 23:07:49 | 000,000,040 | -HS- | C] () -- D:\Documents and Settings\All Users\Application Data\.zreglib

[2009/03/20 01:35:41 | 000,000,024 | ---- | C] () -- D:\WINDOWS\LogonStudio.ini

[2009/03/20 01:34:27 | 000,187,392 | ---- | C] () -- D:\WINDOWS\System32\JPGUtils.dll

[2009/01/22 15:26:15 | 000,000,000 | ---- | C] () -- D:\WINDOWS\WB.ini

[2008/12/23 20:28:10 | 000,000,116 | ---- | C] () -- D:\WINDOWS\NeroDigital.ini

[2008/12/18 15:38:08 | 000,064,000 | ---- | C] () -- D:\Documents and Settings\Matt & Katie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/12/07 07:35:27 | 000,004,161 | ---- | C] () -- D:\WINDOWS\ODBCINST.INI

[2008/11/21 15:47:52 | 003,596,288 | ---- | C] () -- D:\WINDOWS\System32\qt-dx331.dll

[2008/09/17 09:55:00 | 001,724,416 | ---- | C] () -- D:\WINDOWS\System32\nvwdmcpl.dll

[2008/09/17 09:55:00 | 001,507,328 | ---- | C] () -- D:\WINDOWS\System32\nview.dll

[2008/09/17 09:55:00 | 001,101,824 | ---- | C] () -- D:\WINDOWS\System32\nvwimg.dll

[2008/09/17 09:55:00 | 000,466,944 | ---- | C] () -- D:\WINDOWS\System32\nvshell.dll

[2008/09/17 09:55:00 | 000,286,720 | ---- | C] () -- D:\WINDOWS\System32\nvnt4cpl.dll

[2006/01/20 11:56:58 | 000,086,016 | ---- | C] () -- D:\WINDOWS\System32\Machinist2.dll

[2002/10/15 16:54:04 | 000,153,088 | ---- | C] () -- D:\WINDOWS\System32\unrar.dll

[2002/02/28 17:30:13 | 000,089,600 | ---- | C] () -- D:\WINDOWS\System32\mp4fil32.dll

========== LOP Check ==========

[2010/01/06 21:29:11 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Avery

[2009/01/22 13:11:06 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Grisoft

[2009/01/14 21:52:29 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\LOUD Technologies

[2008/12/09 11:38:47 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\NexonUS

[2008/12/07 16:17:51 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters

[2011/01/17 14:36:12 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\SafeReturner

[2009/12/27 23:07:49 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\SlySoft

[2010/06/10 20:07:31 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\SpeedBit

[2011/01/01 00:19:36 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Submersible

[2011/01/17 08:48:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Tarma Installer

[2011/01/08 19:18:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\TEMP

[2011/01/18 21:55:06 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Tracktion 3

[2009/02/02 12:24:37 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

[2009/04/17 16:43:34 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{B912DA22-7AAD-474B-8C8F-D82FF0C33BF5}

[2010/06/22 07:41:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\Antares

[2011/01/19 02:03:12 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\BitTorrent

[2011/01/19 10:12:32 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\DNA

[2009/10/01 17:17:47 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\FinalBurner Video DVD

[2009/02/02 00:25:32 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\GetRightToGo

[2008/12/07 13:57:51 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\Grisoft

[2009/10/01 17:13:31 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\ImgBurn

[2008/12/23 19:49:44 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\InfraRecorder

[2010/08/28 23:16:05 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\LimeWire

[2010/01/06 21:03:24 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\Office Depot Labels Software

[2009/03/05 13:31:25 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\Submersible

[2011/01/18 21:55:07 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Matt & Katie\Application Data\Tracktion 3

[2011/01/19 10:16:10 | 000,000,436 | -H-- | M] () -- D:\WINDOWS\Tasks\User_Feed_Synchronization-{37F52C48-EE75-4830-8F76-4C4F757B1D8C}.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0

< End of report >

OTL Extras logfile created on: 1/19/2011 10:16:06 AM - Run 1

OTL by OldTimer - Version 3.2.20.2 Folder = D:\Documents and Settings\Matt & Katie\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 67.00% Paging File free

Paging file location(s): D:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files

Drive C: | 8.56 Gb Total Space | 0.31 Gb Free Space | 3.57% Space Free | Partition Type: FAT32

Drive D: | 140.48 Gb Total Space | 1.84 Gb Free Space | 1.31% Space Free | Partition Type: NTFS

Computer Name: MATTCHEW | User Name: Matt & Katie | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.exe [@ = exefile] -- Reg Error: Key error. File not found

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

https [open] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "D:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "D:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusOverride" = 1

"FirewallOverride" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"D:\Nexon\Combat Arms\CombatArms.exe" = D:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe

"D:\Nexon\Combat Arms\Engine.exe" = D:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"D:\Program Files\iTunes\iTunes.exe" = D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"D:\Program Files\DNA\btdna.exe" = D:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)

"D:\Program Files\BitTorrent\bittorrent.exe" = D:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)

"D:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = D:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)

"D:\Program Files\Bonjour\mDNSResponder.exe" = D:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"D:\Program Files\Mozilla Firefox\firefox.exe" = D:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)

"D:\Program Files\Java\jre6\bin\rmiregistry.exe" = D:\Program Files\Java\jre6\bin\rmiregistry.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR

"{11E5BA77-46D3-491C-988A-6B1E7FB78BB2}" = 183086

"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime

"{246B1C35-590F-4B2F-B1B3-6CF57E752EE7}" = GEAR driver installer for x86 and x64

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 20

"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies

"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)

"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{70DBE9DF-EB33-4B56-BCB5-08D5A400A79A}" = SampleTank 2.x SE

"{71F6DF7D-B639-4FAD-BA93-E6DF267AA44D}" = DesignPro 5.4 Limited Edition

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{7BA8D8DE-C7DF-4E65-9099-05475BB53663}" = AmpliTube 1.x LE

"{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo Layers Client 1.10.01

"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{8DAA0D4D-C955-4294-8BAA-F127118B5F5E}" = 183317

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0019-0000-0000-0000000FF1CE}" = Microsoft Office Publisher 2007

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-001B-0000-0000-0000000FF1CE}" = Microsoft Office Word 2007

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9922FE96-6803-498D-A6AD-4EB5A3B956A5}" = Belkin Wireless G Plus MIMO USB Network Adapter

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser

"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components

"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder

"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter

"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9

"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player

"{BB05D173-9681-4812-A7FA-BD4042A3DA00}" = Alky for Applications (Windows XP)

"{BF26E713-43CD-43AD-AF28-A905C1E26D8C}" = DVDneXtCOPY3

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CCB3F587-BAD0-4F32-99FC-301E6F9ABAB4}" = MIDI Yoke

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer

"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F14B8ECC-BDA0-4987-9201-D7B7DBE11033}" = Nero 7 Ultra Edition

"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes

"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Photoshop 7.0" = Adobe Photoshop 7.0

"AnalogX AutoTune" = AnalogX AutoTune

"Antares Autotune VST_is1" = Antares Autotune VST v5.09

"AviSynth" = AviSynth 2.5

"BitTorrent" = BitTorrent

"CCleaner" = CCleaner (remove only)

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters

"Download Accelerator Plus (DAP)" = Download Accelerator Plus (DAP)

"DVDneXtCOPY" = DVDneXtCOPY

"FLAC" = FLAC 1.2.1b (remove only)

"Garritan GPO Tracktion 3 Edition" = Garritan GPO Tracktion 3 Edition

"ie8" = Windows Internet Explorer 8

"InstallShield_{71F6DF7D-B639-4FAD-BA93-E6DF267AA44D}" = DesignPro 5.4 Limited Edition

"Lexicon" = Lexicon

"Link.USB" = Link.USB

"Machinist2DLL" = Machinist2DLL

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft SQL Server 2005" = Microsoft SQL Server 2005

"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NVIDIA Drivers" = NVIDIA Drivers

"PowerISO" = PowerISO

"PUBLISHER" = Microsoft Office Publisher 2007

"SpeedBit Video Downloader" = SpeedBit Video Downloader

"Tracktion 3.0_is1" = Tracktion 3.0.4.8

"VLC media player" = VLC media player 1.0.1

"VobSub" = VobSub v2.23 (Remove Only)

"Win AVI HelixSDK_is1" = Win AVI HelixSDK

"WinAVI Video Converter_is1" = WinAVI Video Converter

"WindowBlinds" = WindowBlinds

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinRAR archiver" = WinRAR archiver

"WORD" = Microsoft Office Word 2007

"YouTube Downloader App" = YouTube Downloader App 1.03

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"BitTorrent" = BitTorrent

"BitTorrent DNA" = DNA

"Move Media Player" = Move Media Player

"World of Warcraft Trial" = World of Warcraft Trial

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 1/17/2011 6:16:37 PM | Computer Name = MATTCHEW | Source = Application Error | ID = 1000

Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting

module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 1/17/2011 6:31:50 PM | Computer Name = MATTCHEW | Source = EventSystem | ID = 4609

Description = The COM+ Event System detected a bad return code during its internal

processing. HRESULT was 80110472 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.

Please contact Microsoft Product Support Services to report this erro

Error - 1/17/2011 6:31:50 PM | Computer Name = MATTCHEW | Source = VSS | ID = 8193

Description = Volume Shadow Copy Service error: Unexpected error calling routine

CoCreateInstance. hr = 0x80040206.

Error - 1/17/2011 6:57:25 PM | Computer Name = MATTCHEW | Source = EventSystem | ID = 4609

Description = The COM+ Event System detected a bad return code during its internal

processing. HRESULT was 80110472 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.

Please contact Microsoft Product Support Services to report this erro

Error - 1/17/2011 6:57:25 PM | Computer Name = MATTCHEW | Source = VSS | ID = 8193

Description = Volume Shadow Copy Service error: Unexpected error calling routine

CoCreateInstance. hr = 0x80040206.

Error - 1/17/2011 7:25:25 PM | Computer Name = MATTCHEW | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 1/17/2011 7:25:25 PM | Computer Name = MATTCHEW | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 1/17/2011 7:25:29 PM | Computer Name = MATTCHEW | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error - 1/17/2011 7:25:38 PM | Computer Name = MATTCHEW | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 1/17/2011 7:25:39 PM | Computer Name = MATTCHEW | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

[ OSession Events ]

Error - 2/19/2010 4:48:23 PM | Computer Name = MATTCHEW | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 0, Application Name: Microsoft Office Word, Application Version:

12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 108

seconds with 60 seconds of active time. This session ended with a crash.

[ System Events ]

Error - 1/13/2011 12:02:18 AM | Computer Name = MATTCHEW | Source = Dhcp | ID = 1002

Description = The IP address lease 192.168.1.9 for the Network Card with network

address 00173F74E5C9 has been denied by the DHCP server 192.168.2.1 (The DHCP Server

sent a DHCPNACK message).

Error - 1/16/2011 4:48:28 PM | Computer Name = MATTCHEW | Source = Dhcp | ID = 1002

Description = The IP address lease 192.168.1.9 for the Network Card with network

address 00173F74E5C9 has been denied by the DHCP server 192.168.2.1 (The DHCP Server

sent a DHCPNACK message).

Error - 1/16/2011 4:49:33 PM | Computer Name = MATTCHEW | Source = Dhcp | ID = 1001

Description = Your computer was not assigned an address from the network (by the

DHCP Server) for the Network Card with network address 00173F74E5C9. The following

error occurred: %%1223. Your computer will continue to try and obtain an address

on its own from the network address (DHCP) server.

Error - 1/17/2011 5:15:33 AM | Computer Name = MATTCHEW | Source = Service Control Manager | ID = 7032

Description = The Service Control Manager tried to take a corrective action (Restart

the service) after the unexpected termination of the Windows Management Instrumentation

service, but this action failed with the following error: %%1056

Error - 1/17/2011 10:48:03 AM | Computer Name = MATTCHEW | Source = Service Control Manager | ID = 7000

Description = The Microsoft Kernel Acoustic Echo Canceller service failed to start

due to the following error: %%31

Error - 1/17/2011 1:50:56 PM | Computer Name = MATTCHEW | Source = Dhcp | ID = 1001

Description = Your computer was not assigned an address from the network (by the

DHCP Server) for the Network Card with network address 00173F74E5C9. The following

error occurred: %%1223. Your computer will continue to try and obtain an address

on its own from the network address (DHCP) server.

Error - 1/17/2011 1:51:04 PM | Computer Name = MATTCHEW | Source = Service Control Manager | ID = 7023

Description = The MicroSoft AutoThemes Manager service terminated with the following

error: %%126

Error - 1/17/2011 1:51:08 PM | Computer Name = MATTCHEW | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

nvata

Error - 1/17/2011 1:51:56 PM | Computer Name = MATTCHEW | Source = Service Control Manager | ID = 7023

Description = The iPod Service service terminated with the following error: %%2147549465

Error - 1/17/2011 1:52:22 PM | Computer Name = MATTCHEW | Source = DCOM | ID = 10010

Description = The server {063D34A4-BF84-4B8D-B699-E8CA06504DDE} did not register

with DCOM within the required timeout.

< End of report >

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2011-01-19 14:50:22

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0 ST316081 rev.3.AH

Running: y68m67i6.exe; Driver: D:\DOCUME~1\MATT&K~1\LOCALS~1\Temp\pwloypow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text geqttm.sys B9EAB000 7 Bytes JMP B9EDB2F5 geqttm.sys

.text geqttm.sys B9EAB008 10 Bytes JMP 64DFB49A

.text geqttm.sys B9EAB013 77 Bytes [8B, 45, 00, 66, 0F, BE, D3, ...]

.text geqttm.sys B9EAB062 9 Bytes [60, F9, 83, C5, 02, E9, B4, ...]

.text geqttm.sys B9EAB06C 29 Bytes [0F, 8D, 12, 0C, 00, 00, 60, ...]

.text ...

? D:\WINDOWS\system32\drivers\geqttm.sys A device attached to the system is not functioning.

PAGE Ntfs.sys B9D46E55 4 Bytes CALL 8A4958E1

.text D:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8551360, 0x35363F, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A51D950

Device \Driver\Tcpip \Device\Ip 8A14A418

Device \Driver\Tcpip \Device\Tcp 8A14A418

Device \Driver\Tcpip \Device\Udp 8A14A418

Device \Driver\Tcpip \Device\RawIp 8A14A418

Device \Driver\Tcpip \Device\IPMULTICAST 8A14A418

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] geqttm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\geqttm@hshxgtt -1705773241

Reg HKLM\SYSTEM\ControlSet002\Services\geqttm@Type 1

Reg HKLM\SYSTEM\ControlSet002\Services\geqttm@Start 0

Reg HKLM\SYSTEM\ControlSet002\Services\geqttm@ErrorControl 0

Reg HKLM\SYSTEM\ControlSet002\Services\geqttm@Group Boot Bus Extender

Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@hshxgtt -1705773241

Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@Start 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@ErrorControl 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@Group Boot Bus Extender

And also, I got AVG to uninstall and ran ComboFix. Every program that I've used to detect and remove it says it will be removed upon reboot, but no such luck. I always pick it up with Malwarebytes again.

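The GMER output above is the single most useful thing in this thread, and reading it by eye is error-prone. The following is an added example, not part of the forum post and not code from GMER: a small triage parser that pulls the facts a responder checks first (is the service hidden, what is its start type and load group, and did GMER fail to read the driver file) out of a GMER report and combines them per service. The sample input is copied from the report above, reordered and trimmed; the one assumption, flagged in a comment, is that the service name matches the driver file's basename, as it does for `geqttm` here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows service start types (SERVICE_BOOT_START .. SERVICE_DISABLED).
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

# Lines copied from the GMER report posted in this thread (reordered and
# trimmed; the "? <path>" line sits under "Kernel code sections" in GMER's
# own output).
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----
? D:\WINDOWS\system32\drivers\geqttm.sys A device attached to the system is not functioning.
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] geqttm <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@hshxgtt -1705773241
Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geqttm@Group Boot Bus Extender
"""

HIDDEN_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\*\s*\) \[\w+\] (\S+)")
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)"
                    r"\\Services\\([^@\\]+)@(\w+)\s*(.*)$")
UNREADABLE_RE = re.compile(r"^\? ((?:\S+\\)?([^\\\s]+)\.sys) "
                           r"A device attached to the system is not functioning")


@dataclass
class ServiceFinding:
    name: str
    hidden: bool = False
    start: Optional[int] = None
    svc_type: Optional[int] = None
    group: str = ""
    unreadable_file: str = ""

    def reasons(self) -> List[str]:
        """Human-readable indicators, strongest first."""
        out = []
        if self.hidden:
            out.append("hidden from service enumeration (GMER '*** hidden ***')")
        if self.unreadable_file:
            out.append(f"driver file cannot be read from user mode: {self.unreadable_file}")
        if self.start == 0:
            out.append("Start=0 (BOOT_START): loads before any security product")
        if self.group == "Boot Bus Extender":
            out.append("Group 'Boot Bus Extender': loads with the storage bus drivers")
        return out


def triage_gmer(report: str) -> Dict[str, ServiceFinding]:
    """Collect per-service facts from the Services/Registry/'?' lines."""
    findings: Dict[str, ServiceFinding] = {}

    def entry(name: str) -> ServiceFinding:
        return findings.setdefault(name, ServiceFinding(name))

    for raw in report.splitlines():
        line = raw.strip()
        m = HIDDEN_RE.match(line)
        if m:
            entry(m.group(1)).hidden = True
            continue
        m = REG_RE.match(line)
        if m:
            name, value_name, value = m.groups()
            f = entry(name)
            if value_name == "Start":
                f.start = int(value)
            elif value_name == "Type":
                f.svc_type = int(value)
            elif value_name == "Group":
                f.group = value
            continue
        m = UNREADABLE_RE.match(line)
        if m:
            # Assumption: the service name equals the driver file's basename,
            # as it does for geqttm in this thread.
            entry(m.group(2)).unreadable_file = m.group(1)
    return findings


def suspicious_services(findings: Dict[str, ServiceFinding]) -> List[str]:
    """Names worth escalating: hidden from the service list, unreadable on disk, or both."""
    return sorted(n for n, f in findings.items() if f.hidden or f.unreadable_file)


if __name__ == "__main__":
    for name, f in triage_gmer(SAMPLE_GMER).items():
        print(f"{name}: start={START_TYPES.get(f.start, '?')} type={f.svc_type}")
        for r in f.reasons():
            print("  -", r)
```

Run against the report above it flags `geqttm` on all four counts: a hidden kernel driver (Type 1), boot-start, in the Boot Bus Extender group, whose file the scanner could not read. A driver that loads that early sits below every user-mode cleaner, which is why "will be removed on reboot" keeps failing; the same parser run on the second GMER/ComboFix log after a removal attempt is the quickest way to confirm the entry is actually gone.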

Do you have a ComboFix log?

If so, post it, but do refrain from doing anything further unless instructed to do so.

Please submit the following files to one of these online file scanners.

(All you have to do is copy and paste the file path into the box when you click on Browse; once you have done that, click on the Open button, then Submit.)

D:\WINDOWS\System32\drivers\geqttm.sys

D:\WINDOWS\System32\drivers\qmqb.sys

D:\WINDOWS\System32\drivers\pdcqgjh.sys

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.


ComboFix 11-01-17.01 - Matt & Katie 01/17/2011 17:20:59.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1560 [GMT -6:00]

Running from: d:\documents and settings\Matt & Katie\Desktop\HootiePooPants123.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

d:\documents and settings\Matt & Katie\Local Settings\Application Data\{AA075470-955E-42FB-A177-049E28F485CC}

d:\documents and settings\Matt & Katie\Local Settings\Application Data\{AA075470-955E-42FB-A177-049E28F485CC}\chrome.manifest

d:\documents and settings\Matt & Katie\Local Settings\Application Data\{AA075470-955E-42FB-A177-049E28F485CC}\chrome\content\_cfg.js

d:\documents and settings\Matt & Katie\Local Settings\Application Data\{AA075470-955E-42FB-A177-049E28F485CC}\chrome\content\overlay.xul

d:\documents and settings\Matt & Katie\Local Settings\Application Data\{AA075470-955E-42FB-A177-049E28F485CC}\install.rdf

d:\program files\filesubmit

d:\program files\filesubmit\183086\183086.zip

d:\program files\filesubmit\183317\183317.zip

d:\program files\filesubmit\183317\Installation.txt

d:\program files\Search Toolbar

d:\program files\Search Toolbar\icon.ico

d:\program files\Search Toolbar\SearchToolbar.dll

d:\program files\Search Toolbar\SearchToolbarUninstall.exe

d:\program files\Search Toolbar\SearchToolbarUpdater.exe

d:\program files\SpeedBit Video Downloader\Toolbar\tbhelper.dll

D:\readme.txt

d:\windows\system32\msvcsv60.dll

d:\windows\utogigus.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))

.

2011-01-17 23:10 . 2011-01-17 23:10 -------- d-----w- D:\AVGTemp

2011-01-17 23:01 . 2011-01-17 23:13 -------- d-----w- d:\documents and settings\Administrator

2011-01-17 20:36 . 2011-01-17 20:36 -------- d-----w- d:\documents and settings\All Users\Application Data\SafeReturner

2011-01-17 20:36 . 2011-01-17 22:57 -------- d-----w- d:\program files\Safe Returner

2011-01-17 16:49 . 2011-01-17 16:49 69632 --sha-r- d:\windows\system32\sndrec32E.dll

2011-01-17 16:48 . 2011-01-17 16:48 -------- d-----w- d:\windows\system32\%APPDATA%

2011-01-17 14:49 . 2011-01-17 14:49 0 ----a-w- d:\windows\Iyidites.bin

2011-01-17 14:48 . 2011-01-17 14:48 -------- d-----w- d:\program files\Yontoo Layers Client

2011-01-17 14:48 . 2011-01-17 14:48 -------- d-----w- d:\documents and settings\All Users\Application Data\Tarma Installer

2011-01-17 14:48 . 2011-01-17 23:29 761344 ----a-w- d:\windows\system32\drivers\geqttm.sys

2011-01-16 09:15 . 2011-01-16 18:55 -------- d-----w- d:\program files\FLAC

2011-01-05 02:35 . 2011-01-05 02:35 -------- d-----w- d:\documents and settings\Matt & Katie\Gabrielized Loops

2011-01-04 02:31 . 2011-01-05 02:56 -------- d-----w- D:\DrumCore Data

2011-01-01 06:19 . 2011-01-01 06:19 -------- d-----w- d:\documents and settings\All Users\Application Data\Submersible

2010-12-31 04:40 . 2010-11-02 15:17 40960 -c----w- d:\windows\system32\dllcache\ndproxy.sys

2010-12-31 04:26 . 2010-10-11 14:59 45568 -c----w- d:\windows\system32\dllcache\wab.exe

2010-12-31 04:24 . 2010-09-18 06:53 974848 -c----w- d:\windows\system32\dllcache\mfc42.dll

2010-12-31 04:24 . 2010-09-18 06:53 953856 -c----w- d:\windows\system32\dllcache\mfc40u.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-04 02:32 . 2009-01-14 21:23 233472 ----a-w- d:\windows\system32\REX Shared Library.dll

2010-12-21 00:09 . 2009-04-29 19:20 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2009-04-29 19:20 20952 ----a-w- d:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2008-12-07 21:42 81920 ----a-w- d:\windows\system32\isign32.dll

2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- d:\windows\system32\odbc32.dll

2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- d:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-10 12:00 43520 ----a-w- d:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-10 12:00 1469440 ----a-w- d:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-10 12:00 385024 ----a-w- d:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-10 12:00 40960 ----a-w- d:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-10 12:00 290048 ----a-w- d:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-10 12:00 1853312 ----a-w- d:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2010-12-20 18:09 191488 ------w- d:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="d:\program files\DNA\btdna.exe" [2009-10-07 323392]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="d:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-12-26 13680640]

"nwiz"="nwiz.exe" [2008-12-26 1657376]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-12-26 86016]

"RTHDCPL"="RTHDCPL.EXE" [2009-05-14 17881088]

"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"F5D9050"="d:\program files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 1585152]

d:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-7 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=d:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=myokent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2009-03-15 10:15 180224 ----a-w- d:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Program Files\\DNA\\btdna.exe"=

"d:\\Program Files\\BitTorrent\\bittorrent.exe"=

"d:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Program Files\\Java\\jre6\\bin\\rmiregistry.exe"=

R3 StreamSurge;StreamSurge Driver (miniport);d:\windows\system32\drivers\ss.sys [6/29/2010 8:18 PM 19968]

S3 RegKernelHelp;RegKernelHelp;\??\d:\program files\Safe Returner\RegKernelHelp.sys --> d:\program files\Safe Returner\RegKernelHelp.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - geqttm

.

Contents of the 'Scheduled Tasks' folder

2011-01-14 d:\windows\Tasks\AppleSoftwareUpdate.job

- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-17 d:\windows\Tasks\User_Feed_Synchronization-{37F52C48-EE75-4830-8F76-4C4F757B1D8C}.job

- d:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP

mStart Page = hxxp://search.entru.com/?s=21982

IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - d:\program files\DAP\dapextie.htm

IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)

HKLM-Run-Ekixixenibek - d:\windows\utogigus.dll

MSConfigStartUp-DesktopX - d:\program files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe

MSConfigStartUp-LogonStudio - d:\program files\WinCustomize\LogonStudio\logonstudio.exe

MSConfigStartUp-SpeedBitVideoAccelerator - d:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe

MSConfigStartUp-SUPERAntiSpyware - d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

AddRemove-Search Toolbar - d:\program files\Search Toolbar\SearchToolbarUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-17 17:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geqttm]

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,95,c2,b0,a2,e6,0c,48,b7,a6,91,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,95,c2,b0,a2,e6,0c,48,b7,a6,91,\

[HKEY_USERS\S-1-5-21-1659004503-1326574676-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:c1,25,6d,eb,b5,ff,db,7f,71,6b,35,4a,95,03,6e,2d,c7,f1,1c,68,95,

0a,a1,13,81,16,fd,d4,d0,86,4a,38,b7,0d,7a,ad,00,d0,20,b3,74,37,71,89,de,54,\

"rkeysecu"=hex:54,bd,84,d7,d8,17,05,e5,38,9a,d5,ad,7b,3f,d7,14

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)

d:\windows\system32\myokent.dll

- - - - - - - > 'lsass.exe'(652)

d:\windows\system32\myokent.dll

- - - - - - - > 'explorer.exe'(1744)

d:\windows\system32\WININET.dll

d:\windows\system32\myokent.dll

d:\windows\system32\webcheck.dll

d:\windows\system32\IEFRAME.dll

d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

d:\windows\system32\mshtml.dll

d:\windows\system32\msls31.dll

d:\progra~1\COMMON~1\stardock\MCPCore.dll

.

------------------------ Other Running Processes ------------------------

.

d:\windows\system32\rundll32.exe

d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

d:\program files\Bonjour\mDNSResponder.exe

d:\windows\eHome\ehRecvr.exe

d:\windows\eHome\ehSched.exe

d:\program files\Java\jre6\bin\jqs.exe

d:\windows\system32\nvsvc32.exe

d:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

d:\windows\system32\dllhost.exe

d:\windows\system32\RUNDLL32.EXE

d:\windows\RTHDCPL.EXE

d:\windows\eHome\ehmsas.exe

d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

d:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-01-17 17:32:28 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-17 23:32

ComboFix2.txt 2009-04-29 23:21

Pre-Run: 5,082,963,968 bytes free

Post-Run: 5,388,267,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 28613839EB7A7B06F2E448B63A049362


D:\WINDOWS\System32\drivers\geqttm.sys - Jotti's malware scan says "File is empty (0 bytes)!"

D:\WINDOWS\System32\drivers\qmqb.sys - I cannot find this file

D:\WINDOWS\System32\drivers\pdcqgjh.sys - I cannot find this file

I uploaded "geqttm" to VirusTotal, though I'm unsure how to receive the analysis. I did make an account.

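The "File is empty (0 bytes)!" result is worth pausing on: the ComboFix log in this thread lists geqttm.sys at 761344 bytes, yet the copy Jotti received was empty. A driver that filters reads of its own image so that user-mode programs see nothing is one common cause of exactly that mismatch, and the mismatch is itself an indicator. The following is an added example, not code from the thread or from either scanner: a hypothetical local pre-check that compares the size the directory entry reports with the bytes a plain read actually returns, hashes what was readable, and flags the empty-file hash so you can search the hash on the scanner instead of uploading a file that reads back as empty. The sample file is constructed in a temp directory; a real run would take the path from the log. Caveat: on a box with a kernel rootkit the stat call can be lied to as well, so a clean result here is not proof of a clean file.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# SHA-256 of zero bytes: if a scanner reports this hash, it hashed nothing.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


@dataclass
class FileCheck:
    path: str
    reported_size: int   # size from the directory entry (os.stat)
    read_size: int       # bytes a plain open()/read() actually returned
    sha256: str          # hash of the bytes that were readable

    @property
    def suspicious(self) -> bool:
        # The listing says the file has content but a read returns less
        # (in the thread: ComboFix lists geqttm.sys at 761344 bytes, Jotti
        # received 0 bytes). Either form of the mismatch is an indicator.
        return self.read_size < self.reported_size or (
            self.reported_size > 0 and self.sha256 == EMPTY_SHA256)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_file(path: str) -> FileCheck:
    """Stat the file, then read it in chunks, hashing and counting bytes."""
    reported = os.stat(path).st_size
    h = hashlib.sha256()
    read = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
            read += len(chunk)
    return FileCheck(path, reported, read, h.hexdigest())


# Constructed stand-in for a driver image (not a real .sys file).
DEMO_BYTES = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 4


def demo() -> FileCheck:
    """Write the constructed sample to a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "geqttm.sys")
        with open(p, "wb") as fh:
            fh.write(DEMO_BYTES)
        return inspect_file(p)


if __name__ == "__main__":
    r = demo()
    print(f"{r.path}: reported={r.reported_size} read={r.read_size} "
          f"sha256={r.sha256} suspicious={r.suspicious}")
    # Paste the SHA-256 into the scanner's hash search instead of uploading
    # a file that may read back as empty on the infected machine.
```

If the hash you get is the empty-file hash while the directory listing shows hundreds of kilobytes, do not bother re-uploading from the same machine; that discrepancy is the finding, and the file should be pulled from offline media (a boot CD or the drive mounted on a clean host) before it can be submitted intact.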

You don't need an account, just copy and paste the results.

HiJack This! Forum Policy

We will not be party to obvious use of keygens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.
For you this means BitTorrent: please uninstall that program from Add or Remove Programs.

==========

It has been a few days since you ran Combofix please do the following.

Delete your version and visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Ok, I've uninstalled BitTorrent.

ComboFix 11-01-19.01 - Matt & Katie 01/19/2011 20:36:33.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1542 [GMT -6:00]

Running from: d:\documents and settings\Matt & Katie\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

d:\windows\system32\drivers\jwbgaysj.sys

d:\windows\system32\msvcsv60.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_sqqa

((((((((((((((((((((((((( Files Created from 2010-12-20 to 2011-01-20 )))))))))))))))))))))))))))))))

.

2011-01-19 16:34 . 2011-01-19 16:16 296448 ----a-w- D:\y68m67i6.exe

2011-01-18 20:40 . 2011-01-18 20:40 -------- d-sh--w- d:\documents and settings\LocalService\PrivacIE

2011-01-18 20:35 . 2011-01-18 20:35 719832 ----a-w- d:\program files\Mozilla Firefox\mozcpp19.dll

2011-01-18 20:35 . 2011-01-18 20:35 16856 ----a-w- d:\program files\Mozilla Firefox\plugin-container.exe

2011-01-17 23:10 . 2011-01-17 23:10 -------- d-----w- D:\AVGTemp

2011-01-17 23:01 . 2011-01-17 23:13 -------- d-----w- d:\documents and settings\Administrator

2011-01-17 20:36 . 2011-01-17 20:36 -------- d-----w- d:\documents and settings\All Users\Application Data\SafeReturner

2011-01-17 16:49 . 2011-01-17 16:49 69632 --sha-r- d:\windows\system32\sndrec32E.dll

2011-01-17 16:48 . 2011-01-17 16:48 -------- d-----w- d:\windows\system32\%APPDATA%

2011-01-17 14:49 . 2011-01-17 14:49 0 ----a-w- d:\windows\Iyidites.bin

2011-01-17 14:48 . 2011-01-17 14:48 -------- d-----w- d:\program files\Yontoo Layers Client

2011-01-17 14:48 . 2011-01-17 14:48 -------- d-----w- d:\documents and settings\All Users\Application Data\Tarma Installer

2011-01-17 14:48 . 2011-01-20 02:43 761344 ----a-w- d:\windows\system32\drivers\geqttm.sys

2011-01-16 09:15 . 2011-01-16 18:55 -------- d-----w- d:\program files\FLAC

2011-01-05 02:35 . 2011-01-05 02:35 -------- d-----w- d:\documents and settings\Matt & Katie\Gabrielized Loops

2011-01-04 02:31 . 2011-01-05 02:56 -------- d-----w- D:\DrumCore Data

2011-01-01 06:19 . 2011-01-01 06:19 -------- d-----w- d:\documents and settings\All Users\Application Data\Submersible

2010-12-31 04:40 . 2010-11-02 15:17 40960 -c----w- d:\windows\system32\dllcache\ndproxy.sys

2010-12-31 04:26 . 2010-10-11 14:59 45568 -c----w- d:\windows\system32\dllcache\wab.exe

2010-12-31 04:24 . 2010-09-18 06:53 974848 -c----w- d:\windows\system32\dllcache\mfc42.dll

2010-12-31 04:24 . 2010-09-18 06:53 953856 -c----w- d:\windows\system32\dllcache\mfc40u.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-19 22:16 . 2011-01-19 22:16 124 ----a-w- d:\windows\Fonts\hxjmqml

2011-01-04 02:32 . 2009-01-14 21:23 233472 ----a-w- d:\windows\system32\REX Shared Library.dll

2010-12-21 00:09 . 2009-04-29 19:20 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2009-04-29 19:20 20952 ----a-w- d:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2008-12-07 21:42 81920 ----a-w- d:\windows\system32\isign32.dll

2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- d:\windows\system32\odbc32.dll

2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- d:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-10 12:00 43520 ----a-w- d:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-10 12:00 1469440 ----a-w- d:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-10 12:00 385024 ----a-w- d:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-10 12:00 40960 ----a-w- d:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-10 12:00 290048 ----a-w- d:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-10 12:00 1853312 ----a-w- d:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((( SnapShot@2011-01-17_23.28.34 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-01-20 02:43 . 2011-01-20 02:43 32768 d:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat

- 2011-01-17 23:28 . 2011-01-17 23:28 32768 d:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat

+ 2011-01-20 02:42 . 2011-01-20 02:42 16384 d:\windows\Temp\Perflib_Perfdata_650.dat

+ 2011-01-20 02:43 . 2011-01-20 02:43 16384 d:\windows\Temp\History\History.IE5\index.dat

- 2011-01-17 23:28 . 2011-01-17 23:28 16384 d:\windows\Temp\History\History.IE5\index.dat

+ 2011-01-20 02:43 . 2011-01-20 02:43 16384 d:\windows\Temp\Cookies\index.dat

- 2011-01-17 23:28 . 2011-01-17 23:28 16384 d:\windows\Temp\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2010-12-20 18:09 191488 ------w- d:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="d:\program files\DNA\btdna.exe" [2009-10-07 323392]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="d:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-12-26 13680640]

"nwiz"="nwiz.exe" [2008-12-26 1657376]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-12-26 86016]

"RTHDCPL"="RTHDCPL.EXE" [2009-05-14 17881088]

"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"F5D9050"="d:\program files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 1585152]

d:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-7 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Taskman"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=d:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=myokent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2009-03-15 10:15 180224 ----a-w- d:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Program Files\\DNA\\btdna.exe"=

"d:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Program Files\\Java\\jre6\\bin\\rmiregistry.exe"=

R3 StreamSurge;StreamSurge Driver (miniport);d:\windows\system32\drivers\ss.sys [6/29/2010 8:18 PM 19968]

S3 RegKernelHelp;RegKernelHelp;\??\d:\program files\Safe Returner\RegKernelHelp.sys --> d:\program files\Safe Returner\RegKernelHelp.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - geqttm

.

Contents of the 'Scheduled Tasks' folder

2011-01-14 d:\windows\Tasks\AppleSoftwareUpdate.job

- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-20 d:\windows\Tasks\User_Feed_Synchronization-{37F52C48-EE75-4830-8F76-4C4F757B1D8C}.job

- d:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP

mStart Page = hxxp://search.entru.com/?s=21982

IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - d:\program files\DAP\dapextie.htm

IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-19 20:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geqttm]

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,95,c2,b0,a2,e6,0c,48,b7,a6,91,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,59,95,c2,b0,a2,e6,0c,48,b7,a6,91,\

[HKEY_USERS\S-1-5-21-1659004503-1326574676-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:c1,25,6d,eb,b5,ff,db,7f,71,6b,35,4a,95,03,6e,2d,c7,f1,1c,68,95,

0a,a1,13,81,16,fd,d4,d0,86,4a,38,b7,0d,7a,ad,00,d0,20,b3,74,37,71,89,de,54,\

"rkeysecu"=hex:54,bd,84,d7,d8,17,05,e5,38,9a,d5,ad,7b,3f,d7,14

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)

d:\windows\system32\myokent.dll

- - - - - - - > 'lsass.exe'(660)

d:\windows\system32\myokent.dll

- - - - - - - > 'explorer.exe'(1724)

d:\windows\system32\WININET.dll

d:\windows\system32\myokent.dll

d:\windows\system32\webcheck.dll

d:\windows\system32\IEFRAME.dll

d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

d:\windows\system32\mshtml.dll

d:\windows\system32\msls31.dll

d:\windows\system32\ImgUtil.dll

d:\windows\system32\pngfilt.dll

d:\progra~1\COMMON~1\stardock\MCPCore.dll

d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

d:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll

d:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

------------------------ Other Running Processes ------------------------

.

d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

d:\program files\Bonjour\mDNSResponder.exe

d:\windows\eHome\ehRecvr.exe

d:\windows\eHome\ehSched.exe

d:\program files\Java\jre6\bin\jqs.exe

d:\windows\system32\nvsvc32.exe

d:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

d:\windows\system32\dllhost.exe

d:\windows\eHome\ehmsas.exe

d:\windows\system32\RUNDLL32.EXE

d:\windows\RTHDCPL.EXE

d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

d:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-01-19 20:47:08 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-20 02:46

ComboFix2.txt 2011-01-17 23:32

ComboFix3.txt 2009-04-29 23:21

Pre-Run: 472,887,296 bytes free

Post-Run: 451,035,136 bytes free

- - End Of File - - 5BE688AF2664D45C59CC487776276740


Looking at your system now, one or more of the identified infections is a backdoor Trojan\Rootkit.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

==============

1. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=72948

Driver::
geqttm

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\geqttm]

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Collect::
D:\WINDOWS\System32\drivers\geqttm.sys
D:\WINDOWS\System32\drivers\qmqb.sys
D:\WINDOWS\System32\drivers\pdcqgjh.sys

2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

4. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

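As an added example (not code from the helper or from ComboFix itself), here is a small Python triage script that reads ComboFix-style log text and flags the persistence and defence-evasion indicators visible in the log posted above: AppInit_DLLs, a drivers32 multimedia entry pointing at a non-standard module, Security Center overrides, a disabled firewall, a deregistered driver, and one DLL loaded into both winlogon.exe and lsass.exe. The finding wording, the regexes and the allowlist of legitimate multimedia drivers are assumptions of this example.

```python
"""Triage helper for ComboFix-style logs (example code, not ComboFix's own).

The rules below mirror the indicators a helper reads off a log like the one
in the thread; they are an assumption of this example, not ComboFix output.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\system32\wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=myokent.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
--- Other Services/Drivers In Memory ---
*Deregistered* - geqttm
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(604)
d:\windows\system32\myokent.dll
- - - - - - - > 'lsass.exe'(660)
d:\windows\system32\myokent.dll
- - - - - - - > 'explorer.exe'(1724)
d:\windows\system32\WININET.dll
d:\windows\system32\myokent.dll
"""

SECTION = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\key]
REG_VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')            # "name"=value
PROC_HEADER = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)")

# Modules that legitimately sit in drivers32 multimedia slots (assumed allowlist).
LEGIT_MULTIMEDIA_DRIVERS = {"wdmaud.drv", "midimap.dll", "msacm32.drv"}


def dlls_by_process(log_text):
    """Map each process in 'DLLs Loaded Under Running Processes' to the
    lower-cased basenames of the DLLs listed under it."""
    loaded = defaultdict(set)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROC_HEADER.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if line.startswith("---"):          # next section divider ends the list
            current = None
        elif current and line.lower().endswith(".dll"):
            loaded[current].add(line.rsplit("\\", 1)[-1].lower())
    return dict(loaded)


def triage(log_text):
    """Return human-readable findings for the indicators described above."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if line.startswith("*Deregistered*"):
            name = line.split("-", 1)[1].strip()
            findings.append(f"deregistered service/driver still in memory: {name}")
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        lname, lvalue = name.lower(), value.lower()
        if section.endswith(r"currentversion\windows") and lname == "appinit_dlls" and value:
            findings.append(f"AppInit_DLLs loads {value} into every process that uses user32.dll")
        elif (section.endswith(r"currentversion\drivers32")
              and lname.startswith(("midi", "wave", "aux", "mixer"))
              and lvalue not in LEGIT_MULTIMEDIA_DRIVERS):
            findings.append(f"drivers32 {name} points at non-standard module {value}")
        elif section.endswith("security center") and lname in ("antivirusoverride", "firewalloverride"):
            if lvalue in ("dword:00000001", "1"):
                findings.append(f"Security Center {name} set (missing AV/firewall alerts suppressed)")
        elif section.endswith("standardprofile") and lname == "enablefirewall" and lvalue.startswith("0"):
            findings.append("Windows Firewall disabled in the standard profile")
    # Cross-process check: a module present in both winlogon.exe and lsass.exe.
    loaded = dlls_by_process(log_text)
    for dll in sorted(loaded.get("winlogon.exe", set()) & loaded.get("lsass.exe", set())):
        findings.append(f"{dll} loaded into both winlogon.exe and lsass.exe")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```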

I uploaded the submit zip file at Bleeping Computer. I did not see any prompt to do so when running ComboFix, but I did make the notepad file and drag and drop it onto ComboFix.

ComboFix 11-01-19.01 - Matt & Katie 01/19/2011 21:07:26.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1537 [GMT -6:00]

Running from: d:\documents and settings\Matt & Katie\Desktop\ComboFix.exe

Command switches used :: d:\documents and settings\Matt & Katie\Desktop\CFScript.txt

file zipped: d:\windows\System32\drivers\geqttm.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

d:\windows\System32\drivers\geqttm.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_GEQTTM

-------\Service_geqttm

((((((((((((((((((((((((( Files Created from 2010-12-20 to 2011-01-20 )))))))))))))))))))))))))))))))

.

2011-01-19 16:34 . 2011-01-19 16:16 296448 ----a-w- D:\y68m67i6.exe

2011-01-18 20:40 . 2011-01-18 20:40 -------- d-sh--w- d:\documents and settings\LocalService\PrivacIE

2011-01-18 20:35 . 2011-01-18 20:35 719832 ----a-w- d:\program files\Mozilla Firefox\mozcpp19.dll

2011-01-18 20:35 . 2011-01-18 20:35 16856 ----a-w- d:\program files\Mozilla Firefox\plugin-container.exe

2011-01-17 23:10 . 2011-01-17 23:10 -------- d-----w- D:\AVGTemp

2011-01-17 23:01 . 2011-01-17 23:13 -------- d-----w- d:\documents and settings\Administrator

2011-01-17 20:36 . 2011-01-17 20:36 -------- d-----w- d:\documents and settings\All Users\Application Data\SafeReturner

2011-01-17 16:49 . 2011-01-17 16:49 69632 --sha-r- d:\windows\system32\sndrec32E.dll

2011-01-17 16:48 . 2011-01-17 16:48 -------- d-----w- d:\windows\system32\%APPDATA%

2011-01-17 14:49 . 2011-01-17 14:49 0 ----a-w- d:\windows\Iyidites.bin

2011-01-17 14:48 . 2011-01-17 14:48 -------- d-----w- d:\program files\Yontoo Layers Client

2011-01-17 14:48 . 2011-01-17 14:48 -------- d-----w- d:\documents and settings\All Users\Application Data\Tarma Installer

2011-01-16 09:15 . 2011-01-16 18:55 -------- d-----w- d:\program files\FLAC

2011-01-05 02:35 . 2011-01-05 02:35 -------- d-----w- d:\documents and settings\Matt & Katie\Gabrielized Loops

2011-01-04 02:31 . 2011-01-05 02:56 -------- d-----w- D:\DrumCore Data

2011-01-01 06:19 . 2011-01-01 06:19 -------- d-----w- d:\documents and settings\All Users\Application Data\Submersible

2010-12-31 04:40 . 2010-11-02 15:17 40960 -c----w- d:\windows\system32\dllcache\ndproxy.sys

2010-12-31 04:26 . 2010-10-11 14:59 45568 -c----w- d:\windows\system32\dllcache\wab.exe

2010-12-31 04:24 . 2010-09-18 06:53 974848 -c----w- d:\windows\system32\dllcache\mfc42.dll

2010-12-31 04:24 . 2010-09-18 06:53 953856 -c----w- d:\windows\system32\dllcache\mfc40u.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-19 22:16 . 2011-01-19 22:16 124 ----a-w- d:\windows\Fonts\hxjmqml

2011-01-04 02:32 . 2009-01-14 21:23 233472 ----a-w- d:\windows\system32\REX Shared Library.dll

2010-12-21 00:09 . 2009-04-29 19:20 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2009-04-29 19:20 20952 ----a-w- d:\windows\system32\drivers\mbam.sys

2010-11-18 18:12 . 2008-12-07 21:42 81920 ----a-w- d:\windows\system32\isign32.dll

2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- d:\windows\system32\odbc32.dll

2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- d:\windows\system32\wininet.dll

2010-11-06 00:26 . 2004-08-10 12:00 43520 ----a-w- d:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2004-08-10 12:00 1469440 ----a-w- d:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2004-08-10 12:00 385024 ----a-w- d:\windows\system32\html.iec

2010-11-02 15:17 . 2004-08-10 12:00 40960 ----a-w- d:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2004-08-10 12:00 290048 ----a-w- d:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2004-08-10 12:00 1853312 ----a-w- d:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((( SnapShot@2011-01-17_23.28.34 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-01-20 03:14 . 2011-01-20 03:14 16384 d:\windows\Temp\Perflib_Perfdata_608.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2010-12-20 18:09 191488 ------w- d:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="d:\program files\DNA\btdna.exe" [2009-10-07 323392]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="d:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-12-26 13680640]

"nwiz"="nwiz.exe" [2008-12-26 1657376]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-12-26 86016]

"RTHDCPL"="RTHDCPL.EXE" [2009-05-14 17881088]

"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"F5D9050"="d:\program files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 1585152]

d:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-7 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=d:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=myokent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2009-03-15 10:15 180224 ----a-w- d:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Program Files\\DNA\\btdna.exe"=

"d:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Program Files\\Java\\jre6\\bin\\rmiregistry.exe"=

R3 StreamSurge;StreamSurge Driver (miniport);d:\windows\system32\drivers\ss.sys [6/29/2010 8:18 PM 19968]

S3 RegKernelHelp;RegKernelHelp;\??\d:\program files\Safe Returner\RegKernelHelp.sys --> d:\program files\Safe Returner\RegKernelHelp.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2011-01-14 d:\windows\Tasks\AppleSoftwareUpdate.job

- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-20 d:\windows\Tasks\User_Feed_Synchronization-{37F52C48-EE75-4830-8F76-4C4F757B1D8C}.job

- d:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP

mStart Page = hxxp://search.entru.com/?s=21982

IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - d:\program files\DAP\dapextie.htm

IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-19 21:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-1326574676-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:c1,25,6d,eb,b5,ff,db,7f,71,6b,35,4a,95,03,6e,2d,c7,f1,1c,68,95,

0a,a1,13,81,16,fd,d4,d0,86,4a,38,b7,0d,7a,ad,00,d0,20,b3,74,37,71,89,de,54,\

"rkeysecu"=hex:54,bd,84,d7,d8,17,05,e5,38,9a,d5,ad,7b,3f,d7,14

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)

d:\windows\system32\myokent.dll

- - - - - - - > 'lsass.exe'(640)

d:\windows\system32\myokent.dll

- - - - - - - > 'explorer.exe'(1216)

d:\windows\system32\WININET.dll

d:\windows\system32\myokent.dll

d:\windows\system32\webcheck.dll

d:\windows\system32\IEFRAME.dll

d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

d:\windows\system32\mshtml.dll

d:\windows\system32\msls31.dll

d:\windows\system32\ImgUtil.dll

d:\windows\system32\pngfilt.dll

d:\progra~1\COMMON~1\stardock\MCPCore.dll

.

------------------------ Other Running Processes ------------------------

.

d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

d:\program files\Bonjour\mDNSResponder.exe

d:\windows\eHome\ehRecvr.exe

d:\windows\eHome\ehSched.exe

d:\program files\Java\jre6\bin\jqs.exe

d:\windows\system32\nvsvc32.exe

d:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

d:\windows\system32\dllhost.exe

d:\windows\system32\RUNDLL32.EXE

d:\windows\RTHDCPL.EXE

d:\windows\eHome\ehmsas.exe

d:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

d:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-01-19 21:22:31 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-20 03:22

ComboFix2.txt 2011-01-20 02:47

ComboFix3.txt 2011-01-17 23:32

ComboFix4.txt 2009-04-29 23:21

Pre-Run: 481,198,080 bytes free

Post-Run: 454,205,440 bytes free

- - End Of File - - 3DDF34916DA5195F8A0709D8DE6CF373


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    [2010/04/07 00:16:40 | 000,015,802 | -HS- | C] () -- D:\Documents and Settings\Matt & Katie\Local Settings\Application Data\C6158646
    [2010/04/07 00:16:40 | 000,015,802 | -HS- | C] () -- D:\Documents and Settings\All Users\Application Data\C6158646
    [2010/02/23 20:54:15 | 000,013,094 | -HS- | C] () -- D:\Documents and Settings\Matt & Katie\Local Settings\Application Data\Xi7h20PI0
    [2011/01/18 13:40:53 | 000,054,016 | ---- | C] () -- D:\WINDOWS\System32\drivers\qmqb.sys
    [2011/01/17 17:35:32 | 000,054,016 | ---- | C] () -- D:\WINDOWS\System32\drivers\pdcqgjh.sys
    [2011/01/17 08:49:37 | 000,000,120 | ---- | C] () -- D:\WINDOWS\Kyelikerevaf.dat
    [2011/01/17 08:49:37 | 000,000,000 | ---- | C] () -- D:\WINDOWS\Iyidites.bin


    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

================================Malwarebytes' Anti-Malware=================================

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

================================Online scan=================================

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5560

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/20/2011 11:29:00 AM

mbam-log-2011-01-20 (11-29-00).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 291929

Time elapsed: 50 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

d:\Qoobox\quarantine\D\WINDOWS\system32\drivers\geqttm.sys.vir (Trojan.Bubnix.Gen) -> Quarantined and deleted successfully.

d:\system volume information\_restore{48a57f70-d5cb-477f-94c4-4212822f1f92}\RP11\A0004844.sys (Trojan.Bubnix.Gen) -> Quarantined and deleted successfully.

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Flash cache emptied: 405 bytes

User: Matt & Katie

->Temp folder emptied: 49306 bytes

->Java cache emptied: 1667401 bytes

->FireFox cache emptied: 77346949 bytes

->Google Chrome cache emptied: 5897177 bytes

->Flash cache emptied: 18489 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Java cache emptied: 23432 bytes

->Flash cache emptied: 42055 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 1225527 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes

RecycleBin emptied: 739678 bytes

Total Files Cleaned = 83.00 mb

OTL by OldTimer - Version 3.2.20.2 log created on 01202011_080306

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=13ec1452fe80d34f953db80c7332be1e

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-01-20 06:08:02

# local_time=2011-01-20 12:08:02 (-0600, Central Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 62811005 62811005 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=12507

# found=2

# cleaned=2

# scan_time=1635

C:\I386\APPS\APP18873\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C

C:\I386\APPS\APP18873\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=13ec1452fe80d34f953db80c7332be1e

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-01-20 10:52:06

# local_time=2011-01-20 04:52:06 (-0600, Central Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 62823557 62823557 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=167821

# found=7

# cleaned=7

# scan_time=6125

C:\System Volume Information\_restore{48A57F70-D5CB-477F-94C4-4212822F1F92}\RP11\A0004933.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{48A57F70-D5CB-477F-94C4-4212822F1F92}\RP11\A0004934.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C

D:\Documents and Settings\Matt & Katie\My Documents\My Music\LIl Wayne\Tha Carter III\lil_wayne-10-playin_with_fire_(produced_by_streetrunner)-sp1200.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

D:\Documents and Settings\Matt & Katie\My Documents\My Programs\MyWebFaceSetup2.3.50.56.GRfox000.exe.dap a variant of Win32/Toolbar.MyWebSearch.O application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Program Files\Native Instruments\Kontakt Player 2\KontaktPlayer2.exe a variant of Win32/Packed.Themida application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Qoobox\Quarantine\D\WINDOWS\utogigus.dll.vir a variant of Win32/Kryptik.JSR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\System Volume Information\_restore{48A57F70-D5CB-477F-94C4-4212822F1F92}\RP10\A0001675.dll a variant of Win32/Kryptik.JSR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

