Can't remove malware/viruses - tried everything - Need Help


This topic is locked
49 replies to this topic

#1 BQfromNY (Members, 92 posts)

Posted 25 July 2010 - 11:30 PM

I have been infected by a virus/malware. I have attempted to remove it myself using adaware, S&D, and Malwarebytes but to no avail.

I use this computer to do online financing and it is needed so I can continue, for it affects my business.


I would appreciate a quick response. However, I know you are busy, so I will wait patiently.

Note: I started a new topic 3 days ago but got no replies. I assume that's because I didn't post the required logs. If a mod can please close my original topic that would be great.

Thanks in advance!

== BQ ==

DDS (Ver_10-03-17.01) - NTFSX64
Run by BQfromNY at 0:09:32.31 on Mon 07/26/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8190.6465 [GMT -7:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\PostgreSQL\8.4\bin\pg_ctl.exe
C:\Program Files (x86)\EDIMAX\Common\RalinkRegistryWriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files (x86)\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files (x86)\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files (x86)\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files (x86)\PostgreSQL\8.4\bin\postgres.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\EDIMAX\Common\RaUI.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe
C:\Windows\SysWOW64\szetyj67vx.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\BQfromNY\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.woot.com/
uSearch Bar = Preserve
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\bqfromny\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [tghlig] RUNDLL32.EXE c:\users\bqfromny\appdata\local\temp\msgciutr.dll,w
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\x64\3\EKIJ5000MUI.exe
mRun: [szetyj67vx] c:\windows\system32\szetyj67vx.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\wirele~1.lnk - c:\program files (x86)\edimax\common\RaUI.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files (x86)\pokerstars\PokerStarsUpdate.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files (x86)\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
LSP: c:\program files (x86)\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\x64\3\EKIJ5000MUI.exe

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-25 69152]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [2010-7-20 233488]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files (x86)\kodak\aio\center\ekdiscovery.exe [2010-5-17 308592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
R2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files (x86)/PostgreSQL/8.4/data" -w --> C:/Program Files (x86)/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files (x86)\edimax\common\RalinkRegistryWriter.exe [2010-2-5 53760]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2010-7-25 1153368]
R3 rt61x64;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr6164.sys [2009-6-10 393216]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk60x64.sys [2007-12-6 391680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-6-1 136176]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files (x86)\spyware doctor\pctsAuxs.exe [2010-7-20 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files (x86)\spyware doctor\pctsSvc.exe [2010-7-20 1142224]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework64\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2010-2-5 89920]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-07-26 07:02:34 134656 ------w- c:\windows\syswow64\szetyj67v.exe
2010-07-26 07:02:34 11 ----a-w- c:\windows\syswow64\comsats.sys
2010-07-26 04:17:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-26 04:11:07 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-26 03:59:29 0 dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-26 03:59:17 0 d-----w- c:\programdata\Lavasoft
2010-07-26 03:59:17 0 d-----w- c:\program files (x86)\Lavasoft
2010-07-26 03:21:45 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-26 03:21:45 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-07-24 23:00:52 151552 ----a-w- c:\windows\syswow64\szetyj67vx.exe
2010-07-21 00:47:50 1483 ----a-w- c:\windows\lsrslt.ini
2010-07-21 00:24:54 0 d-----w- c:\users\bqfromny\appdata\roaming\Malwarebytes
2010-07-21 00:24:44 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-21 00:24:44 0 d-----w- c:\programdata\Malwarebytes
2010-07-21 00:24:44 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-07-21 00:10:52 7357 ----a-w- c:\windows\system32\drivers\pctgntdi64.cat
2010-07-21 00:10:52 306648 ----a-w- c:\windows\system32\drivers\pctgntdi64.sys
2010-07-21 00:10:52 133072 ----a-w- c:\windows\system32\drivers\pctwfpfilter64.sys
2010-07-21 00:10:51 7353 ----a-w- c:\windows\system32\drivers\pctcore64.cat
2010-07-21 00:10:51 233488 ----a-w- c:\windows\system32\drivers\PCTCore64.sys
2010-07-21 00:10:49 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys
2010-07-21 00:10:49 7353 ----a-w- c:\windows\system32\drivers\pctplsg64.cat
2010-07-21 00:10:46 0 d-----w- c:\users\bqfromny\appdata\roaming\PC Tools
2010-07-21 00:10:46 0 d-----w- c:\programdata\PC Tools
2010-07-21 00:10:46 0 d-----w- c:\program files (x86)\Spyware Doctor
2010-07-21 00:10:46 0 d-----w- c:\program files (x86)\common files\PC Tools
2010-07-21 00:10:29 0 d---a-w- c:\programdata\TEMP
2010-07-20 13:02:15 150 ----a-w- C:\zrpt.xml
2010-07-20 13:01:51 0 d-----w- c:\users\bqfromny\appdata\roaming\F04B062B867069D1342B2B1844C5141B

==================== Find3M ====================

2010-06-18 23:51:07 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-18 23:51:06 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-18 23:51:05 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-05-26 17:23:46 48128 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 17:06:41 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-05-26 15:10:41 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\syswow64\atmfd.dll
2010-05-22 07:03:34 4 ----a-w- c:\users\bqfromny\appdata\roaming\kqyvwo.dat
2010-05-21 21:14:28 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-05-07 17:50:26 612864 ----a-w- c:\windows\system32\EKIJ5000MON.dll
2010-05-07 17:49:18 141312 ----a-w- c:\windows\system32\EKIJCOINST08.dll
2010-05-04 06:56:19 1147904 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 06:51:49 132096 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 06:51:48 77312 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:59:21 916480 ----a-w- c:\windows\syswow64\wininet.dll
2010-05-04 05:59:11 1209344 ----a-w- c:\windows\syswow64\urlmon.dll
2010-05-04 05:58:07 206848 ----a-w- c:\windows\syswow64\occache.dll
2010-05-04 05:56:49 611840 ----a-w- c:\windows\syswow64\mstime.dll
2010-05-04 05:56:28 5950976 ----a-w- c:\windows\syswow64\mshtml.dll
2010-05-04 05:56:25 599040 ----a-w- c:\windows\syswow64\msfeeds.dll
2010-05-04 05:56:25 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-05-04 05:55:56 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2010-05-04 05:55:42 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
2010-05-04 05:55:42 164352 ----a-w- c:\windows\syswow64\ieui.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2010-05-04 05:55:41 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2010-05-04 05:55:41 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2010-05-04 05:55:41 11076096 ----a-w- c:\windows\syswow64\ieframe.dll
2010-05-04 05:55:37 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-05-04 05:01:59 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-04 04:31:05 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2010-05-04 04:30:58 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2010-05-04 04:30:19 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-05-01 14:39:56 2752000 ----a-w- c:\windows\system32\win32k.sys
2010-04-04 00:16:25 65063 ----a-w- c:\program files (x86)\hminstalllog.txt
2010-02-06 04:47:44 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-03-01 14:58:03 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-02-07 06:57:20 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-03-07 07:38:43 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2010-03-07 07:38:43 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\iecompatcache\index.dat
2010-03-07 07:38:43 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\privacie\index.dat

============= FINISH: 0:10:18.03 ===============



#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 04 August 2010 - 08:17 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 BQfromNY (Topic Starter)

Posted 04 August 2010 - 09:54 PM

TY.. Looking forward to getting my computer back.. awaiting instructions.

== BQ ==

#4 m0le (Malware Response Team)

Posted 05 August 2010 - 08:50 AM

There are a number of trojan files on the log. Nothing nasty is showing on the rootkit scanner, so we will try a quick and hard fix.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

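m0le's reading of the DDS log above ("a number of trojan files") rests on a few entries in the Pseudo HJT Report: a browser proxy pointing at 127.0.0.1, a Run entry that has rundll32 load a DLL from the user's Temp folder, a Run entry with a random-looking name, and UAC switched off (EnableLUA = 0). The script below is an added example, not part of this thread or of DDS; it flags those patterns on constructed sample lines in the same format, and the rule names and the vowel-ratio heuristic are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" format. The entries mirror the
# kinds of lines in BQfromNY's log above (paths reproduced as they were posted).
SAMPLE_DDS_LINES = r"""
uStart Page = hxxp://www.woot.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [tghlig] RUNDLL32.EXE c:\users\bqfromny\appdata\local\temp\msgciutr.dll,w
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\x64\3\EKIJ5000MUI.exe
mRun: [szetyj67vx] c:\windows\system32\szetyj67vx.exe
mPolicies-system: EnableLUA = 0 (0x0)
"""

# DDS prefixes: uRun/mRun are the HKCU/HKLM Run keys, mPolicies-system is the
# HKLM UAC policy key, "uInternet Settings" is the current user's IE settings.
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", re.I)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.I)
LUA_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*(?P<value>\d+)", re.I)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.0\.0\.1|localhost|\[::1\]):\d+", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rule: str      # short rule id, defined in this example only
    line: str      # the DDS line that triggered it


def looks_random(name: str) -> bool:
    """Heuristic (mine, not DDS's) for generated value names like 'szetyj67vx':
    a single lowercase alphanumeric token of 8+ characters that mixes letters
    and digits and is poor in vowels. Product names normally fail one test."""
    lowered = name.lower()
    if not re.fullmatch(r"[a-z0-9]{8,}", lowered) or not re.search(r"\d", lowered):
        return False
    letters = [c for c in lowered if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return bool(letters) and vowels / len(letters) < 0.3


def triage(report: str) -> list[Finding]:
    """Walk a Pseudo HJT Report and return the entries a helper would look at first."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        proxy = PROXY_RE.search(line)
        if proxy and LOOPBACK_RE.search(proxy.group("value")):
            # A proxy on 127.0.0.1 means some local process sits between the
            # browser and the network; on a PC used for online banking this is
            # the first thing that needs explaining.
            findings.append(Finding("high", "loopback-proxy", line))
            continue
        lua = LUA_RE.match(line)
        if lua and lua.group("value") == "0":
            findings.append(Finding("medium", "uac-disabled", line))
            continue
        run = RUN_RE.match(line)
        if not run:
            continue
        name, cmd = run.group("name"), run.group("cmd")
        if TEMP_DIR_RE.search(cmd):
            # Legitimate software does not persist out of a Temp folder; in the
            # sample it is rundll32 loading a DLL from the user's Temp directory.
            findings.append(Finding("high", "autorun-from-temp", line))
        elif looks_random(name):
            findings.append(Finding("medium", "random-autorun-name", line))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES):
        print(f"[{f.severity:6}] {f.rule:20} {f.line}")
    print(severity_counts(triage(SAMPLE_DDS_LINES)))
```
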
#5 BQfromNY (Topic Starter)

Posted 05 August 2010 - 11:15 AM

OK... I have a 64 bit system which I believe is not compatible with Combofix... nonetheless, the program would not run.. Please advise.

Also note the following:

- I now have no internet (I am sure the virus is preventing access) so I have to use my laptop to download programs needed and to follow your directions.

- When I reboot, I get an error message that reads "error loading C:\Users\myname\appdata\local\temp\msgciutr.dll"

- When powering on, Spybot detects attempts at changes to my registry. Here are their entries: Malwarebytes Anti-Malware (reboot), BootExecute, and Excludefromknowndlls.. I denied any changes in the registry - wanted to be safe until you direct me.

Thanks again for your help, it is much appreciated.. looking forward to more directions on how to proceed.

== BQ ==

#6 m0le (Malware Response Team)

Posted 05 August 2010 - 11:22 AM

Apologies, still adjusting to the 64 bit.

Please run OTL so we can take a better look at the PC
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


#7 BQfromNY (Topic Starter)

Posted 05 August 2010 - 11:42 AM

Please note I disabled all anti-malware/spyware programs. I currently have the following programs installed on the computer: Spybot, Malware, Adaware, and Windows Defender. I know it seems excessive but I attempted to fix the problem myself.

Here are the logs:
+++++++++++++

OTL logfile created on: 8/5/2010 9:33:16 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\BQfromNY\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 7.00 Gb Available Physical Memory | 82.00% Memory free
16.00 Gb Paging File | 15.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 74.53 Gb Total Space | 14.76 Gb Free Space | 19.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.87 Gb Total Space | 1.86 Gb Free Space | 99.76% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: QUERRIE-PC
Current User Name: BQfromNY
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\BQfromNY\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
PRC - C:\Program Files (x86)\PostgreSQL\8.4\bin\pg_ctl.exe (PostgreSQL Global Development Group)
PRC - C:\Program Files (x86)\PostgreSQL\8.4\bin\postgres.exe (PostgreSQL Global Development Group)
PRC - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files (x86)\EDIMAX\Common\RalinkRegistryWriter.exe ()
PRC - C:\Program Files (x86)\EDIMAX\Common\RaUI.exe (Edimax Technology Co., Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Users\BQfromNY\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\SysWOW64\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (Ati External Event Utility) -- C:\Windows\SysNative\Ati2evxx.exe (ATI Technologies Inc.)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files (x86)\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_64) -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (sdCoreService) -- C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (sdAuxService) -- C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (postgresql-8.4) -- C:\Program Files (x86)\PostgreSQL\8.4\bin\pg_ctl.exe (PostgreSQL Global Development Group)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (SBSDWSCService) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (RalinkRegistryWriter) -- C:\Program Files (x86)\EDIMAX\Common\RalinkRegistryWriter.exe ()


========== Driver Services (SafeList) ==========

DRV:64bit: - (NwlnkFwd) -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys File not found
DRV:64bit: - (NwlnkFlt) -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys File not found
DRV:64bit: - (IpInIp) -- C:\Windows\SysNative\DRIVERS\ipinip.sys File not found
DRV:64bit: - (Lbd) -- C:\Windows\SysNative\DRIVERS\Lbd.sys (Lavasoft AB)
DRV:64bit: - (PCTCore) -- C:\Windows\SysNative\drivers\PCTCore64.sys (PC Tools)
DRV:64bit: - (WpdUsb) -- C:\Windows\SysNative\DRIVERS\wpdusb.sys (Microsoft Corporation)
DRV:64bit: - (rt61x64) -- C:\Windows\SysNative\DRIVERS\netr6164.sys (Ralink Technology, Corp.)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (yukonx64) -- C:\Windows\SysNative\DRIVERS\yk60x64.sys (Marvell)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\Wbem\ntfs.mof ()
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\DRIVERS\ASACPI.sys ()

========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.woot.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/02/05 20:16:03 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/07/24 21:26:50 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4:64bit: - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\SysNative\spool\DRIVERS\x64\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Conime] C:\Windows\SysWOW64\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\SysWow64\spool\DRIVERS\x64\3\EKIJ5000MUI.exe File not found
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [szetyj67vx] C:\Windows\SysWow64\szetyj67vx.exe File not found
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] C:\Users\BQfromNY\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [tghlig] C:\Users\BQfromNY\AppData\Local\Temp\msgciutr.DLL File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O9:64bit: - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files (x86)\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysNative\NLAapi.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysNative\napinsp.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\SysNative\winrnr.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysWOW64\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysWOW64\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\SysWOW64\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysNative\msvidctl.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysNative\inetcomm.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysNative\msvidctl.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysWOW64\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\Windows\SysNative\shell32.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\Windows\SysNative\sysdm.cpl (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\Windows\SysWow64\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\Windows\SysWow64\sysdm.cpl (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\SysNative\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\SysWOW64\webcheck.dll (Microsoft Corporation)
O22:64bit: - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\Windows\SysNative\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\Windows\SysWOW64\browseui.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\BQfromNY\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Users\BQfromNY\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O30:64bit: - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (kerberos) - C:\Windows\SysNative\kerberos.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (schannel) - C:\Windows\SysNative\schannel.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (wdigest) - C:\Windows\SysNative\wdigest.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (tspkg) - C:\Windows\SysNative\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\SysWow64\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\SysWow64\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\SysWow64\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\SysWow64\tspkg.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{95df9be5-1e6d-11df-92fa-0022153fbda0}\Shell\AutoRun\command - "" = .\Encryption Tool\MaxtorEncryption.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: convlwiz - (C:\Windows\system32\RmCllist.dll) - C:\Windows\SysWow64\RmCllist.dll File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/05 09:31:02 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\BQfromNY\Desktop\OTL.exe
[2010/08/05 09:06:57 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/08/01 03:51:02 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Local\xexvxyrai
[2010/07/26 00:09:11 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\Desktop\gmer
[2010/07/25 21:11:07 | 000,069,152 | ---- | C] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/07/25 21:11:07 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2010/07/25 21:00:37 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Local\Sunbelt Software
[2010/07/25 20:59:29 | 000,000,000 | -H-D | C] -- C:\ProgramData\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
[2010/07/25 20:59:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/07/25 20:59:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lavasoft
[2010/07/25 20:21:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/07/25 20:21:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010/07/25 20:19:49 | 128,750,008 | ---- | C] (Lavasoft ) -- C:\Users\BQfromNY\Desktop\Ad-Aware83Install.exe
[2010/07/25 20:14:40 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Users\BQfromNY\Desktop\spybotsd162.exe
[2010/07/24 21:21:50 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\Desktop\Israel Houghton and New Breed
[2010/07/24 21:21:41 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\Desktop\Tye Tribbett & GA - Life
[2010/07/20 18:32:40 | 000,000,000 | RHSD | C] -- C:\RECYCLER
[2010/07/20 17:24:54 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Roaming\Malwarebytes
[2010/07/20 17:24:45 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/07/20 17:24:44 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/07/20 17:24:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/07/20 17:24:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/07/20 17:15:29 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Local\Threat Expert
[2010/07/20 17:10:52 | 000,306,648 | ---- | C] (PC Tools) -- C:\Windows\SysNative\drivers\pctgntdi64.sys
[2010/07/20 17:10:52 | 000,133,072 | ---- | C] (PC Tools) -- C:\Windows\SysNative\drivers\pctwfpfilter64.sys
[2010/07/20 17:10:51 | 000,233,488 | ---- | C] (PC Tools) -- C:\Windows\SysNative\drivers\PCTCore64.sys
[2010/07/20 17:10:49 | 000,092,896 | ---- | C] (PC Tools) -- C:\Windows\SysNative\drivers\pctplsg64.sys
[2010/07/20 17:10:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spyware Doctor
[2010/07/20 17:10:46 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Roaming\PC Tools
[2010/07/20 17:10:46 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2010/07/20 17:10:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PC Tools
[2010/07/20 17:10:29 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/07/20 06:02:27 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Local\iifdvkefk
[2010/07/20 06:01:51 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Roaming\F04B062B867069D1342B2B1844C5141B
[2010/07/10 17:43:41 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Roaming\FileZilla
[2010/07/10 17:43:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FileZilla FTP Client

========== Files - Modified Within 30 Days ==========

[2010/08/05 12:29:28 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\BQfromNY\Desktop\OTL.exe
[2010/08/05 12:04:38 | 003,815,890 | ---- | M] () -- C:\Users\BQfromNY\Desktop\comfix.exe.exe
[2010/08/05 09:32:24 | 004,194,304 | -HS- | M] () -- C:\Users\BQfromNY\ntuser.dat
[2010/08/05 09:11:11 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/05 09:10:31 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/08/05 09:10:31 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/08/05 09:10:29 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/08/05 09:10:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/08/05 09:09:40 | 000,524,288 | -HS- | M] () -- C:\Users\BQfromNY\ntuser.dat{df035733-3f77-11df-8c1a-0022153fbda0}.TMContainer00000000000000000001.regtrans-ms
[2010/08/05 09:09:40 | 000,065,536 | -HS- | M] () -- C:\Users\BQfromNY\ntuser.dat{df035733-3f77-11df-8c1a-0022153fbda0}.TM.blf
[2010/08/05 09:09:38 | 002,225,110 | -H-- | M] () -- C:\Users\BQfromNY\AppData\Local\IconCache.db
[2010/08/05 09:07:18 | 000,720,866 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/08/05 09:07:18 | 000,615,936 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/08/05 09:07:18 | 000,108,834 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/08/05 09:07:01 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2894203282-2819386857-897259243-1000UA.job
[2010/08/05 09:03:26 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{16851572-C406-49F7-B505-7D86AF1F9A44}.job
[2010/08/05 08:55:01 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/05 08:44:22 | 000,000,040 | ---- | M] () -- C:\Windows\SysWow64\service.sys
[2010/08/05 08:43:58 | 000,134,656 | ---- | M] () -- C:\Windows\SysWow64\szetyj67v.exe
[2010/07/31 22:07:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2894203282-2819386857-897259243-1000Core.job
[2010/07/26 00:06:44 | 000,525,824 | ---- | M] () -- C:\Users\BQfromNY\Desktop\dds.scr
[2010/07/25 23:52:44 | 000,000,497 | ---- | M] () -- C:\Users\BQfromNY\Desktop\xp_scr_fix.zip
[2010/07/25 23:46:14 | 000,000,126 | ---- | M] () -- C:\Users\BQfromNY\Desktop\dds.htm
[2010/07/25 23:44:12 | 000,284,915 | ---- | M] () -- C:\Users\BQfromNY\Desktop\gmer.zip
[2010/07/25 22:23:20 | 000,618,945 | ---- | M] () -- C:\Users\BQfromNY\Desktop\Autoruns.zip
[2010/07/25 20:59:24 | 000,001,073 | ---- | M] () -- C:\Users\BQfromNY\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/25 20:59:24 | 000,001,049 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/07/25 20:21:59 | 000,001,121 | ---- | M] () -- C:\Users\BQfromNY\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/07/25 20:21:59 | 000,001,097 | ---- | M] () -- C:\Users\BQfromNY\Desktop\Spybot - Search & Destroy.lnk
[2010/07/25 20:19:49 | 128,750,008 | ---- | M] (Lavasoft ) -- C:\Users\BQfromNY\Desktop\Ad-Aware83Install.exe
[2010/07/25 20:14:53 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Users\BQfromNY\Desktop\spybotsd162.exe
[2010/07/25 10:04:24 | 000,363,520 | ---- | M] () -- C:\Users\BQfromNY\Desktop\rkill.exe
[2010/07/25 07:38:21 | 000,363,520 | ---- | M] () -- C:\Users\BQfromNY\Desktop\iExplore.exe
[2010/07/23 22:00:41 | 000,001,142 | ---- | M] () -- C:\Users\BQfromNY\Desktop\ Mabinogi .lnk
[2010/07/23 19:16:59 | 000,033,280 | ---- | M] () -- C:\Users\BQfromNY\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/20 17:47:50 | 000,001,483 | ---- | M] () -- C:\Windows\lsrslt.ini
[2010/07/20 17:40:22 | 000,363,520 | ---- | M] () -- C:\Users\BQfromNY\Desktop\rkill.com
[2010/07/20 17:24:47 | 000,000,848 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/20 17:16:26 | 000,002,811 | ---- | M] () -- C:\Users\BQfromNY\AppData\Local\ohogerudanesu.dll
[2010/07/20 16:45:48 | 000,002,811 | ---- | M] () -- C:\Users\BQfromNY\AppData\Local\ebocegaqabiheb.dll
[2010/07/20 06:08:27 | 000,002,811 | ---- | M] () -- C:\Users\BQfromNY\AppData\Local\aposikunoseso.dll
[2010/07/20 06:02:15 | 000,000,150 | ---- | M] () -- C:\zrpt.xml
[2010/07/12 01:55:39 | 000,069,152 | ---- | M] (Lavasoft AB) -- C:\Windows\SysNative\drivers\Lbd.sys
[2010/07/12 01:55:38 | 000,015,880 | ---- | M] () -- C:\Windows\SysNative\lsdelete.exe

========== Files Created - No Company Name ==========

[2010/08/05 09:06:05 | 003,815,890 | ---- | C] () -- C:\Users\BQfromNY\Desktop\comfix.exe.exe
[2010/08/05 08:44:22 | 000,000,040 | ---- | C] () -- C:\Windows\SysWow64\service.sys
[2010/08/05 08:43:58 | 000,134,656 | ---- | C] () -- C:\Windows\SysWow64\szetyj67v.exe
[2010/07/26 00:09:08 | 000,525,824 | ---- | C] () -- C:\Users\BQfromNY\Desktop\dds.scr
[2010/07/25 23:52:47 | 000,000,497 | ---- | C] () -- C:\Users\BQfromNY\Desktop\xp_scr_fix.zip
[2010/07/25 23:50:12 | 000,000,126 | ---- | C] () -- C:\Users\BQfromNY\Desktop\dds.htm
[2010/07/25 23:44:10 | 000,284,915 | ---- | C] () -- C:\Users\BQfromNY\Desktop\gmer.zip
[2010/07/25 22:23:15 | 000,618,945 | ---- | C] () -- C:\Users\BQfromNY\Desktop\Autoruns.zip
[2010/07/25 21:17:07 | 000,015,880 | ---- | C] () -- C:\Windows\SysNative\lsdelete.exe
[2010/07/25 20:59:24 | 000,001,073 | ---- | C] () -- C:\Users\BQfromNY\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/25 20:59:24 | 000,001,049 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/07/25 20:21:59 | 000,001,121 | ---- | C] () -- C:\Users\BQfromNY\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/07/25 20:21:59 | 000,001,097 | ---- | C] () -- C:\Users\BQfromNY\Desktop\Spybot - Search & Destroy.lnk
[2010/07/25 10:04:23 | 000,363,520 | ---- | C] () -- C:\Users\BQfromNY\Desktop\rkill.exe
[2010/07/25 07:38:20 | 000,363,520 | ---- | C] () -- C:\Users\BQfromNY\Desktop\iExplore.exe
[2010/07/24 21:03:16 | 000,363,520 | ---- | C] () -- C:\Users\BQfromNY\Desktop\rkill.com
[2010/07/22 21:44:55 | 000,001,142 | ---- | C] () -- C:\Users\BQfromNY\Desktop\ Mabinogi .lnk
[2010/07/20 17:47:50 | 000,001,483 | ---- | C] () -- C:\Windows\lsrslt.ini
[2010/07/20 17:24:47 | 000,000,848 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/20 17:16:26 | 000,002,811 | ---- | C] () -- C:\Users\BQfromNY\AppData\Local\ohogerudanesu.dll
[2010/07/20 17:10:52 | 000,007,357 | ---- | C] () -- C:\Windows\SysNative\drivers\pctgntdi64.cat
[2010/07/20 17:10:51 | 000,007,353 | ---- | C] () -- C:\Windows\SysNative\drivers\pctcore64.cat
[2010/07/20 17:10:49 | 000,007,353 | ---- | C] () -- C:\Windows\SysNative\drivers\pctplsg64.cat
[2010/07/20 17:10:47 | 000,011,496 | ---- | C] () -- C:\Users\BQfromNY\AppData\Local\dd_vcredistUI7416.txt
[2010/07/20 17:10:47 | 000,001,852 | ---- | C] () -- C:\Users\BQfromNY\AppData\Local\dd_vcredistMSI7416.txt
[2010/07/20 17:10:47 | 000,001,812 | ---- | C] () -- C:\Users\BQfromNY\AppData\Local\dd_vcredistMSI7413.txt
[2010/07/20 17:10:46 | 000,011,176 | ---- | C] () -- C:\Users\BQfromNY\AppData\Local\dd_vcredistUI7413.txt
[2010/07/20 16:45:48 | 000,002,811 | ---- | C] () -- C:\Users\BQfromNY\AppData\Local\ebocegaqabiheb.dll
[2010/07/20 06:08:23 | 000,002,811 | ---- | C] () -- C:\Users\BQfromNY\AppData\Local\aposikunoseso.dll
[2010/07/20 06:02:15 | 000,000,150 | ---- | C] () -- C:\zrpt.xml
[2010/04/03 17:29:13 | 000,000,000 | ---- | C] () -- C:\Windows\HMHud.INI
[2010/03/30 17:03:44 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2010/02/08 20:35:23 | 000,000,038 | ---- | C] () -- C:\Windows\ka.ini
[2010/02/06 12:31:35 | 000,722,342 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/02/05 20:46:31 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2010/02/05 20:46:24 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2010/02/05 16:31:06 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\AsIO.dll
[2010/02/05 16:31:06 | 000,013,368 | ---- | C] () -- C:\Windows\SysWow64\drivers\AsIO.sys
[2010/02/05 16:30:36 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2008/01/20 19:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini

========== LOP Check ==========

[2010/07/20 18:17:22 | 000,000,000 | ---D | M] -- C:\Users\BQfromNY\AppData\Roaming\F04B062B867069D1342B2B1844C5141B
[2010/07/21 06:43:51 | 000,000,000 | ---D | M] -- C:\Users\BQfromNY\AppData\Roaming\FileZilla
[2010/03/07 00:39:23 | 000,000,000 | ---D | M] -- C:\Users\BQfromNY\AppData\Roaming\FLV Extract
[2010/02/12 17:17:02 | 000,000,000 | ---D | M] -- C:\Users\BQfromNY\AppData\Roaming\Libronix DLS
[2010/06/25 16:26:59 | 000,000,000 | ---D | M] -- C:\Users\BQfromNY\AppData\Roaming\Temp
[2010/03/26 19:13:39 | 000,000,000 | ---D | M] -- C:\Users\BQfromNY\AppData\Roaming\UnknownApplicationVendor
[2010/07/19 23:55:24 | 000,000,000 | ---D | M] -- C:\Users\BQfromNY\AppData\Roaming\uTorrent
[2010/08/05 09:09:41 | 000,032,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/08/05 09:03:26 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{16851572-C406-49F7-B505-7D86AF1F9A44}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >
+++++++
OTL Extras logfile created on: 8/5/2010 9:33:18 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\BQfromNY\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 7.00 Gb Available Physical Memory | 82.00% Memory free
16.00 Gb Paging File | 15.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 74.53 Gb Total Space | 14.76 Gb Free Space | 19.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.87 Gb Total Space | 1.86 Gb Free Space | 99.76% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: QUERRIE-PC
Current User Name: BQfromNY
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]
"VistaSp2" = 45 24 2A 63 E3 A6 CA 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{08804478-7A0F-416D-B91A-3607C407C506}" = rport=445 | protocol=6 | dir=out | app=system |
"{1E39B470-43F4-4C7F-BD03-6623581090B4}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe |
"{3564ABA3-3F3B-4853-9F1B-8871EE69D1F1}" = rport=137 | protocol=17 | dir=out | app=system |
"{40C1D9C4-8D21-444B-AFDF-A34175946CBE}" = rport=138 | protocol=17 | dir=out | app=system |
"{514D187C-B02C-43F7-A235-99FDACF1ED57}" = lport=139 | protocol=6 | dir=in | app=system |
"{55FAC87B-F590-4603-ACCB-60213C849C5F}" = rport=139 | protocol=6 | dir=out | app=system |
"{6A4B7F4C-882F-44D3-9E73-485BDF63944C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{6F4D4859-BFBA-4263-B9BE-531A339D9DF9}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{814158A0-A603-40DA-9481-E60912CDBD43}" = lport=5432 | protocol=6 | dir=in | name=postgres |
"{95B402B8-E14D-431F-85EE-1C4CA881CAFC}" = lport=445 | protocol=6 | dir=in | app=system |
"{D63642AA-422A-480C-9607-0644C17B70C5}" = lport=137 | protocol=17 | dir=in | app=system |
"{F9559DCC-DEE9-48E6-B00D-67D207103E29}" = lport=9322 | protocol=6 | dir=in | name=ekdiscovery |
"{FF0D110F-43D1-40B5-A1A7-C2E181B74F0A}" = lport=138 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{259A8055-2324-4DA2-A3FA-62819FF858E0}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{29047B77-1152-4FB1-9EC2-AE36C99618AB}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{2E08A848-717E-4B8D-B598-79B428F2B4C4}" = protocol=6 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"{3F72399D-C01E-4BC5-85C4-D12C25C77272}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{4B5D3EF6-6BC8-479B-A243-69EF25805635}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{4EBEC4C7-740C-44C1-8EF5-5FDBF8E52534}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{536345A6-F1B4-49B5-A957-9A5EAF8DBD9A}" = protocol=17 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{5D2D0CA5-6A05-45CB-816C-19D5F45A27E2}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{6CCEDC8C-664E-43DA-ADF9-3E669495EF8B}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{7292840C-24E1-4264-B5C3-4AFDE0C66301}" = protocol=6 | dir=in | app=c:\windows\temp\~ose2b1.tmp\rlvknlg.exe |
"{85B13121-72CF-48CF-B0A3-4A51101095EC}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{8D8C0F70-5357-4C13-BBBD-23E20FCF3ECB}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{B4DF286B-FC92-4C41-92F4-E0F099D27666}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{B9BC12DC-7350-4DAC-B0CB-2C6B3925FAB2}" = protocol=6 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{C845917D-1124-4DCE-89E6-6F5EA6238EFE}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{CBEC96CA-5352-4073-A46F-D9AA47CAC4CA}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{CC63F159-B075-4D4F-912C-0F241A29E702}" = protocol=17 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"{D33CE1AD-6352-4518-BFB8-02DB87C5F838}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{DD04CB45-CAC0-414B-90D2-011009B00CA3}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{E952D891-19F4-4463-9E1A-8C85D40D6BB7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"TCP Query User{0FBC858A-CE7E-4531-9249-CF0DABD97284}C:\program files (x86)\mektek.net\mechwarrior mercenaries - mektek mekpak\mw4mercs.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mektek.net\mechwarrior mercenaries - mektek mekpak\mw4mercs.exe |
"TCP Query User{633818D5-1161-4193-A815-8F618C5F78DA}C:\program files (x86)\mektek.net\mtx\profiles\mechwarrior mercenaries - mektek mekpak\mw4mercs.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mektek.net\mtx\profiles\mechwarrior mercenaries - mektek mekpak\mw4mercs.exe |
"TCP Query User{8D491CD2-7278-4896-875A-C69E299BC478}C:\program files (x86)\sony\everquest ii\eq2voiceservice.exe" = protocol=6 | dir=in | app=c:\program files (x86)\sony\everquest ii\eq2voiceservice.exe |
"TCP Query User{9596DBB5-6396-4451-BFD4-213D703D59E0}C:\program files (x86)\steam\steamapps\common\crysis\bin64\crysis64.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\crysis\bin64\crysis64.exe |
"TCP Query User{D246BBF5-F4C4-4642-AEAC-6E742BE46807}C:\program files (x86)\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\java.exe |
"TCP Query User{D491752F-11C7-4E3D-81DA-40830CE32410}C:\program files (x86)\mektek.net\mtx\mtx.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mektek.net\mtx\mtx.exe |
"TCP Query User{FEE92155-8D47-4235-B09A-28ECFC3809AF}C:\program files (x86)\sony\everquest ii\launchpad.exe" = protocol=6 | dir=in | app=c:\program files (x86)\sony\everquest ii\launchpad.exe |
"UDP Query User{0DD4ABC8-4B75-4038-B92F-6FFF12FCCCCB}C:\program files (x86)\steam\steamapps\common\crysis\bin64\crysis64.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\crysis\bin64\crysis64.exe |
"UDP Query User{2DDC2D0D-84CF-4C55-97F7-632C7BA2F50A}C:\program files (x86)\mektek.net\mechwarrior mercenaries - mektek mekpak\mw4mercs.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mektek.net\mechwarrior mercenaries - mektek mekpak\mw4mercs.exe |
"UDP Query User{665A4F48-C52D-4945-898F-104C2D4D623F}C:\program files (x86)\sony\everquest ii\eq2voiceservice.exe" = protocol=17 | dir=in | app=c:\program files (x86)\sony\everquest ii\eq2voiceservice.exe |
"UDP Query User{6829E473-B238-4791-A79B-98225EF59B9F}C:\program files (x86)\sony\everquest ii\launchpad.exe" = protocol=17 | dir=in | app=c:\program files (x86)\sony\everquest ii\launchpad.exe |
"UDP Query User{87EBCE2A-D41F-4765-84A6-201B19BE6A39}C:\program files (x86)\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\java.exe |
"UDP Query User{8E606DF0-0526-46A1-A56E-8CC540DB1198}C:\program files (x86)\mektek.net\mtx\profiles\mechwarrior mercenaries - mektek mekpak\mw4mercs.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mektek.net\mtx\profiles\mechwarrior mercenaries - mektek mekpak\mw4mercs.exe |
"UDP Query User{D9FB37F7-E34B-4C29-A514-D345AAD48B1C}C:\program files (x86)\mektek.net\mtx\mtx.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mektek.net\mtx\mtx.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{167F938F-5AD3-40e2-B05D-2B7C6F0FDE48}" = HP Deskjet D1500 Printer Driver 10.0 Rel .3
"{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{A2B16A37-6F22-6F71-FED4-773C09CF4602}" = ATI Catalyst Install Manager
"{ABCA4D9C-6FBB-FEBC-DB27-CBA018529D8D}" = ccc-utility64
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1EF69B7-7A97-40FC-9AF1-6D6656FF874F}" = ATI AVIVO64 Codecs
"{DAE239CE-EB9D-4EB3-B0D4-528D6BAA48FD}" = Bonjour
"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{19DDEE14-1A97-196F-B33B-5F069C929ACA}" = HydraVision
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{277F41AC-1A48-535A-B01D-DC122D9BACD5}" = Skins
"{305468A6-DE2D-43ba-A168-2F45A97A89DA}" = DJ_SF_03_D1500_Software_Min
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3E932E56-09ED-EBB9-CF60-5FF5F767CA73}" = Catalyst Control Center Graphics Full New
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{48B41C3A-9A92-4B81-B653-C97FEB85C910}" = C4USelfUpdater
"{4957E341-3C94-5D88-4592-CC90888FB5A6}" = Catalyst Control Center Graphics Light
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}" = GameSpy Comrade
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6583D00E-0924-4950-8BE9-5D09FE70B333}" = MTX
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{8048CA89-D6EA-C1EA-E477-2DA5B0739166}" = Catalyst Control Center Graphics Previews Common
"{8D24AD6D-25B8-980F-D153-46785DF73EAF}" = ccc-core-static
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002A-0000-1000-0000000FF1CE}_PROPLUS_{00C5525B-3CB3-467D-8100-2E6FB306CD86}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002A-0409-1000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0116-0409-1000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA5F2BD4-9D75-755E-ED99-4002597B5C6F}" = Catalyst Control Center Graphics Previews Vista
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AF1C0686-E2EB-37BA-01FC-BED04845DFE8}" = Catalyst Control Center HydraVision Full
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C93A8A74-ECF5-EE9A-2B67-B2DAB86FEFEA}" = Catalyst Control Center Core Implementation
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Center
"{E710D350-2F56-3084-070A-133742C77AFE}" = Catalyst Control Center Graphics Full Existing
"{ECD81E39-A85F-ECAE-2F3E-8CAC79C5F4F6}" = CCC Help English
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FA3A247D-437A-455E-A88F-7EB6E5F9E799}" = Catalyst Control Center - Branding
"{FAB1F336-1B7C-4057-A7BC-2922CD82A781}" = Edimax Wireless LAN
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Bejeweled 2 Deluxe" = Bejeweled 2 Deluxe (remove only)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"EQ2MAP Updater" = EQ2MAP Updater 1.2.4
"FileZilla Client" = FileZilla Client 3.3.3
"HoldemManager" = Holdem Manager
"Mabinogi" = Mabinogi
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MWLL Actionmapper v0.2" = MWLL Actionmapper v0.2
"PokerStars" = PokerStars
"PostgreSQL 8.4" = PostgreSQL 8.4
"PROPLUS" = Microsoft Office Professional Plus 2007
"Spyware Doctor" = Spyware Doctor 7.0
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:46 PM

Posted 05 August 2010 - 11:56 AM

QUOTE
I currently have the following programs installed on the computer: Spybot, Malware, Adaware, and Windows defender. I know it seems excessive


Not too excessive. Ad-Aware and Spybot shouldn't be running together though. Pick one and ditch the other one.

Okay, let's see if we can script the baddies out with another run of OTL, as below.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following (If you have set a proxy please take out the first three lines)

CODE
:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [szetyj67vx] C:\Windows\SysWow64\szetyj67vx.exe File not found
O4 - HKCU..\Run: [tghlig] C:\Users\BQfromNY\AppData\Local\Temp\msgciutr.DLL File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
[2010/08/01 03:51:02 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Local\xexvxyrai
[2010/07/20 06:02:27 | 000,000,000 | ---D | C] -- C:\Users\BQfromNY\AppData\Local\iifdvkefk
[2010/08/05 09:03:26 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{16851572-C406-49F7-B505-7D86AF1F9A44}.job
[2010/07/20 17:16:26 | 000,002,811 | ---- | M] () -- C:\Users\BQfromNY\AppData\Local\ohogerudanesu.dll
[2010/07/20 16:45:48 | 000,002,811 | ---- | M] () -- C:\Users\BQfromNY\AppData\Local\ebocegaqabiheb.dll
[2010/07/20 06:08:27 | 000,002,811 | ---- | M] () -- C:\Users\BQfromNY\AppData\Local\aposikunoseso.dll
@Alternate Data Stream - 158 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:A8ADE5D8
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

m0le is a proud member of UNITE
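A small triage helper for the line shapes used in the OTL fix above, written here as an added example (it is not part of the thread and not OTL's own code): it parses the "IE - ...: "ProxyServer" = ..." and "O4 - HKLM..\Run: [name] target" entries and flags a proxy pointed at the local machine, autoruns whose target file is missing, and autoruns launched from a temp folder. The sample lines are copied from the fix script, plus one constructed benign autorun for contrast; the rule names are my own.

```python
"""Flag the indicators the OTL fix above removes, from OTL-style log lines."""
import ipaddress
import re

# 'IE - HKCU\...\Internet Settings: "ProxyServer" = http=127.0.0.1:5643'
IE_SETTING = re.compile(r'^IE - (?P<key>.+?): "(?P<name>[^"]+)" = (?P<value>.*)$')
# 'O4 - HKLM..\Run: [szetyj67vx] C:\Windows\SysWow64\szetyj67vx.exe File not found'
AUTORUN = re.compile(
    r'^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] '
    r'(?P<target>.*?)(?P<missing> File not found)?$'
)
# ProxyServer is either "host:port" or "proto=host:port;proto=host:port".
PROXY_ENTRY = re.compile(r'(?:\w+=)?(?P<host>[^:;=\s]+):(?P<port>\d+)')
# Folders a legitimate autorun should not live in (compared lower-cased).
TEMP_DIRS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\')

# Lines copied from the fix script, plus one constructed benign entry.
SAMPLE_LOG = [
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643',
    r'O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.',
    r'O4 - HKLM..\Run: [szetyj67vx] C:\Windows\SysWow64\szetyj67vx.exe File not found',
    r'O4 - HKCU..\Run: [tghlig] C:\Users\BQfromNY\AppData\Local\Temp\msgciutr.DLL File not found',
    # constructed benign autorun: present on disk, signed, not in a temp folder
    r'O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1',
]


def proxy_hosts(value):
    """Return the host part of every host:port entry in a ProxyServer value."""
    return [m.group('host') for m in PROXY_ENTRY.finditer(value)]


def is_loopback(host):
    """True for localhost or any loopback IP; a browser proxy there means a
    local process is intercepting web traffic (a stolen-credential risk)."""
    if host.lower() == 'localhost':
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage(lines):
    """Return (rule, name, detail) findings for the suspicious entries."""
    findings = []
    proxy = {}
    for raw in lines:
        line = raw.strip()
        m = IE_SETTING.match(line)
        if m:
            proxy[m.group('name')] = m.group('value')
            continue
        m = AUTORUN.match(line)
        if not m:
            continue  # other OTL line types are ignored by this helper
        name, target = m.group('name'), m.group('target')
        if m.group('missing'):
            # an autorun whose file is gone is leftover persistence to clean
            findings.append(('autorun-missing-target', name, target))
        if any(t in target.lower() for t in TEMP_DIRS):
            findings.append(('autorun-from-temp', name, target))
    # Only an enabled proxy matters; the override list does not change that.
    if proxy.get('ProxyEnable') == '1':
        for host in proxy_hosts(proxy.get('ProxyServer', '')):
            if is_loopback(host):
                findings.append(('loopback-proxy', 'ProxyServer', proxy['ProxyServer']))
    return findings


if __name__ == '__main__':
    for rule, name, detail in triage(SAMPLE_LOG):
        print(f'{rule:24} {name:14} {detail}')
```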

#9 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 05 August 2010 - 12:03 PM

Please note - internet is now working.

========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\szetyj67vx deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\tghlig deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
C:\Users\BQfromNY\AppData\Local\xexvxyrai folder moved successfully.
C:\Users\BQfromNY\AppData\Local\iifdvkefk folder moved successfully.
C:\Windows\Tasks\User_Feed_Synchronization-{16851572-C406-49F7-B505-7D86AF1F9A44}.job moved successfully.
C:\Users\BQfromNY\AppData\Local\ohogerudanesu.dll moved successfully.
C:\Users\BQfromNY\AppData\Local\ebocegaqabiheb.dll moved successfully.
C:\Users\BQfromNY\AppData\Local\aposikunoseso.dll moved successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:A8ADE5D8 deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.9.1 log created on 08052010_100021


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:46 PM

Posted 05 August 2010 - 12:07 PM

Okay, now we're in amongst it...

Please now run ESET and let's see what else we can dig up.
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.


m0le is a proud member of UNITE

#11 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 05 August 2010 - 12:54 PM

Thanks again for all the help!

I have a few questions:

- Is it ok to download window updates?
- Is it now ok to log onto sites using my name/pass?
- You suggested I delete either adaware or spybot.. which do you suggest I KEEP?

Here's the latest log:

C:\Program Files (x86)\mektek.net\MTX\temp\games\mechwarrior4mercenaries.all.to.51.03.01.0017.mtx probably a variant of Win32/StartPage trojan
C:\Program Files (x86)\mektek.net\MTX\temp\games\MW4Mercs.exe probably a variant of Win32/StartPage trojan
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-468b4d0b multiple threats
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3e17490c-53a8815d multiple threats
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-2aa20135 Java/TrojanDownloader.Agent.NBL trojan
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7adbb65d-2be3f581 multiple threats
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30feb821-3b874f1a Java/TrojanDownloader.Agent.NBK trojan
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6aa23129-161cf7cf a variant of Java/Exploit.Agent.NAC trojan
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\64200ea-5b62a7ec multiple threats
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\556445eb-47ffb657 probably a variant of Win32/Agent trojan
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\556445eb-7db63ec7 Java/TrojanDownloader.Agent.NBL trojan
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\5473416c-5e68b43a multiple threats
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-113c79dd Java/TrojanDownloader.Agent.NBL trojan
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-6af702e6 probably a variant of Win32/Agent trojan
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\31bba1f4-468b79fc Java/TrojanDownloader.Agent.NBL trojan
C:\Users\BQfromNY\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\2d475f78-37c0ec85 multiple threats
C:\Windows\System32\szetyj67v.exe Win32/Refpron.LB trojan
C:\Windows\SysWOW64\szetyj67v.exe Win32/Refpron.LB trojan


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:46 PM

Posted 05 August 2010 - 04:21 PM

Lots of questions there!
QUOTE
1. Is it ok to download window updates?
2. Is it now ok to log onto sites using my name/pass?
3. You suggested I delete either adaware or spybot.. which do you suggest I KEEP?


1. No, not yet. When I call it clean, then you can run the updates.

2.
QUOTE
C:\Windows\System32\szetyj67v.exe Win32/Refpron.LB trojan


This is a trojan/backdoor. When you are clean you can use your PC for names and passwords but change them as you go, this trojan may have sent the previous data back past your firewall to hackers. Be aware also that once a trojan/backdoor gets through your security it is never as strong unless you reformatted and reinstalled the operating system. Whether you feel that the information your PC holds is worthy of that is up to you.

3. The last question is tricky. I would personally uninstall them both and install Superantispyware - a more impressive product. Again, wait until you are clean before you do this.


Right, now run OTL again so we can remove the ESET finds.

Under the Custom Scans/Fixes box at the bottom, paste in the following

CODE
:OTL
C:\Program Files (x86)\mektek.net\MTX\temp\games\mechwarrior4mercenaries.all.to.51.03.01.0017.mtx
C:\Program Files (x86)\mektek.net\MTX\temp\games\MW4Mercs.exe
C:\Windows\System32\szetyj67v.exe
C:\Windows\SysWOW64\szetyj67v.exe
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Next we remove the Java cache items

To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon. If you don't see it, go to Other options in the left panel or change to Classic View
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • Applications and applets
    • Trace and log files
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.
m0le is a proud member of UNITE
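A defender-side check for the two clean-up steps in this post (restoring the exefile\shell\open\command value that the OTL :reg block sets, and the Java deployment cache that ESET flagged), as an added PowerShell example; it is not from the thread, OTL or ESET. It assumes PowerShell 5.1 or later, that the stock Windows value for the exe association is "%1" %*, and that the Java cache lives under the current user's AppData\LocalLow\Sun\Java\Deployment\cache as in the ESET log above; the function names are mine. Reading HKLM works from a normal prompt, but the -Repair switch on the HKLM key needs an elevated one.

```powershell
# Added example, not part of the thread or of OTL/ESET. Assumes PowerShell 5.1+
# and, for repairing the HKLM key, an elevated prompt.

$ExpectedExeCommand = '"%1" %*'   # stock Windows value for exefile\shell\open\command

function Test-ExeAssociation {
    # Reads the (default) value of exefile\shell\open\command in HKLM and in the
    # per-user HKCU override and reports whether each matches the stock value.
    # With -Repair, an unexpected value is set back to the stock one.
    param([switch]$Repair)

    $keys = @(
        'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
        'HKCU:\Software\Classes\exefile\shell\open\command'   # normally absent on a clean machine
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) {
            [pscustomobject]@{ Key = $key; Value = $null; Status = 'Absent' }
            continue
        }
        $value  = (Get-Item -Path $key).GetValue('')     # '' is the (default) value name
        $status = if ($value -eq $ExpectedExeCommand) { 'OK' } else { 'Unexpected' }
        if ($status -eq 'Unexpected' -and $Repair) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $ExpectedExeCommand
            $status = 'Repaired'
        }
        [pscustomobject]@{ Key = $key; Value = $value; Status = $status }
    }
}

function Get-JavaCacheInventory {
    # Lists every file in the JRE deployment cache (the folder the ESET scan
    # reported) with size, timestamp and SHA-256, so entries can be recorded or
    # checked before the cache is cleared through the Java Control Panel.
    $cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
    if (-not (Test-Path -Path $cache)) { return @() }
    Get-ChildItem -Path $cache -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Bytes    = $_.Length
            Modified = $_.LastWriteTime
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Report only; add -Repair to Test-ExeAssociation from an elevated prompt to fix HKLM.
Test-ExeAssociation | Format-Table -AutoSize
Get-JavaCacheInventory | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it before and after the OTL fix: the HKLM row should read OK with the value "%1" %*, and the HKCU row should be Absent, since a present HKCU entry would take precedence for that user and is worth looking at. The cache inventory gives you the hashes of the flagged Java files before the Control Panel steps below delete them.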

#13 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 05 August 2010 - 09:47 PM

========== OTL ==========
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.9.1 log created on 08052010_194246

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:46 PM

Posted 06 August 2010 - 04:01 AM

How is the PC running now, BQfromNY?
m0le is a proud member of UNITE

#15 BQfromNY

BQfromNY
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 06 August 2010 - 05:36 AM

Honestly, I haven't been using it since I can't log onto my regular sites.. but with the little use it has had I see no major issues... are you saying I am clear? Shall I do some of the usual scans?

== BQ ==



