Malwarebytes blocks numerous websites [Solved] - Geeks to Go Forums

Malwarebytes blocks numerous websites [Solved] - Mbam scan keeps finding C:\Windows\system32\Drivers...

#1 cody1

  • Group: Member
  • Posts: 24
  • Joined: 10-March 09

Posted 28 May 2010 - 09:24 AM

I have followed the steps in your "Before Posting a HijackThis Log." The results are pasted in order:

I've tried to install Avira, but a previous version will not uninstall and I have yet to figure out how. I followed all the websites' guides but can't get past the locked registry files; even after trying to change permissions (advanced/owner/myself/apply), nothing works.

MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4151

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/28/2010 9:03:51 AM
mbam-log-2010-05-28 (09-03-51).txt

Scan type: Quick scan
Objects scanned: 121421
Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\gelfkbjq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

********************************************************************************


GMER: (See attached zip please)

********************************************************************************


OTL:

OTL logfile created on: 5/28/2010 9:34:58 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\Codeman\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 213.80 Gb Total Space | 133.83 Gb Free Space | 62.60% Space Free | Partition Type: NTFS
Drive D: | 153.38 Gb Total Space | 0.01 Gb Free Space | 0.01% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 164.18 Gb Total Space | 100.44 Gb Free Space | 61.18% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 242.53 Gb Total Space | 151.69 Gb Free Space | 62.55% Space Free | Partition Type: NTFS
Drive K: | 232.88 Gb Total Space | 177.19 Gb Free Space | 76.09% Space Free | Partition Type: NTFS

Computer Name: CODEMAN-MYPC
Current User Name: Codeman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/28 09:32:43 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Codeman\Desktop\OTL.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/02/17 08:48:43 | 000,015,928 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2010/01/01 01:42:54 | 000,108,544 | ---- | M] (Yamicsoft) -- C:\Program Files\Yamicsoft\Windows 7 Manager\FreeMemory.exe
PRC - [2009/10/31 00:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/30 06:57:08 | 000,369,200 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2009/10/23 20:44:36 | 001,732,960 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2009/08/15 17:47:08 | 001,613,824 | ---- | M] (Voyetra Turtle Beach, Inc.) -- C:\Program Files\Turtle Beach\Riviera\TBRivieraTray.exe
PRC - [2009/07/13 20:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2008/11/12 20:49:28 | 000,057,344 | ---- | M] (Ideazon, Inc.) -- C:\Program Files\Ideazon\ZEngine\Zboard.exe
PRC - [2008/08/10 04:05:54 | 000,080,368 | ---- | M] () -- C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
PRC - [2008/08/01 12:59:26 | 000,125,424 | ---- | M] () -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
PRC - [2007/09/25 03:10:50 | 002,007,088 | ---- | M] (FlashGet.com) -- C:\Program Files\flashget\flashget.exe


========== Modules (SafeList) ==========

MOD - [2010/05/28 09:32:43 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Codeman\Desktop\OTL.exe
MOD - [2009/07/13 20:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 20:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 20:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 20:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 20:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 20:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 20:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 20:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 20:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 20:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
MOD - [2007/05/18 11:13:08 | 000,053,329 | ---- | M] (www.flashget.com) -- C:\Program Files\flashget\fgmgr.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/03/03 10:44:41 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/01/11 22:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/10/23 20:44:36 | 001,732,960 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2009/10/20 13:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/07/13 20:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 20:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 20:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 20:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (DEFRAGSVC)
SRV - [2009/07/13 20:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 20:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/01/09 08:46:25 | 001,122,304 | R--- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe -- (RoxMediaDB11)
SRV - [2008/08/14 01:25:24 | 000,367,088 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe -- (Roxio Upnp Server 11)
SRV - [2008/08/14 01:25:20 | 000,313,840 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe -- (Roxio UPnP Renderer 11)
SRV - [2008/08/14 01:24:06 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe -- (RoxLiveShare11)
SRV - [2008/08/14 01:24:02 | 000,170,480 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe -- (RoxWatch11)
SRV - [2008/08/01 12:59:26 | 000,125,424 | ---- | M] () [Auto | Running] -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe -- (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269)


========== Driver Services (SafeList) ==========

DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/02/28 12:40:42 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/02/16 13:01:19 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 13:01:19 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/02/16 13:01:19 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/01/11 23:03:33 | 011,586,280 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/12/11 02:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/10/21 02:04:34 | 000,045,232 | ---- | M] (Diskeeper Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\DKRtWrt.sys -- (DKRtWrt)
DRV - [2009/10/20 13:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2009/10/05 17:31:50 | 001,221,632 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/07/13 20:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 20:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 20:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 20:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 20:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 20:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 20:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 20:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 20:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 20:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 20:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 20:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 20:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 20:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 20:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 20:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 20:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 20:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 20:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 20:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 20:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 20:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 20:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 20:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 20:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 20:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 20:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 20:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 20:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 20:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 20:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 20:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 20:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 20:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 20:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 20:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 20:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 20:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 20:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 19:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 19:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 19:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 18:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 18:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 18:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 18:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/13 18:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 18:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 18:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 18:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 18:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 18:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 18:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 18:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 18:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 18:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 18:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 18:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 18:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 18:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 17:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 17:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 17:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 17:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 17:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 17:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 17:02:53 | 000,311,296 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/07/13 17:02:50 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2009/07/13 17:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 17:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 17:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/05/22 16:03:00 | 001,872,320 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cmudax3.sys -- (cmuda3)
DRV - [2008/08/11 12:03:24 | 000,254,320 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\Windows\System32\drivers\C2SCSI.SYS -- (c2scsi)
DRV - [2008/08/11 11:53:22 | 000,057,328 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2008/08/01 02:00:00 | 000,025,584 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\Windows\System32\drivers\SaibVd32.sys -- (SaibVd32)
DRV - [2008/08/01 02:00:00 | 000,020,464 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\SahdIa32.sys -- (SahdIa32)
DRV - [2008/08/01 02:00:00 | 000,015,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\SaibIa32.sys -- (SaibIa32)
DRV - [2007/07/23 10:56:58 | 000,042,624 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Alpham1.sys -- (Alpham1)
DRV - [2007/03/20 12:49:52 | 000,018,432 | ---- | M] (Ideazon Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Alpham2.sys -- (Alpham2)
DRV - [2007/02/15 12:48:14 | 000,026,624 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tap0801.sys -- (tap0801)
DRV - [2003/09/19 19:23:40 | 000,045,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VMNetSrv.sys -- (VPCNetS2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.98
FF - prefs.js..extensions.enabledItems: {E650144D-9036-41F0-BCBE-2CF9896E8C31}:1.9.1
FF - prefs.js..network.proxy.share_proxy_settings: true

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2010/02/28 02:36:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/19 05:11:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/23 20:24:52 | 000,000,000 | ---D | M]

[2010/02/28 02:39:12 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\Mozilla\Extensions
[2010/04/08 19:20:58 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\Mozilla\Firefox\Profiles\f22r4zhq.default\extensions
[2010/05/28 07:30:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/06/10 16:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\flashget\Jccatch.dll (www.flashget.com)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\flashget\getflash.dll (www.flashget.com)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (FlashGet Bar) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\flashget\fgiebar.dll (Amaze Soft)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [CPMonitor] C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe ()
O4 - HKLM..\Run: [Flashget] C:\Program Files\flashget\flashget.exe (FlashGet.com)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe (Sonic Solutions)
O4 - HKLM..\Run: [Turtle Beach Riviera] C:\Program Files\Turtle Beach\Riviera\TBRivieraTray.exe (Voyetra Turtle Beach, Inc.)
O4 - HKLM..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe (Ideazon, Inc.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - Startup: C:\Users\Codeman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousMachineGroupPolicy = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousUserGroupPolicy = 0
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\flashget\jc_all.htm ()
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\flashget\jc_link.htm ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\flashget\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\flashget\flashget.exe (FlashGet.com)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: kuaiche.com ([software] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/02/20 16:07:06 | 000,000,000 | -H-D | M] - C:\Autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/03/20 10:45:45 | 000,000,000 | RHSD | M] - K:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{4bba8e11-2628-11df-816f-00508db27a99}\Shell - "" = AutoRun
O33 - MountPoints2\{4bba8e11-2628-11df-816f-00508db27a99}\Shell\AutoRun\command - "" = I:\autorun.exe -- File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/13 21:37:08 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/28 09:33:00 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Users\Codeman\Desktop\OTL.exe
[2010/05/25 12:02:49 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/23 01:02:29 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/23 01:01:52 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/16 09:28:43 | 000,000,000 | ---D | C] -- C:\Program Files\MediaInfo
[2010/05/12 21:19:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Codemasters
[2010/05/12 21:18:59 | 000,000,000 | ---D | C] -- C:\Users\Codeman\Documents\My Games
[2010/05/12 21:18:58 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2010/05/12 19:13:21 | 000,872,448 | ---- | C] (Blue Ripple Sound Limited) -- C:\Windows\System32\rapture3d_oal.dll
[2010/05/12 19:13:20 | 000,000,000 | ---D | C] -- C:\Program Files\BRS
[2010/05/12 19:12:57 | 000,000,000 | ---D | C] -- C:\Windows\System32\xlive
[2010/05/12 19:12:57 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Games for Windows - LIVE
[2010/05/12 19:12:46 | 000,445,016 | ---- | C] (Creative Labs) -- C:\Windows\System32\wrap_oal.dll
[2010/05/12 19:12:46 | 000,109,144 | ---- | C] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\System32\OpenAL32.dll
[2010/05/12 19:12:46 | 000,000,000 | ---D | C] -- C:\Program Files\OpenAL
[2010/05/12 18:56:30 | 000,000,000 | ---D | C] -- C:\Program Files\Codemasters
[2010/05/12 12:55:15 | 000,000,000 | ---D | C] -- C:\Program Files\flashget
[2010/05/12 04:45:56 | 000,000,000 | ---D | C] -- C:\ProgramData\createpart
[2010/05/10 01:39:17 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\cyiydnqii
[2010/05/09 21:14:33 | 000,000,000 | ---D | C] -- C:\Users\Codeman\Documents\NFS Most Wanted
[2010/04/27 02:21:23 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2010/04/26 11:13:45 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\lugfmuupc
[2010/04/26 02:07:25 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\Malwarebytes
[2010/04/26 02:07:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/26 02:07:18 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/26 02:07:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/26 02:07:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/26 01:26:44 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}
[2010/04/03 15:08:11 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/03/27 18:18:44 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/03/27 08:11:37 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\BITS
[2010/03/27 08:11:36 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\FlashGetBHO
[2010/03/27 04:40:26 | 000,000,000 | ---D | C] -- C:\Users\Codeman\Documents\Command and Conquer 4
[2010/03/27 04:38:56 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\Command and Conquer 4
[2010/03/27 04:18:27 | 000,000,000 | ---D | C] -- C:\Program Files\Electronic Arts
[2010/03/26 13:45:34 | 000,000,000 | ---D | C] -- C:\Users\Codeman\Desktop\Command.And.Conquer.4.Tiberian.Twilight-RELOADED
[2010/03/25 20:37:10 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\HideIPEasy
[2010/03/25 20:37:10 | 000,000,000 | ---D | C] -- C:\ProgramData\HideIPEasy
[2010/03/25 20:28:25 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/03/25 20:26:19 | 000,000,000 | ---D | C] -- C:\Program Files\VMNetSrv
[2010/03/24 15:57:20 | 000,000,000 | -HSD | C] -- C:\Nsi.pending
[2010/03/24 15:56:02 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\Steganos VPN
[2010/03/24 15:38:43 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\Google
[2010/03/21 15:52:24 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\Thinstall
[2010/03/21 15:52:24 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\Thinstall
[2010/03/21 15:46:30 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\BSplayer
[2010/03/21 15:27:05 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\DivX
[2010/03/21 15:26:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/03/21 15:26:28 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/03/19 15:51:53 | 000,000,000 | ---D | C] -- C:\Windows\tmp
[2010/03/16 13:57:46 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\ElevatedDiagnostics
[2010/03/14 17:23:48 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\Apple Computer
[2010/03/14 17:23:48 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\Apple Computer
[2010/03/14 17:23:27 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/03/14 17:23:26 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/03/14 17:23:26 | 000,000,000 | ---D | C] -- C:\ProgramData\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/03/14 17:23:11 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/03/14 17:23:00 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/14 17:23:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2010/03/14 17:22:55 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\Apple
[2010/03/14 17:22:54 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/03/14 17:22:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
[2010/03/14 17:22:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/03/11 05:49:13 | 000,000,000 | ---D | C] -- C:\Program Files\ImTOO
[2010/03/04 14:00:58 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\Microsoft Games
[2010/03/04 12:52:28 | 000,000,000 | ---D | C] -- C:\Program Files\ActMak
[2010/03/04 12:15:45 | 000,000,000 | -HSD | C] -- C:\Diskeeper
[2010/03/04 11:24:54 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\RSIGuard
[2010/03/04 11:21:08 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\RSIGuard
[2010/03/04 10:03:43 | 000,045,232 | ---- | C] (Diskeeper Corporation) -- C:\Windows\System32\drivers\DKRtWrt.sys
[2010/03/04 10:03:43 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2010/03/04 10:03:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Diskeeper Corporation
[2010/03/04 10:03:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Diskeeper Corporation
[2010/03/04 10:03:37 | 000,000,000 | ---D | C] -- C:\Program Files\Diskeeper Corporation
[2010/03/04 02:10:22 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\Apps
[2010/03/03 10:31:13 | 000,000,000 | ---D | C] -- C:\ProgramData\copypart
[2010/03/03 10:30:24 | 000,000,000 | ---D | C] -- C:\ProgramData\redistpart
[2010/03/03 10:18:45 | 000,000,000 | ---D | C] -- C:\ProgramData\GroupPolicy
[2010/03/02 15:21:29 | 000,000,000 | ---D | C] -- C:\Program Files\Active Data Recovery Software
[2010/03/02 14:16:15 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/03/02 14:12:23 | 000,000,000 | ---D | C] -- C:\Program Files\Nsasoft
[2010/03/02 09:20:03 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\AutoHideIP
[2010/03/02 09:20:03 | 000,000,000 | ---D | C] -- C:\ProgramData\AutoHideIP
[2010/03/02 08:38:10 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2010/03/01 16:33:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/03/01 16:32:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2010/03/01 16:32:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/03/01 16:32:45 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/03/01 16:32:19 | 000,000,000 | ---D | C] -- C:\Users\Public\Desktop\Adobe Reader 9 Installer
[2010/03/01 16:31:36 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\Adobe
[2010/03/01 16:31:32 | 000,000,000 | ---D | C] -- C:\ProgramData\NOS
[2010/02/28 11:38:19 | 001,872,320 | ---- | C] (C-Media Inc) -- C:\Windows\System32\drivers\cmudax3.sys
[2010/02/28 11:38:19 | 000,323,584 | ---- | C] (Turtle Beach Inc.) -- C:\Windows\CmiPCIUninstallRiviera.exe
[2010/02/28 11:38:18 | 000,036,864 | ---- | C] (C-Media Electronics Ins.) -- C:\Windows\System32\cmudax3.DLL
[2010/02/28 11:38:18 | 000,000,000 | ---D | C] -- C:\Program Files\Turtle Beach
[2010/02/28 11:32:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Voyetra
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\ProgramData\Templates
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\ProgramData\Start Menu
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\My Videos
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\My Pictures
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\My Music
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\ProgramData\Favorites
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\Documents and Settings
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\ProgramData\Documents
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\ProgramData\Desktop
[2010/02/28 02:49:30 | 000,000,000 | -HSD | C] -- C:\ProgramData\Application Data
[2010/02/28 02:30:14 | 000,000,000 | --SD | C] -- C:\Users\Codeman\AppData\Roaming\Microsoft
[2010/02/28 02:30:14 | 000,000,000 | R--D | C] -- C:\Users\Codeman\Videos
[2010/02/28 02:30:14 | 000,000,000 | R--D | C] -- C:\Users\Codeman\Saved Games
[2010/02/28 02:30:14 | 000,000,000 | R--D | C] -- C:\Users\Codeman\Pictures
[2010/02/28 02:30:14 | 000,000,000 | R--D | C] -- C:\Users\Codeman\Links
[2010/02/28 02:30:14 | 000,000,000 | R--D | C] -- C:\Users\Codeman\Favorites
[2010/02/28 02:30:14 | 000,000,000 | R--D | C] -- C:\Users\Codeman\Downloads
[2010/02/28 02:30:14 | 000,000,000 | R--D | C] -- C:\Users\Codeman\My Documents
[2010/02/28 02:30:14 | 000,000,000 | R--D | C] -- C:\Users\Codeman\Desktop
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\AppData\Local\Temporary Internet Files
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\Templates
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\Start Menu
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\SendTo
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\Recent
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\PrintHood
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\NetHood
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\Documents\My Videos
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\Documents\My Pictures
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\Documents\My Music
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\My Documents
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\Local Settings
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\AppData\Local\History
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\Cookies
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\Application Data
[2010/02/28 02:30:14 | 000,000,000 | -HSD | C] -- C:\Users\Codeman\AppData\Local\Application Data
[2010/02/28 02:30:14 | 000,000,000 | -H-D | C] -- C:\Users\Codeman\AppData
[2010/02/28 02:30:14 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\Temp
[2010/02/28 02:30:14 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Local\Microsoft
[2010/02/28 02:30:14 | 000,000,000 | ---D | C] -- C:\Users\Codeman\AppData\Roaming\Media Center Programs
[2010/02/28 02:29:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Hewlett-Packard
[2010/02/28 02:28:09 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2010/02/28 02:27:59 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2010/02/28 02:27:55 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010/02/28 02:26:16 | 000,000,000 | ---D | C] -- C:\Windows\CSC
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/05/28 09:35:50 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\gelfkbjq.sys
[2010/05/28 09:35:13 | 001,835,008 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat
[2010/05/28 09:32:43 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Codeman\Desktop\OTL.exe
[2010/05/28 09:10:08 | 000,022,400 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/28 09:10:08 | 000,022,400 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/28 09:05:19 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\Windows 7 Manager - Free Memory.job
[2010/05/28 09:05:06 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/28 09:05:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/28 09:04:52 | 2616,057,856 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/28 09:04:09 | 001,176,048 | -H-- | M] () -- C:\Users\Codeman\AppData\Local\IconCache.db
[2010/05/28 08:50:16 | 000,138,384 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/05/28 08:49:34 | 000,215,128 | ---- | M] () -- C:\Windows\System32\PnkBstrB.xtr
[2010/05/24 01:45:16 | 000,006,642 | ---- | M] () -- C:\Users\Codeman\Desktop\Wolfgang Amadeus Mozart - Shortcut.lnk
[2010/05/23 01:01:57 | 000,001,080 | ---- | M] () -- C:\Users\Codeman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/05/23 01:01:53 | 000,000,900 | ---- | M] () -- C:\Users\Codeman\Desktop\NTREGOPT.lnk
[2010/05/23 01:01:53 | 000,000,881 | ---- | M] () -- C:\Users\Codeman\Desktop\ERUNT.lnk
[2010/05/23 00:41:55 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/23 00:41:55 | 000,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/23 00:41:55 | 000,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/18 09:48:33 | 000,001,908 | ---- | M] () -- C:\Users\Codeman\Desktop\launcher - Shortcut.lnk
[2010/05/18 09:46:16 | 000,001,388 | ---- | M] () -- C:\Users\Codeman\Desktop\ChromePortable - Shortcut.lnk
[2010/05/17 23:13:08 | 000,000,198 | ---- | M] () -- C:\Users\Codeman\Desktop\DiRT2.lnk
[2010/05/14 10:19:24 | 000,000,282 | ---- | M] () -- C:\Windows\tasks\Windows 7 Manager Live Update.job
[2010/05/12 19:12:46 | 000,445,016 | ---- | M] (Creative Labs) -- C:\Windows\System32\wrap_oal.dll
[2010/05/12 19:12:46 | 000,109,144 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\System32\OpenAL32.dll
[2010/05/12 13:00:43 | 000,000,971 | ---- | M] () -- C:\Users\Codeman\Desktop\FlashGet.lnk
[2010/05/10 02:42:41 | 000,524,288 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat{5c8daa88-5c07-11df-b9ff-00508db27a99}.TMContainer00000000000000000002.regtrans-ms
[2010/05/10 02:42:41 | 000,524,288 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat{5c8daa88-5c07-11df-b9ff-00508db27a99}.TMContainer00000000000000000001.regtrans-ms
[2010/05/10 02:42:41 | 000,065,536 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat{5c8daa88-5c07-11df-b9ff-00508db27a99}.TM.blf
[2010/05/10 02:35:48 | 000,524,288 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat{47644c08-5c06-11df-80e9-00508db27a99}.TMContainer00000000000000000002.regtrans-ms
[2010/05/10 02:35:48 | 000,524,288 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat{47644c08-5c06-11df-80e9-00508db27a99}.TMContainer00000000000000000001.regtrans-ms
[2010/05/10 02:35:48 | 000,065,536 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat{47644c08-5c06-11df-80e9-00508db27a99}.TM.blf
[2010/05/09 21:12:11 | 000,002,133 | ---- | M] () -- C:\Users\Public\Desktop\Need for Speed™ Most Wanted.lnk
[2010/05/01 21:18:24 | 000,001,653 | ---- | M] () -- C:\Users\Codeman\Desktop\Levels - Shortcut.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/26 20:33:24 | 000,002,974 | ---- | M] () -- C:\Users\Codeman\AppData\Local\Ktazupodovu.dat
[2010/04/26 10:28:05 | 000,012,982 | -HS- | M] () -- C:\ProgramData\w1vjs2h771
[2010/04/26 10:27:56 | 000,012,982 | -HS- | M] () -- C:\Users\Codeman\AppData\Local\w1vjs2h771
[2010/04/26 02:07:22 | 000,000,985 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/26 01:26:45 | 000,000,000 | ---- | M] () -- C:\Users\Codeman\AppData\Local\Mmicurixu.bin
[2010/04/23 20:24:52 | 000,001,990 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/04/08 16:26:26 | 000,524,288 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat{65a24e76-422e-11df-a30d-00508db27a99}.TMContainer00000000000000000002.regtrans-ms
[2010/04/08 16:26:26 | 000,524,288 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat{65a24e76-422e-11df-a30d-00508db27a99}.TMContainer00000000000000000001.regtrans-ms
[2010/04/08 16:26:26 | 000,065,536 | -HS- | M] () -- C:\Users\Codeman\ntuser.dat{65a24e76-422e-11df-a30d-00508db27a99}.TM.blf
[2010/04/07 05:15:36 | 000,073,416 | ---- | M] () -- C:\Users\Codeman\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/07 05:15:23 | 000,314,168 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/05 13:54:47 | 000,012,336 | -HS- | M] () -- C:\Users\Codeman\AppData\Local\GbW53PfLB
[2010/04/05 13:54:47 | 000,012,336 | -HS- | M] () -- C:\ProgramData\GbW53PfLB
[2010/04/04 06:26:35 | 000,000,468 | ---- | M] () -- C:\Windows\System32\secustat.dat
[2010/04/03 15:14:21 | 000,001,770 | ---- | M] () -- C:\Windows\System32\secushr.dat
[2010/03/27 18:12:53 | 000,000,017 | ---- | M] () -- C:\Users\Codeman\AppData\Local\resmon.resmoncfg
[2010/03/27 08:11:49 | 000,000,025 | ---- | M] () -- C:\Windows\libem.INI
[2010/03/27 07:24:59 | 000,000,880 | ---- | M] () -- C:\Users\Codeman\Desktop\uplink - Shortcut.lnk
[2010/03/21 15:26:40 | 000,001,106 | ---- | M] () -- C:\Users\Public\Desktop\DivX Player.lnk
[2010/03/21 15:26:38 | 000,001,142 | ---- | M] () -- C:\Users\Public\Desktop\DivX Converter.lnk
[2010/03/21 14:09:03 | 000,003,266 | ---- | M] () -- C:\Windows\FantasyDVD.ini
[2010/03/21 14:09:03 | 000,002,417 | ---- | M] () -- C:\Windows\ShortCutInf.ini
[2010/03/21 14:09:03 | 000,000,243 | ---- | M] () -- C:\Windows\PlayList.Fpl
[2010/03/21 14:08:48 | 000,389,120 | ---- | M] () -- C:\Windows\System32\ACTSKN43.OCX
[2010/03/19 20:33:30 | 000,000,276 | ---- | M] () -- C:\Windows\System32\FOLESVR.DLL
[2010/03/14 17:27:32 | 000,002,595 | ---- | M] () -- C:\Users\Codeman\Desktop\Diskeeper 2010.lnk
[2010/03/12 08:56:15 | 000,192,960 | ---- | M] () -- C:\Users\Codeman\Documents\2009TaxReturn.pdf
[2010/03/11 05:53:25 | 000,001,190 | ---- | M] () -- C:\Users\Codeman\Desktop\ImTOO iPod Computer Transfer.lnk
[2010/03/04 13:30:48 | 000,002,560 | ---- | M] () -- C:\Windows\_MSRSTRT.EXE
[2010/03/04 13:23:27 | 000,000,029 | ---- | M] () -- C:\Windows\System32\WINCNMDB.DLL
[2010/03/04 13:19:41 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2010/03/02 15:49:31 | 000,001,114 | ---- | M] () -- C:\Users\Codeman\Desktop\Active@ Disk Image.lnk
[2010/03/02 15:27:20 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/03/02 14:35:04 | 000,000,036 | ---- | M] () -- C:\Users\Codeman\AppData\Local\housecall.guid.cache
[2010/02/28 12:40:42 | 000,691,696 | ---- | M] () -- C:\Windows\System32\drivers\sptd.sys
[2010/02/28 11:38:43 | 000,000,306 | ---- | M] () -- C:\Windows\Cmicnfg3.ini.cfl
[2010/02/28 11:38:43 | 000,000,168 | ---- | M] () -- C:\Windows\Cmicnfg3.ini.imi
[2010/02/28 11:38:43 | 000,000,136 | ---- | M] () -- C:\Windows\System\Dlap.pfx
[2010/02/28 11:38:21 | 000,000,107 | ---- | M] () -- C:\Windows\System\Cmicnfg3.ini
[2010/02/28 04:24:36 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010/02/28 02:51:29 | 000,000,020 | -HS- | M] () -- C:\Users\Codeman\ntuser.ini
[2010/02/28 02:46:34 | 000,042,045 | ---- | M] () -- C:\Windows\System32\license.rtf
[2010/02/28 02:43:12 | 000,021,316 | ---- | M] () -- C:\Windows\System32\emptyregdb.dat
[2010/02/28 02:30:15 | 000,524,288 | -HS- | M] () -- C:\Users\Codeman\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010/02/28 02:30:15 | 000,524,288 | -HS- | M] () -- C:\Users\Codeman\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010/02/28 02:30:15 | 000,065,536 | -HS- | M] () -- C:\Users\Codeman\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010/02/28 01:56:54 | 000,001,890 | ---- | M] () -- C:\Windows\diagwrn.xml
[2010/02/28 01:56:54 | 000,001,890 | ---- | M] () -- C:\Windows\diagerr.xml
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/28 09:19:17 | 000,293,376 | ---- | C] () -- C:\Users\Codeman\Desktop\gmer.exe
[2010/05/24 01:45:16 | 000,006,642 | ---- | C] () -- C:\Users\Codeman\Desktop\Wolfgang Amadeus Mozart - Shortcut.lnk
[2010/05/23 01:01:57 | 000,001,080 | ---- | C] () -- C:\Users\Codeman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/05/23 01:01:53 | 000,000,900 | ---- | C] () -- C:\Users\Codeman\Desktop\NTREGOPT.lnk
[2010/05/23 01:01:53 | 000,000,881 | ---- | C] () -- C:\Users\Codeman\Desktop\ERUNT.lnk
[2010/05/18 09:48:33 | 000,001,908 | ---- | C] () -- C:\Users\Codeman\Desktop\launcher - Shortcut.lnk
[2010/05/17 23:13:08 | 000,000,198 | ---- | C] () -- C:\Users\Codeman\Desktop\DiRT2.lnk
[2010/05/11 21:45:10 | 000,000,282 | ---- | C] () -- C:\Windows\tasks\Windows 7 Manager Live Update.job
[2010/05/10 02:41:14 | 000,524,288 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat{5c8daa88-5c07-11df-b9ff-00508db27a99}.TMContainer00000000000000000002.regtrans-ms
[2010/05/10 02:41:14 | 000,524,288 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat{5c8daa88-5c07-11df-b9ff-00508db27a99}.TMContainer00000000000000000001.regtrans-ms
[2010/05/10 02:41:14 | 000,065,536 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat{5c8daa88-5c07-11df-b9ff-00508db27a99}.TM.blf
[2010/05/10 02:33:31 | 000,524,288 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat{47644c08-5c06-11df-80e9-00508db27a99}.TMContainer00000000000000000002.regtrans-ms
[2010/05/10 02:33:31 | 000,524,288 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat{47644c08-5c06-11df-80e9-00508db27a99}.TMContainer00000000000000000001.regtrans-ms
[2010/05/10 02:33:31 | 000,065,536 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat{47644c08-5c06-11df-80e9-00508db27a99}.TM.blf
[2010/05/09 21:12:11 | 000,002,133 | ---- | C] () -- C:\Users\Public\Desktop\Need for Speed™ Most Wanted.lnk
[2010/05/01 21:18:24 | 000,001,653 | ---- | C] () -- C:\Users\Codeman\Desktop\Levels - Shortcut.lnk
[2010/04/27 00:59:43 | 000,000,288 | ---- | C] () -- C:\Windows\tasks\Windows 7 Manager - Free Memory.job
[2010/04/26 02:07:22 | 000,000,985 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/26 01:26:45 | 000,002,974 | ---- | C] () -- C:\Users\Codeman\AppData\Local\Ktazupodovu.dat
[2010/04/26 01:26:45 | 000,000,000 | ---- | C] () -- C:\Users\Codeman\AppData\Local\Mmicurixu.bin
[2010/04/26 01:25:22 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\gelfkbjq.sys
[2010/04/26 01:24:47 | 000,012,982 | -HS- | C] () -- C:\Users\Codeman\AppData\Local\w1vjs2h771
[2010/04/26 01:24:47 | 000,012,982 | -HS- | C] () -- C:\ProgramData\w1vjs2h771
[2010/04/07 05:15:24 | 000,524,288 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat{65a24e76-422e-11df-a30d-00508db27a99}.TMContainer00000000000000000002.regtrans-ms
[2010/04/07 05:15:24 | 000,524,288 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat{65a24e76-422e-11df-a30d-00508db27a99}.TMContainer00000000000000000001.regtrans-ms
[2010/04/07 05:15:24 | 000,065,536 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat{65a24e76-422e-11df-a30d-00508db27a99}.TM.blf
[2010/04/05 13:19:48 | 000,012,336 | -HS- | C] () -- C:\Users\Codeman\AppData\Local\GbW53PfLB
[2010/04/05 13:19:48 | 000,012,336 | -HS- | C] () -- C:\ProgramData\GbW53PfLB
[2010/03/27 18:12:53 | 000,000,017 | ---- | C] () -- C:\Users\Codeman\AppData\Local\resmon.resmoncfg
[2010/03/27 08:25:23 | 000,000,468 | ---- | C] () -- C:\Windows\System32\secustat.dat
[2010/03/27 08:12:20 | 000,001,770 | ---- | C] () -- C:\Windows\System32\secushr.dat
[2010/03/27 08:11:49 | 000,000,025 | ---- | C] () -- C:\Windows\libem.INI
[2010/03/27 07:24:59 | 000,000,880 | ---- | C] () -- C:\Users\Codeman\Desktop\uplink - Shortcut.lnk
[2010/03/24 15:42:05 | 000,001,388 | ---- | C] () -- C:\Users\Codeman\Desktop\ChromePortable - Shortcut.lnk
[2010/03/21 15:26:40 | 000,001,106 | ---- | C] () -- C:\Users\Public\Desktop\DivX Player.lnk
[2010/03/21 15:26:38 | 000,001,142 | ---- | C] () -- C:\Users\Public\Desktop\DivX Converter.lnk
[2010/03/21 14:01:22 | 000,003,266 | ---- | C] () -- C:\Windows\FantasyDVD.ini
[2010/03/21 14:01:22 | 000,002,417 | ---- | C] () -- C:\Windows\ShortCutInf.ini
[2010/03/19 15:54:04 | 000,000,243 | ---- | C] () -- C:\Windows\PlayList.Fpl
[2010/03/19 15:54:02 | 000,000,276 | ---- | C] () -- C:\Windows\System32\FOLESVR.DLL
[2010/03/19 15:51:53 | 000,389,120 | ---- | C] () -- C:\Windows\System32\ACTSKN43.OCX
[2010/03/14 17:27:32 | 000,002,595 | ---- | C] () -- C:\Users\Codeman\Desktop\Diskeeper 2010.lnk
[2010/03/12 08:56:15 | 000,192,960 | ---- | C] () -- C:\Users\Codeman\Documents\2009TaxReturn.pdf
[2010/03/11 05:49:14 | 000,001,190 | ---- | C] () -- C:\Users\Codeman\Desktop\ImTOO iPod Computer Transfer.lnk
[2010/03/04 13:30:47 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
[2010/03/04 12:52:42 | 000,000,029 | ---- | C] () -- C:\Windows\System32\WINCNMDB.DLL
[2010/03/02 15:49:31 | 000,001,114 | ---- | C] () -- C:\Users\Codeman\Desktop\Active@ Disk Image.lnk
[2010/03/02 15:27:20 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/03/02 14:35:04 | 000,000,036 | ---- | C] () -- C:\Users\Codeman\AppData\Local\housecall.guid.cache
[2010/03/01 16:32:47 | 000,001,990 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/02/28 11:38:19 | 000,002,678 | ---- | C] () -- C:\Windows\cmudax3.ini
[2010/02/28 02:51:29 | 000,000,020 | -HS- | C] () -- C:\Users\Codeman\ntuser.ini
[2010/02/28 02:47:36 | 2616,057,856 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/28 02:43:12 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2010/02/28 02:30:14 | 001,835,008 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat
[2010/02/28 02:30:14 | 000,524,288 | -HS- | C] () -- C:\Users\Codeman\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010/02/28 02:30:14 | 000,524,288 | -HS- | C] () -- C:\Users\Codeman\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010/02/28 02:30:14 | 000,262,144 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat.LOG1
[2010/02/28 02:30:14 | 000,065,536 | -HS- | C] () -- C:\Users\Codeman\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010/02/28 02:30:14 | 000,000,000 | -HS- | C] () -- C:\Users\Codeman\ntuser.dat.LOG2
[2010/02/28 01:56:54 | 000,001,890 | ---- | C] () -- C:\Windows\diagwrn.xml
[2010/02/28 01:56:54 | 000,001,890 | ---- | C] () -- C:\Windows\diagerr.xml
[2010/02/23 10:36:41 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2010/02/17 18:27:00 | 000,138,384 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/02/17 14:35:06 | 000,000,306 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfl
[2010/02/17 14:34:46 | 000,303,104 | ---- | C] () -- C:\Windows\System32\CmiInstallResAll.dll
[2010/02/17 14:34:46 | 000,001,304 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfg
[2010/02/17 14:34:46 | 000,000,168 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.imi
[2009/11/06 10:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/10/20 13:19:30 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2004/01/30 16:07:46 | 000,245,408 | ---- | C] () -- C:\Windows\System32\unicows.dll

========== LOP Check ==========

[2010/03/02 09:20:03 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\AutoHideIP
[2010/02/28 02:39:08 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\BF2Players.net
[2010/04/04 06:26:35 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\BITS
[2010/03/21 15:48:39 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\BSplayer
[2010/03/27 04:38:57 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\Command and Conquer 4
[2010/05/02 21:22:37 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\DAEMON Tools Lite
[2010/02/23 10:36:31 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\DAEMON Tools Pro
[2010/03/27 08:11:37 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\FlashGet
[2010/04/03 15:12:10 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\FlashGetBHO
[2010/03/25 20:37:10 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\HideIPEasy
[2010/02/28 02:39:08 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\Ideazon
[2010/02/28 02:39:12 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\RoboForm
[2010/03/04 13:42:40 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\RSIGuard
[2010/03/24 15:56:02 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\Steganos VPN
[2010/03/24 16:49:25 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\Thinstall
[2010/02/28 02:39:13 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\TS3Client
[2010/02/20 14:37:32 | 000,000,000 | ---D | M] -- C:\Users\Codeman\AppData\Roaming\Xilisoft Corporation
[2010/04/26 01:52:19 | 000,025,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/05/28 09:05:19 | 000,000,288 | ---- | M] () -- C:\Windows\Tasks\Windows 7 Manager - Free Memory.job
[2010/05/14 10:19:24 | 000,000,282 | ---- | M] () -- C:\Windows\Tasks\Windows 7 Manager Live Update.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/06/10 16:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2010/03/04 13:19:41 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2009/07/13 20:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr.bak
[2010/02/28 04:24:36 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2009/06/10 16:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010/05/28 09:04:52 | 2616,057,856 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/17 12:53:34 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/02/17 12:53:34 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/05/28 09:05:00 | 3488,079,872 | -HS- | M] () -- C:\pagefile.sys
[2010/02/26 15:03:19 | 000,291,526 | RHS- | M] () -- C:\RVBPE
[2010/02/26 15:03:19 | 000,000,020 | RHS- | M] () -- C:\winx.ld

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

========== Alternate Data Streams ==========

@Alternate Data Stream - 160 bytes -> C:\ProgramData\TEMP:93C2F41D
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:C5760A8B

< End of report >

********************************************************************************
********************************************************


EXTRAS:

OTL Extras logfile created on: 5/28/2010 9:34:58 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\Codeman\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 213.80 Gb Total Space | 133.83 Gb Free Space | 62.60% Space Free | Partition Type: NTFS
Drive D: | 153.38 Gb Total Space | 0.01 Gb Free Space | 0.01% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 164.18 Gb Total Space | 100.44 Gb Free Space | 61.18% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 242.53 Gb Total Space | 151.69 Gb Free Space | 62.55% Space Free | Partition Type: NTFS
Drive K: | 232.88 Gb Total Space | 177.19 Gb Free Space | 76.09% Space Free | Partition Type: NTFS

Computer Name: CODEMAN-MYPC
Current User Name: Codeman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\FlashGet Network2\FlashGet 3\FlashGet3.exe" = C:\Program Files\FlashGet Network2\FlashGet 3\FlashGet3.exe:*:Enabled:Flashget3 -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2™
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{09EA3E66-F60C-45EF-9C16-6CA2262E21C4}" = Roxio Creator 2009 Ultimate
"{0F913F3E-A57D-454C-A8F6-95A85925C75F}" = Turtle Beach Riviera PCI Driver
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D53B6F9-E66E-42D8-A221-4FF8AC134FD7}" = Roxio Activation Module
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3383136B-4F86-4F05-8612-DD4BB16A1EAE}" = Roxio Central
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{50D4CB89-AF34-4978-96DC-C3034062E901}" = Battlefield 2: Special Forces
"{52D1D62C-FEAB-4580-849E-1DB624BADBBD}" = DiRT2
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{64E47A5F-B3C4-476A-9100-2D006BD1FFB4}" = Z Engine
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7919D8D9-69FB-4E94-B330-04C4AF251867}" = Roxio Creator 2009 Ultimate
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{82696435-8572-4D8B-A230-D1AA567D0F0F}" = Command & Conquer™ 4 Tiberian Twilight
"{87A83C6F-F53C-448A-B078-FF00E3EAEB29}" = Roxio Disaster Recovery
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D015A2F-4D85-419E-8E1D-93B0C246D491}" = Diskeeper 2010 Pro Premier
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AA749D64-3741-4D5F-B804-B0BC05D179D1}" = Roxio CinePlayer
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{ACAF8758-8B7C-40C0-AF43-897B3BB7D009}" = Windows 7 Manager
"{ADE91A13-434D-4229-00BC-182BAD607303}" = Need for Speed™ Most Wanted
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{BA789040-B54B-4E7A-BC62-B6719E84CE9B}" = Active@ Disk Image
"{C0FE37FA-0886-4B66-B01B-76CF70FB77AB}" = Roxio CinePlayer Decoder Pack
"{D2FCA41E-AC01-4DCD-B3A7-DC9E32363065}}_is1" = Rapture3D 2.3.22 Game
"{DA703982C580418795BF4001AA9D7061}" = DivX Plus Media Foundation Components
"{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}" = NVIDIA PhysX
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AI RoboForm" = AI RoboForm (All Users)
"Allied Intent Xtended" = Allied Intent Xtended 2.0
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ERUNT_is1" = ERUNT 1.1j
"FlashGet" = FlashGet 1.9.6.1073
"FlashGet(JetCar)" = FlashGet(JetCar)
"ImTOO iPod Manager" = ImTOO iPod Computer Transfer
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaInfo" = MediaInfo 0.7.33
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"OpenAL" = OpenAL
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"WinPcapInst" = WinPcap 4.1.1
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#2 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 28 May 2010 - 09:27 AM

Got the GMER log?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O32 - AutoRun File - [2010/02/20 16:07:06 | 000,000,000 | -H-D | M] - C:\Autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2009/03/20 10:45:45 | 000,000,000 | RHSD | M] - K:\autorun.inf -- [ NTFS ]
    O33 - MountPoints2\{4bba8e11-2628-11df-816f-00508db27a99}\Shell - "" = AutoRun
    O33 - MountPoints2\{4bba8e11-2628-11df-816f-00508db27a99}\Shell\AutoRun\command - "" = I:\autorun.exe -- File not found
    [2010/05/28 09:35:50 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\gelfkbjq.sys
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done




Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3 cody1

  • Group: Member
  • Posts: 24
  • Joined: 10-March 09

Posted 28 May 2010 - 09:58 AM

That was fast, thanks! :)

Okay, here is ComboFix: (About GMER, do you want the attachment b/c I couldn't get it to paste, but I will try on this one.) How do I show you the attachment?

Combofix:

ComboFix 10-05-27.03 - Codeman 05/28/2010 10:43:41.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2438 [GMT -5:00]
Running from: c:\users\Codeman\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}
c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}\chrome.manifest
c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}\chrome\content\_cfg.js
c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}\chrome\content\overlay.xul
c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}\install.rdf
c:\users\Codeman\AppData\Roaming\BITS
c:\users\Codeman\AppData\Roaming\BITS\BITS.ini
c:\users\Codeman\AppData\Roaming\BITS\DHTTable.dat
c:\users\Codeman\AppData\Roaming\BITS\ProxyList.ini
c:\users\Codeman\AppData\Roaming\chrtmp
c:\users\Codeman\AppData\Roaming\FlashGetBHO
c:\users\Codeman\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll
c:\users\Codeman\AppData\Roaming\FlashGetBHO\FlashGetHook.dll
c:\users\Codeman\AppData\Roaming\FlashGetBHO\FlashGetHook1.dll
c:\users\Codeman\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
c:\users\Codeman\AppData\Roaming\FlashGetBHO\GetUrl.htm
c:\windows\system32\FOLESVR.DLL
c:\windows\system32\secustat.dat
c:\windows\system32\WINCNMDB.DLL

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.

2010-05-28 15:46 . 2010-05-28 15:47 -------- d-----w- c:\users\Codeman\AppData\Local\temp
2010-05-28 15:46 . 2010-05-28 15:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-23 06:01 . 2010-05-23 06:01 -------- d-----w- c:\program files\ERUNT
2010-05-16 14:28 . 2010-05-16 14:28 -------- d-----w- c:\program files\MediaInfo
2010-05-13 02:19 . 2010-05-13 02:19 -------- d-----w- c:\programdata\Codemasters
2010-05-13 00:13 . 2009-07-14 00:04 839680 ----a-w- c:\windows\system32\mkl_vml_p4.dll
2010-05-13 00:13 . 2009-07-14 00:04 532480 ----a-w- c:\windows\system32\mkl_vml_p3.dll
2010-05-13 00:13 . 2009-07-14 00:04 512000 ----a-w- c:\windows\system32\mkl_vml_def.dll
2010-05-13 00:13 . 2009-07-14 00:04 3485696 ----a-w- c:\windows\system32\mkl_p4.dll
2010-05-13 00:13 . 2009-07-14 00:04 2793472 ----a-w- c:\windows\system32\mkl_p3.dll
2010-05-13 00:13 . 2009-07-14 00:04 2441216 ----a-w- c:\windows\system32\mkl_def.dll
2010-05-13 00:13 . 2009-07-14 00:04 2174976 ----a-w- c:\windows\system32\mkl_lapack32.dll
2010-05-13 00:13 . 2009-07-14 00:04 2125824 ----a-w- c:\windows\system32\mkl_lapack64.dll
2010-05-13 00:13 . 2009-07-14 00:04 184320 ----a-w- c:\windows\system32\libguide40.dll
2010-05-13 00:13 . 2009-10-16 16:19 872448 ----a-w- c:\windows\system32\rapture3d_oal.dll
2010-05-13 00:13 . 2010-05-13 00:13 -------- d-----w- c:\program files\BRS
2010-05-13 00:12 . 2010-05-13 00:13 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-05-13 00:12 . 2010-05-13 00:12 -------- d-----w- c:\windows\system32\xlive
2010-05-13 00:12 . 2010-05-13 00:12 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-13 00:12 . 2010-05-13 00:12 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-13 00:12 . 2010-05-13 00:12 -------- d-----w- c:\program files\OpenAL
2010-05-12 23:56 . 2010-05-12 23:56 -------- d-----w- c:\program files\Codemasters
2010-05-12 17:55 . 2010-05-12 18:00 -------- d-----w- c:\program files\flashget
2010-05-12 09:45 . 2010-05-12 09:45 -------- d-----w- c:\programdata\createpart
2010-05-10 06:39 . 2010-05-11 03:04 -------- d-----w- c:\users\Codeman\AppData\Local\cyiydnqii
2010-05-03 02:25 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-03 02:25 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-03 02:25 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-03 02:25 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 15:42 . 2010-02-28 07:28 -------- d-----w- c:\programdata\NVIDIA
2010-05-28 13:50 . 2010-02-17 23:27 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-28 13:49 . 2010-02-17 23:26 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-27 02:17 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-25 17:02 . 2010-05-25 17:02 -------- d-----w- c:\program files\CCleaner
2010-05-13 03:00 . 2010-03-02 19:12 -------- d-----w- c:\program files\Nsasoft
2010-05-12 23:56 . 2010-02-17 17:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-12 16:21 . 2009-10-14 09:58 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 02:43 . 2010-04-26 07:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-10 02:08 . 2010-02-17 17:13 -------- d-----w- c:\program files\EA GAMES
2010-05-03 02:22 . 2010-02-20 15:59 -------- d-----w- c:\users\Codeman\AppData\Roaming\DAEMON Tools Lite
2010-04-29 20:39 . 2010-04-26 07:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-04-26 07:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 07:21 . 2010-04-27 07:21 -------- d-----w- c:\program files\WinPcap
2010-04-27 01:33 . 2010-04-26 06:26 2974 ----a-w- c:\users\Codeman\AppData\Local\Ktazupodovu.dat
2010-04-26 18:29 . 2009-07-13 23:13 1285712 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-26 07:07 . 2010-04-26 07:07 -------- d-----w- c:\users\Codeman\AppData\Roaming\Malwarebytes
2010-04-26 07:07 . 2010-04-26 07:07 -------- d-----w- c:\programdata\Malwarebytes
2010-04-26 06:26 . 2010-04-26 06:26 0 ----a-w- c:\users\Codeman\AppData\Local\Mmicurixu.bin
2010-04-23 07:13 . 2010-05-27 02:16 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-21 01:31 . 2010-02-17 22:26 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-04-14 14:10 . 2010-02-23 15:07 -------- d-----w- c:\programdata\Sonic
2010-04-07 13:10 . 2009-07-14 07:50 -------- d-----w- c:\program files\Windows Journal
2010-04-07 13:10 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar
2010-04-07 13:10 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Defender
2010-04-07 13:10 . 2009-07-14 04:52 -------- d-----w- c:\program files\DVD Maker
2010-04-07 10:15 . 2010-04-07 10:15 73416 ----a-w- c:\users\Codeman\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-03 20:14 . 2010-03-27 13:12 1770 ----a-w- c:\windows\system32\secushr.dat
2010-04-03 19:07 . 2010-04-03 19:07 6392168 ----a-w- c:\users\Codeman\AppData\Roaming\FlashGet\v3\dat\update\fgcnrc_20100312_1319_3.4.0.1098.exe
2010-03-27 23:18 . 2010-03-27 23:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 21:33 . 2010-05-03 02:26 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 18:30 . 2010-03-04 18:30 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-03-04 07:33 . 2010-05-27 02:16 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-03-03 15:24 . 2010-03-03 15:23 1696081 ----a-w- c:\windows\system32\wbem\WMIObjectsMigration.bin
2010-03-01 21:31 . 2010-03-01 21:31 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-02-28 17:40 . 2010-02-23 15:36 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-28 07:43 . 2010-02-28 07:43 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-17 15928]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPMonitor"="c:\program files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe" [2008-08-10 80368]
"Flashget"="c:\program files\flashget\flashget.exe" [2007-09-25 2007088]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2008-11-13 57344]
"Turtle Beach Riviera"="c:\program files\Turtle Beach\Riviera\TBRivieraTray.exe" [2009-08-15 1613824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-27 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\users\Codeman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-28 691696]
R2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [2008-08-14 367088]
R2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [2008-08-14 309744]
R2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [2008-08-14 170480]
R3 BioNT_BS;BioNT_BS; [x]
R3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [2008-08-14 313840]
R3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [2009-01-09 1122304]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2007-02-15 26624]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1343400]
S0 SahdIa32;HDD Filter Driver;c:\windows\System32\Drivers\SahdIa32.sys [2008-08-01 20464]
S0 SaibIa32;Volume Filter Driver;c:\windows\System32\Drivers\SaibIa32.sys [2008-08-01 15856]
S1 c2scsi;c2scsi;c:\windows\system32\DRIVERS\c2scsi.sys [2008-08-11 254320]
S1 SaibVd32;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVd32.sys [2008-08-01 25584]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [2008-08-01 125424]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-12 240232]
S3 DKRtWrt;DKRtWrt;c:\windows\system32\DRIVERS\DKRtWrt.sys [2009-10-21 45232]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]


--- Other Services/Drivers In Memory ---

*Deregistered* - gelfkbjq
.
Contents of the 'Scheduled Tasks' folder

2010-05-28 c:\windows\Tasks\Windows 7 Manager - Free Memory.job
- c:\program files\Yamicsoft\Windows 7 Manager\FreeMemory.exe [2010-01-01 06:42]

2010-05-14 c:\windows\Tasks\Windows 7 Manager Live Update.job
- c:\program files\Yamicsoft\Windows 7 Manager\LiveUpdate.exe [2009-05-09 12:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.speedbit.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\users\Codeman\AppData\Roaming\Mozilla\Firefox\Profiles\f22r4zhq.default\
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\gelfkbjq]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-05-28 10:47:59
ComboFix-quarantined-files.txt 2010-05-28 15:47

Pre-Run: 143,723,458,560 bytes free
Post-Run: 143,402,409,984 bytes free

- - End Of File - - A40452C6B4A1AD71701A074CF5E057D6

********************************************************************************
*************************************************************



GMER:

It just freezes and hangs when I try to paste it. I can see the text but then FF just hangs with the spinning circle of death. :\

Try this?: http://www.geekstogo...05-ark-zip.html
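The ComboFix log in the post above contains several items a responder would want flagged before trusting the machine: UAC switched off (EnableLUA = 0), a proxy pointed at 127.0.0.1:5555, a Trusted Zone entry for kuaiche.com, a hijacked start page, and the deregistered driver gelfkbjq with a leftover service key. The script below is an added example, not part of the original thread and not a ComboFix feature: it runs a simple triage pass over ComboFix-style log lines and returns the indicators found. The sample text is constructed from lines in the posted log, and the "eight random lowercase letters" heuristic for driver/service names is an assumption chosen to match gelfkbjq, not a ComboFix rule.

```python
import re

# Constructed sample: a handful of lines modelled on the ComboFix output
# posted in this thread. Not a complete or real log file.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-28 691696]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

--- Other Services/Drivers In Memory ---

*Deregistered* - gelfkbjq

uStart Page = hxxp://search.speedbit.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Trusted Zone: kuaiche.com\software

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\gelfkbjq]
"""

# Assumed heuristic: rootkit droppers often register a driver with a
# random name of eight lowercase letters (gelfkbjq in this thread).
RANDOM_NAME = re.compile(r"^[a-z]{8}$")

# UAC policy values that, when 0, remove or weaken elevation prompts.
UAC_POLICY = re.compile(
    r'^"(EnableLUA|PromptOnSecureDesktop|ConsentPromptBehaviorAdmin)"=\s*(\d+)'
)
PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
START_PAGE = re.compile(r"^uStart Page\s*=\s*(\S+)")
TRUSTED_ZONE = re.compile(r"^Trusted Zone:\s*(\S+)")
DEREGISTERED = re.compile(r"^\*Deregistered\*\s*-\s*(\S+)")
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\services\\([^\]]+)\]$", re.I
)
DRIVER_LINE = re.compile(r"^[RS][0-3]\s+([^;]+);")


def triage_combofix(text):
    """Return (kind, detail) tuples for each suspicious line in a ComboFix log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = UAC_POLICY.match(line)
        if m:
            if m.group(2) == "0":
                findings.append(("uac_weakened", m.group(1)))
            continue
        m = PROXY.match(line)
        if m:
            proxy = m.group(1)
            # A loopback proxy is how browser-redirecting malware, but also
            # legitimate anonymizer tools, intercept web traffic.
            if "127.0.0.1" in proxy or "localhost" in proxy.lower():
                findings.append(("local_proxy", proxy))
            continue
        m = START_PAGE.match(line)
        if m:
            findings.append(("start_page", m.group(1)))
            continue
        m = TRUSTED_ZONE.match(line)
        if m:
            findings.append(("trusted_zone", m.group(1)))
            continue
        m = DEREGISTERED.match(line)
        if m:
            findings.append(("deregistered_driver", m.group(1)))
            continue
        m = SERVICE_KEY.match(line)
        if m:
            if RANDOM_NAME.match(m.group(1)):
                findings.append(("random_service_name", m.group(1)))
            continue
        m = DRIVER_LINE.match(line)
        if m and RANDOM_NAME.match(m.group(1)):
            findings.append(("random_driver_name", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_combofix(SAMPLE_COMBOFIX):
        print(f"{kind:22} {detail}")
```

Each finding still needs a human decision. The loopback proxy in particular is a common symptom of a redirecting infection, but the OTL LOP check earlier in this thread also lists AutoHideIP, HideIPEasy and Steganos VPN, all of which can legitimately set a local proxy, so identify the process listening on that port before removing the setting. The EnableLUA = 0 entry is worth fixing regardless of the infection, since with UAC disabled every program the logged-in administrator runs already has full rights.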

#4 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 28 May 2010 - 10:18 AM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).




1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

Folder::
c:\users\Codeman\AppData\Local\cyiydnqii

File::
c:\users\Codeman\AppData\Local\Ktazupodovu.dat
c:\users\Codeman\AppData\Local\Mmicurixu.bin

Driver::
gelfkbjq


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#5 cody1

  • Group: Member
  • Posts: 24
  • Joined: 10-March 09

Posted 28 May 2010 - 10:39 AM

Did the new log write over the old combo fix log? I noticed the time is 1 hour old?

Here is what I have:

Combofix:

ComboFix 10-05-27.03 - Codeman 05/28/2010 10:43:41.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2438 [GMT -5:00]
Running from: c:\users\Codeman\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}
c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}\chrome.manifest
c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}\chrome\content\_cfg.js
c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}\chrome\content\overlay.xul
c:\users\Codeman\AppData\Local\{E650144D-9036-41F0-BCBE-2CF9896E8C31}\install.rdf
c:\users\Codeman\AppData\Roaming\BITS
c:\users\Codeman\AppData\Roaming\BITS\BITS.ini
c:\users\Codeman\AppData\Roaming\BITS\DHTTable.dat
c:\users\Codeman\AppData\Roaming\BITS\ProxyList.ini
c:\users\Codeman\AppData\Roaming\chrtmp
c:\users\Codeman\AppData\Roaming\FlashGetBHO
c:\users\Codeman\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll
c:\users\Codeman\AppData\Roaming\FlashGetBHO\FlashGetHook.dll
c:\users\Codeman\AppData\Roaming\FlashGetBHO\FlashGetHook1.dll
c:\users\Codeman\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
c:\users\Codeman\AppData\Roaming\FlashGetBHO\GetUrl.htm
c:\windows\system32\FOLESVR.DLL
c:\windows\system32\secustat.dat
c:\windows\system32\WINCNMDB.DLL

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.

2010-05-28 15:46 . 2010-05-28 15:47 -------- d-----w- c:\users\Codeman\AppData\Local\temp
2010-05-28 15:46 . 2010-05-28 15:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-23 06:01 . 2010-05-23 06:01 -------- d-----w- c:\program files\ERUNT
2010-05-16 14:28 . 2010-05-16 14:28 -------- d-----w- c:\program files\MediaInfo
2010-05-13 02:19 . 2010-05-13 02:19 -------- d-----w- c:\programdata\Codemasters
2010-05-13 00:13 . 2009-07-14 00:04 839680 ----a-w- c:\windows\system32\mkl_vml_p4.dll
2010-05-13 00:13 . 2009-07-14 00:04 532480 ----a-w- c:\windows\system32\mkl_vml_p3.dll
2010-05-13 00:13 . 2009-07-14 00:04 512000 ----a-w- c:\windows\system32\mkl_vml_def.dll
2010-05-13 00:13 . 2009-07-14 00:04 3485696 ----a-w- c:\windows\system32\mkl_p4.dll
2010-05-13 00:13 . 2009-07-14 00:04 2793472 ----a-w- c:\windows\system32\mkl_p3.dll
2010-05-13 00:13 . 2009-07-14 00:04 2441216 ----a-w- c:\windows\system32\mkl_def.dll
2010-05-13 00:13 . 2009-07-14 00:04 2174976 ----a-w- c:\windows\system32\mkl_lapack32.dll
2010-05-13 00:13 . 2009-07-14 00:04 2125824 ----a-w- c:\windows\system32\mkl_lapack64.dll
2010-05-13 00:13 . 2009-07-14 00:04 184320 ----a-w- c:\windows\system32\libguide40.dll
2010-05-13 00:13 . 2009-10-16 16:19 872448 ----a-w- c:\windows\system32\rapture3d_oal.dll
2010-05-13 00:13 . 2010-05-13 00:13 -------- d-----w- c:\program files\BRS
2010-05-13 00:12 . 2010-05-13 00:13 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-05-13 00:12 . 2010-05-13 00:12 -------- d-----w- c:\windows\system32\xlive
2010-05-13 00:12 . 2010-05-13 00:12 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-13 00:12 . 2010-05-13 00:12 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-13 00:12 . 2010-05-13 00:12 -------- d-----w- c:\program files\OpenAL
2010-05-12 23:56 . 2010-05-12 23:56 -------- d-----w- c:\program files\Codemasters
2010-05-12 17:55 . 2010-05-12 18:00 -------- d-----w- c:\program files\flashget
2010-05-12 09:45 . 2010-05-12 09:45 -------- d-----w- c:\programdata\createpart
2010-05-10 06:39 . 2010-05-11 03:04 -------- d-----w- c:\users\Codeman\AppData\Local\cyiydnqii
2010-05-03 02:25 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-03 02:25 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-03 02:25 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-03 02:25 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 15:42 . 2010-02-28 07:28 -------- d-----w- c:\programdata\NVIDIA
2010-05-28 13:50 . 2010-02-17 23:27 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-28 13:49 . 2010-02-17 23:26 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-27 02:17 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-25 17:02 . 2010-05-25 17:02 -------- d-----w- c:\program files\CCleaner
2010-05-13 03:00 . 2010-03-02 19:12 -------- d-----w- c:\program files\Nsasoft
2010-05-12 23:56 . 2010-02-17 17:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-12 16:21 . 2009-10-14 09:58 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 02:43 . 2010-04-26 07:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-10 02:08 . 2010-02-17 17:13 -------- d-----w- c:\program files\EA GAMES
2010-05-03 02:22 . 2010-02-20 15:59 -------- d-----w- c:\users\Codeman\AppData\Roaming\DAEMON Tools Lite
2010-04-29 20:39 . 2010-04-26 07:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-04-26 07:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 07:21 . 2010-04-27 07:21 -------- d-----w- c:\program files\WinPcap
2010-04-27 01:33 . 2010-04-26 06:26 2974 ----a-w- c:\users\Codeman\AppData\Local\Ktazupodovu.dat
2010-04-26 18:29 . 2009-07-13 23:13 1285712 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-26 07:07 . 2010-04-26 07:07 -------- d-----w- c:\users\Codeman\AppData\Roaming\Malwarebytes
2010-04-26 07:07 . 2010-04-26 07:07 -------- d-----w- c:\programdata\Malwarebytes
2010-04-26 06:26 . 2010-04-26 06:26 0 ----a-w- c:\users\Codeman\AppData\Local\Mmicurixu.bin
2010-04-23 07:13 . 2010-05-27 02:16 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-21 01:31 . 2010-02-17 22:26 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-04-14 14:10 . 2010-02-23 15:07 -------- d-----w- c:\programdata\Sonic
2010-04-07 13:10 . 2009-07-14 07:50 -------- d-----w- c:\program files\Windows Journal
2010-04-07 13:10 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar
2010-04-07 13:10 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Defender
2010-04-07 13:10 . 2009-07-14 04:52 -------- d-----w- c:\program files\DVD Maker
2010-04-07 10:15 . 2010-04-07 10:15 73416 ----a-w- c:\users\Codeman\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-03 20:14 . 2010-03-27 13:12 1770 ----a-w- c:\windows\system32\secushr.dat
2010-04-03 19:07 . 2010-04-03 19:07 6392168 ----a-w- c:\users\Codeman\AppData\Roaming\FlashGet\v3\dat\update\fgcnrc_20100312_1319_3.4.0.1098.exe
2010-03-27 23:18 . 2010-03-27 23:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 21:33 . 2010-05-03 02:26 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 18:30 . 2010-03-04 18:30 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-03-04 07:33 . 2010-05-27 02:16 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-03-03 15:24 . 2010-03-03 15:23 1696081 ----a-w- c:\windows\system32\wbem\WMIObjectsMigration.bin
2010-03-01 21:31 . 2010-03-01 21:31 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-02-28 17:40 . 2010-02-23 15:36 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-28 07:43 . 2010-02-28 07:43 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-17 15928]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPMonitor"="c:\program files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe" [2008-08-10 80368]
"Flashget"="c:\program files\flashget\flashget.exe" [2007-09-25 2007088]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2008-11-13 57344]
"Turtle Beach Riviera"="c:\program files\Turtle Beach\Riviera\TBRivieraTray.exe" [2009-08-15 1613824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-27 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\users\Codeman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-28 691696]
R2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [2008-08-14 367088]
R2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [2008-08-14 309744]
R2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [2008-08-14 170480]
R3 BioNT_BS;BioNT_BS; [x]
R3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [2008-08-14 313840]
R3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [2009-01-09 1122304]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2007-02-15 26624]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1343400]
S0 SahdIa32;HDD Filter Driver;c:\windows\System32\Drivers\SahdIa32.sys [2008-08-01 20464]
S0 SaibIa32;Volume Filter Driver;c:\windows\System32\Drivers\SaibIa32.sys [2008-08-01 15856]
S1 c2scsi;c2scsi;c:\windows\system32\DRIVERS\c2scsi.sys [2008-08-11 254320]
S1 SaibVd32;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVd32.sys [2008-08-01 25584]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [2008-08-01 125424]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-12 240232]
S3 DKRtWrt;DKRtWrt;c:\windows\system32\DRIVERS\DKRtWrt.sys [2009-10-21 45232]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]


--- Other Services/Drivers In Memory ---

*Deregistered* - gelfkbjq
.
Contents of the 'Scheduled Tasks' folder

2010-05-28 c:\windows\Tasks\Windows 7 Manager - Free Memory.job
- c:\program files\Yamicsoft\Windows 7 Manager\FreeMemory.exe [2010-01-01 06:42]

2010-05-14 c:\windows\Tasks\Windows 7 Manager Live Update.job
- c:\program files\Yamicsoft\Windows 7 Manager\LiveUpdate.exe [2009-05-09 12:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.speedbit.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\users\Codeman\AppData\Roaming\Mozilla\Firefox\Profiles\f22r4zhq.default\
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\gelfkbjq]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-05-28 10:47:59
ComboFix-quarantined-files.txt 2010-05-28 15:47

Pre-Run: 143,723,458,560 bytes free
Post-Run: 143,402,409,984 bytes free

- - End Of File - - A40452C6B4A1AD71701A074CF5E057D6

**********************************************************************************************************************************************

Gooredfix:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 11:24 on 28/05/2010 (Codeman)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========

(none)

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:37 16/02/2010]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [23:18 27/03/2010]

C:\Users\Codeman\Application Data\Mozilla\Firefox\Profiles\f22r4zhq.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{22119944-ED35-4ab1-910B-E619EA06A115}"="C:\Program Files\Siber Systems\AI RoboForm\Firefox" [13:49 17/02/2010]

---------- Old Logs ----------
GooredFix[16.22.30_28-05-2010].txt

-=E.O.F=-

#6 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 28 May 2010 - 10:54 AM

You need to follow my steps exactly; you didn't do my last step properly.


Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    
    :Services
    gelfkbjq
    :Reg
    
    :Files
    c:\users\Codeman\AppData\Local\cyiydnqii
    c:\users\Codeman\AppData\Local\Ktazupodovu.dat
    c:\users\Codeman\AppData\Local\Mmicurixu.bin
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#7 cody1

  • Group: Member
  • Posts: 24
  • Joined: 10-March 09

Posted 28 May 2010 - 11:49 AM

I'm sorry about that. Things aren't going exactly as you said they would. I did what you said but couldn't find a log that way. However, this popped up after my comp rebooted.

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
Error: No service named gelfkbjq was found to stop!
Service\Driver key gelfkbjq not found.
========== REGISTRY ==========
========== FILES ==========
c:\users\Codeman\AppData\Local\cyiydnqii folder moved successfully.
c:\users\Codeman\AppData\Local\Ktazupodovu.dat moved successfully.
c:\users\Codeman\AppData\Local\Mmicurixu.bin moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Codeman
->Temp folder emptied: 2254726 bytes
->Temporary Internet Files folder emptied: 400497 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 38907221 bytes
->Flash cache emptied: 778 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 40.00 mb



OTM by OldTimer - Version 3.1.12.0 log created on 05282010_123655

Files moved on Reboot...

Registry entries deleted on Reboot...

#8 cody1

  • Group: Member
  • Posts: 24
  • Joined: 10-March 09

Posted 28 May 2010 - 11:58 AM

I believe I found the file here; the path it was saved under was C:\_OTM\moved files
Sorry for the extra step.

How's it going so far?

#9 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 28 May 2010 - 12:10 PM

going good

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.





Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#10 cody1

  • Group: Member
  • Posts: 24
  • Joined: 10-March 09

Posted 28 May 2010 - 12:27 PM

Okay I will do as you say, thanks for being patient and for your time. I can't thank you enough for your help. I am getting the messages about the blocked websites again so I ran a quick mbam scan while we were doing this and the exact same thing is there. It got removed, but of course unless we find the source it will be back. I'm going to follow the steps in your last reply, just thought you should know. This thing is real pesky. Also, if I didn't have the malwarebytes protection module, I'm sure I would be getting the ave.exe virus right about now. I've had it a few times before and the malwarebytes protection module is the only thing that stops it from starting.

#11 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 28 May 2010 - 12:49 PM

Can you host the GMER log somewhere like mediafire.com and post the link to it here? The other method didn't work and I need to see that log.

#12 cody1

  • Group: Member
  • Posts: 24
  • Joined: 10-March 09

Posted 29 May 2010 - 06:51 AM

I did what you said.

MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4152

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/28/2010 1:39:34 PM
mbam-log-2010-05-28 (13-39-34).txt

Scan type: Quick scan
Objects scanned: 123329
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\gelfkbjq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

**********************************************************************************************************************************************



Kaspersky Online scan:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, May 29, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, May 28, 2010 19:57:32
Records in database: 4195545
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Objects scanned: 100420
Threats found: 12
Infected objects found: 12
Suspicious objects found: 0
Scan duration: 05:28:23


File name / Threat / Threats count
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent2.cqok 1
C:\Users\Codeman\Downloads\removewat.rar Infected: Trojan.Win32.Rozena.dyl 1
C:\Windows\System32\config\systemprofile\AppData\Roaming\scdata\dbsinit.exe Infected: Trojan.HTML.Fraud.bb 1
C:\Windows\System32\config\systemprofile\AppData\Roaming\scdata\wispex.html Infected: Trojan.HTML.Fraud.bb 1
D:\CODEMAN-MYPC\Backup Set 2010-05-21 041401\Backup Files 2010-05-21 041401\Backup files 1.zip Infected: Exploit.Java.Agent.f 5
D:\CODEMAN-MYPC\Backup Set 2010-05-21 041401\Backup Files 2010-05-21 041401\Backup files 1.zip Infected: Trojan-Downloader.Java.Agent.cd 1
D:\CODEMAN-MYPC\Backup Set 2010-05-21 041401\Backup Files 2010-05-21 041401\Backup files 1.zip Infected: Trojan-Downloader.Java.OpenStream.al 1
D:\CODEMAN-MYPC\Backup Set 2010-05-21 041401\Backup Files 2010-05-21 041401\Backup files 94.zip Infected: Trojan.Win32.Rozena.dyl 1

Selected area has been scanned.

*************************************************************************************************************************************************************************************************************

Hopefully my ark.txt file is accessible here: http://www.mediafire.com/?kylngzzz11j

#13 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 29 May 2010 - 08:01 AM

You need to format your K:\ and I:\ drives; they appear to be infected.


1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Drivers to delete:
gelfkbjq
Files to delete:
C:\Users\Codeman\Downloads\removewat.rar
C:\Windows\System32\config\systemprofile\AppData\Roaming\scdata\dbsinit.exe
C:\Windows\System32\config\systemprofile\AppData\Roaming\scdata\wispex.html
C:\Windows\system32\Drivers\gelfkbjq.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply



Then update MBAM, run a quick scan and post that log.

#14 cody1

  • Group: Member
  • Posts: 24
  • Joined: 10-March 09

Posted 29 May 2010 - 01:30 PM

Hi Rorschach! How are you doing? Thanks for talking me through this, you've given me hope!

Here are my logs:
(I deleted removewat.rar myself)

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gelfkbjq" deleted successfully.

Error: file "C:\Users\Codeman\Downloads\removewat.rar" not found!
Deletion of file "C:\Users\Codeman\Downloads\removewat.rar" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\System32\config\systemprofile\AppData\Roaming\scdata\dbsinit.exe" deleted successfully.
File "C:\Windows\System32\config\systemprofile\AppData\Roaming\scdata\wispex.html" deleted successfully.
File "C:\Windows\system32\Drivers\gelfkbjq.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

*********************************************************************************************************************************************************************************************************


MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4154

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/29/2010 2:08:38 PM
mbam-log-2010-05-29 (14-08-38).txt

Scan type: Quick scan
Objects scanned: 125788
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Note:

I ran a mbam scan prior to your post. I guess I should have waited but I don't like knowing that thing is working. It usually takes a day or so to show back up, so I'm going to wait and see what happens. Nothing was found this time, hopefully we got it with the avenger :)

#15 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 29 May 2010 - 02:21 PM

yep think that was it :)

nearly done now


  • Please download WVCheck by Artellos from one of the mirrors below;

  • After the download, run WVCheck.exe
  • As indicated by the prompt, This program can take a while depending on your hard drive space.
  • Once the program is done, copy the contents of the notepad file as a reply.




Please run the MGA Diagnostic Tool and post back the report it shall produce:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.




* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

