
CleanSweep and winsd Causing Broadband Problems


  • This topic is locked
49 replies to this topic

#1 havoc123

havoc123

  • Members
  • 32 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 19 February 2011 - 10:57 AM

To anyone reading this thread, thanks for taking the time to help me out.

Summary
The problem started when I was surfing the Internet, checking Google News on my laptop. The system seemed to freeze at that point so I restarted it by holding the power button (after trying the software shutdown and simply pressing the Power On button once). The laptop restarted just fine after that but my Internet would not work. To be specific, it was the wired broadband connection "Local Area Connection" that would not connect to the network. I restarted the connection, repaired it, even restarted the computer, but with no success.

I began to suspect that malware could be responsible. Sure enough, I had two infections on my computer. One was CleanSweep.exe, which I noticed as a new folder I had never seen before a few days ago. I updated MBAM and scanned the folder. Sure enough, it was caught as a Trojan Horse. I removed it and did a Quick Scan with MBAM this time. This scan caught winsd.exe, which MBAM called a "Backdoor.IRCBot". I removed these objects as well.

I am writing this thread on the computer that is infected. The wireless connection does work but the wired does not. I have scanned the computer several times with MBAM and no new infections found.


RAM Problems b/c of Malware
The malware had two interesting effects on my computer. The first is that the wired connection would not work. But the second is that when the malware was still lurking on my computer, the RAM usage would double. That is to say, every process on my computer started taking almost 4-5 times as much RAM as it normally does. I really do mean every process. For example, AppleMobileService.exe normally takes about 3 MB of RAM but with the malware, it took up almost 50 MB of RAM. Many system processes that normally take less than 10-20 MB of RAM now took up 60-80 MB of RAM.

My laptop has 2 GB of RAM. During a healthy startup, the OS and starting processes take up about 600 MB of RAM. This leaves around 1400 MB of RAM. With the malware, this would be reduced to about 700 MB of RAM. This meant that the malware was causing an additional 700 MB of RAM to be used up.

I am confident that the malware is/was causing this because when I removed the malware with MBAM, the next reboot was perfectly normal. A few reboots later, the malware was back. This whole time, my wired broadband was still disabled (and still is) by something the malware did so I am sure that I still have a latent infection somewhere. When the malware came back, the RAM usage increased as I described. When I removed it a second time, the system returned to normal after a reboot.

After the second wave of infection, I have not seen the malware again (it kept respawning in the main C drive folder) nor have I seen the increased RAM problem. I am sure both are interlinked in some way.


Requests
What I need is to make sure that there are no latent infections left on my computer. I also need to close any loopholes made by the malware (it increases vulnerabilities and opens holes in security to increase future malware attacks). Finally, it would be nice if someone could help me fix my wired broadband connection. (My wireless connection works fine and is what I am using at this point).

I am not sure which logs to include in this first post. I have the DDS, Attach, and GMER logs for anyone who needs them. I also have the old MBAM scans that I saved after removing each piece of malware if you want the specific name of the malware file. Please advise as to which logs should be posted. I will be checking this page every two hours today. Thanks again for the help.

EDIT: I have not used Combofix or any tool besides Quick Scans on MBAM. I didn't use Spybot either since MBAM works better.

Since I have not gotten a reply telling me that someone has even opened this thread, I will update the information I stated in the OP. It seems that cleansweep.exe is actually the SpyEye bot according to some people I have talked to. I have not acted on this information yet so I am still waiting for someone here on the Malware Removal Team to look at my problem. Thanks.

EDIT: Please be patient. There are over 130 unanswered topics in this forum at present and the current average wait time to receive help is 6 days. ~BP

Edited by Budapest, 21 February 2011 - 04:32 PM.




#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:13 PM

Posted 24 February 2011 - 06:56 PM

Hello and welcome to Bleeping Computer

My name is etavares and I will be working with you to fix your computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting. If you will be unable to respond (e.g. vacation, travel, etc.), please let me know ahead of time.
  • Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • If you have already posted a log, please do so again as instructed below, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log. Thanks and again sorry for the delay.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
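An added triage helper, not part of this thread and not part of OTL: it parses the PRC/SRV/DRV "SafeList" lines the OTL scan requested above produces and flags the entries a responder would look at first (no company name, orphaned "File not found" service registrations, binaries loaded from user-writable profile or Temp directories). The sample lines are copied from the OTL log posted later in the thread, plus one constructed Temp-directory entry for winsd.exe whose timestamp and size are invented.

```python
"""Triage helper for the PRC/MOD/SRV/DRV sections of an OTL log (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One OTL item line, e.g.
# DRV - [2008/04/14 22:43:00 | 000,278,728 | ---- | M] () [Kernel | Auto | Running] -- C:\...\atksgt.sys -- (atksgt)
# PRC lines have no trailing "-- (name)"; SRV/DRV lines may carry a free-text description after it.
ITEM_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"\[(?P<stamp>[^|\]]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[^|\]]+?) \| (?P<mark>\w)\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.*?)"
    r"(?: -- \((?P<name>[^)]*)\)(?P<desc>.*))?$"
)
# Service/driver whose registry entry points at a file that no longer exists:
# SRV - File not found [Disabled | Stopped] -- -- (avg8wd)
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]*)\] -- -- \((?P<name>[^)]*)\)$"
)

# Path fragments that place a binary under a user profile or temp directory, the kind of
# location where the winsd.exe from the MBAM log in this thread was dropped.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")


@dataclass
class Item:
    kind: str
    name: str
    path: str
    company: str
    state: str
    size: int
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Item]:
    """Parse one OTL item line; returns None for section headers, blanks and other text."""
    line = line.strip()
    m = MISSING_RE.match(line)
    if m:
        return Item(m["kind"], m["name"], "", "", m["state"], 0, ["file not found"])
    m = ITEM_RE.match(line)
    if not m:
        return None
    # PRC/MOD lines carry no service name, so fall back to the file name.
    name = m["name"] or m["path"].rsplit("\\", 1)[-1]
    return Item(m["kind"], name, m["path"], m["company"], m["state"] or "",
                int(m["size"].replace(",", "")))


def triage(item: Item) -> Item:
    """Attach review flags. These are prompts for a human reviewer, not verdicts."""
    if item.path and not item.company:
        item.flags.append("no company name")
    if any(frag in item.path.lower() for frag in USER_WRITABLE):
        item.flags.append("user-writable path")
    return item


def flagged_items(log_text: str) -> List[Item]:
    """Parse a whole OTL log and return only the items that received a flag, in log order."""
    out = []
    for line in log_text.splitlines():
        item = parse_line(line)
        if item and triage(item).flags:
            out.append(item)
    return out


# Excerpt of the OTL log posted later in this thread; the winsd.exe PRC line is constructed.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========

PRC - [2010/04/17 20:30:03 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [1999/10/07 12:43:34 | 000,469,504 | ---- | M] () -- C:\Program Files\RamBooster\Rambooster.exe
PRC - [2011/02/17 20:01:00 | 000,073,728 | ---- | M] () -- C:\Documents and Settings\Nilesh\Local Settings\Temp\winsd.exe

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (avg8wd)
SRV - [2008/03/01 00:35:06 | 000,126,976 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)

========== Driver Services (SafeList) ==========

DRV - [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)
"""

if __name__ == "__main__":
    for it in flagged_items(SAMPLE_LOG):
        print(f"{it.kind} {it.name:<16} [{it.state}] {it.path} -> {', '.join(it.flags)}")
```

A flag only means "look here first"; giveio.sys and Rambooster.exe are old unsigned utilities that a reviewer may well clear after checking them.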
 


#3 havoc123

havoc123
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 27 February 2011 - 06:59 PM

My situation has remained the same as the first post described. I did run the ESET scanner a few days ago and it also caught some things. I am running the OTL and GMER scans right now so if you need the original DDS logs or the ESET log, I can include those. I also have a MBAM log which is the first scan I did after finding out about the malware.

I don't currently see any popups or system crashes but I didn't see those when the malware was here either. The malware only became known to me when the network administrator informed me that my machine seems to have the SpyEye malware. I want to make sure there is no malware still hiding on the computer.

Will post again when OTL and GMER scans are done. Please inform as to if any previous scans are needed with the OTL/GMER scans.


System Information
OS = Windows XP Pro Version 2002 (Service Pack 3)

I do not have my original Windows CD. I do have an Acronis image of the system I did last week. I do have Recovery Console installed on my computer.

Edited by havoc123, 27 February 2011 - 07:05 PM.


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:13 PM

Posted 27 February 2011 - 07:14 PM

Hello, havoc123.

The new scans only are fine...the old ones are outdated at this point. I will warn you, a Backdoor.IRCBot and Trojan.Spyeye are backdoors.



Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please post the OTL and GMER logs you're working on.




etavares


 


#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:13 PM

Posted 27 February 2011 - 07:15 PM

on second thought, please include the original MBAM log as well.


 


#6 havoc123

havoc123
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 03 March 2011 - 08:02 PM

I will be away from my computer until Sunday morning on business so please don't lock this topic for a lack of replies. I will do fresh scans for what you told me to do and submit those in my next reply. Thanks for understanding.

#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:13 PM

Posted 04 March 2011 - 06:44 PM

Ok, thanks for letting me know. I'll look for your reply later this weekend.


 


#8 havoc123

havoc123
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 09 March 2011 - 12:40 PM

Sorry for the long wait. Ok, I got the DDS and Attach logs and I have the original MBAM log below. The OTL log is also below. However, the GMER scan would not complete. I tried this three times, each time taking about 6+ hours to go through and somewhere near the end, the scan would always freeze. I am not sure if this is because of possible malware or the long long scan times. GMER would start up fine and run correctly for the first 5 hours. After that, it would freeze up the whole computer (the explorer process seems to quit) and I would have to do a hard shutdown of the computer.

Since you didn't mention posting the DDS and Attach logs, I will hold them if you need them in a future post. These scans were all done a few days ago and I have not turned on the infected computer in question after the scans.

The DDS scans were done on March 3rd, and the OTL scan on March 4th. I don't have a GMER scan since the computer would freeze up before it would complete and I could save it.



Original MBAM Scan

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5743

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/17/2011 8:22:19 PM
mbam-log-2011-02-17 (20-22-19).txt

Scan type: Quick scan
Objects scanned: 147552
Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update (Backdoor.IRCBot) -> Value: Windows Update -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services (Backdoor.Bot) -> Value: Windows Services -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Nilesh\local settings\Temp\winsd.exe (Backdoor.IRCBot) -> Delete on reboot.



OTL Scan


OTL logfile created on: 3/4/2011 9:34:22 PM - Run 2
OTL by OldTimer - Version 3.2.22.2 Folder = C:\Documents and Settings\Nilesh\Desktop\Malware Cleanup
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 44.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 1024 3069 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 1.31 Gb Free Space | 1.18% Space Free | Partition Type: NTFS

Computer Name: NILESH-MAIN1 | User Name: Nilesh | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/27 18:51:37 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nilesh\Desktop\Malware Cleanup\OTL.exe
PRC - [2010/04/17 20:30:03 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/01/02 19:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2002/07/30 14:40:44 | 000,573,440 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
PRC - [2002/07/30 14:36:00 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
PRC - [2002/07/30 14:35:04 | 000,077,824 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
PRC - [1999/10/07 12:43:34 | 000,469,504 | ---- | M] () -- C:\Program Files\RamBooster\Rambooster.exe


========== Modules (SafeList) ==========

MOD - [2011/02/27 18:51:37 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nilesh\Desktop\Malware Cleanup\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 19:12:10 | 000,018,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wtsapi32.dll
MOD - [2008/04/13 19:12:09 | 000,053,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winsta.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (avg8wd)
SRV - [2010/05/25 12:50:38 | 017,420,168 | ---- | M] (Enterasys Networks, Inc) [Disabled | Stopped] -- C:\Program Files\Enterasys Networks\NAC Agent\NacAgtSv.exe -- (NACAgentService)
SRV - [2008/03/01 00:35:06 | 000,126,976 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)
SRV - [2007/10/30 20:51:44 | 000,492,720 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 20:07:38 | 000,427,288 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2002/08/14 18:21:16 | 000,200,704 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe -- (GhostStartService)
SRV - [2002/07/30 14:40:44 | 000,573,440 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2002/07/30 14:36:00 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2002/02/15 13:51:00 | 000,114,749 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\AWHOST32.EXE -- (awhost32)


========== Driver Services (SafeList) ==========

DRV - [2010/10/18 03:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101018.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/10/18 03:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101018.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/04/10 00:11:32 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/11/08 11:47:49 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/11/08 11:47:49 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/11/08 11:47:41 | 000,129,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/11/08 11:47:27 | 000,368,544 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2008/04/14 22:43:00 | 000,278,728 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2008/04/14 22:42:59 | 000,025,416 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2008/04/13 13:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 13:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/03/04 13:49:39 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/01/23 16:25:32 | 000,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tapvpn.sys -- (tapvpn)
DRV - [2007/05/11 02:10:50 | 000,034,704 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2007/05/09 00:59:40 | 000,036,496 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2007/03/16 20:10:56 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/03/05 05:00:04 | 000,027,792 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BlueletSCOAudio.sys -- (BlueletSCOAudio)
DRV - [2007/03/05 04:59:04 | 000,018,320 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btnetdrv.sys -- (BT)
DRV - [2007/03/05 04:56:18 | 000,035,600 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2007/03/05 04:55:12 | 000,020,880 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\vbtenum.sys -- (BTHidEnum)
DRV - [2007/03/05 04:53:18 | 000,044,304 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2007/03/05 04:52:18 | 000,034,448 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2006/11/21 21:41:18 | 000,022,416 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\Program Files\IVT Corporation\BlueSoleil\device\Win2k\BTNetFilter.sys -- (BTNetFilter)
DRV - [2006/11/21 06:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/09/24 08:28:47 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/09/15 21:52:12 | 000,124,016 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/05/24 00:06:36 | 001,578,496 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/03/24 19:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/14 19:28:38 | 000,307,968 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/07/12 21:00:30 | 000,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/03/03 12:53:57 | 000,048,640 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/02/23 10:59:54 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2004/07/27 15:05:06 | 000,015,744 | R--- | M] (PASCO scientific) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PSSensor.sys -- (PASCO) PASCO PASPORT USB Driver (PSSensor.sys)
DRV - [2003/11/30 12:43:57 | 000,021,888 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2003/08/01 17:47:24 | 000,029,239 | ---- | M] (Pinnacle Systems) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\vobid.sys -- (VOBID)
DRV - [2003/07/01 02:41:00 | 000,107,648 | R--- | M] (Cisco-Linksys LLC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vnetusbl.sys -- (USBNET)
DRV - [2003/03/29 09:45:18 | 000,089,184 | ---- | M] (Ahead Software AG and its licensors) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\imagedrv.sys -- (Imagedrv)
DRV - [2002/08/14 18:11:16 | 000,005,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec\Norton Ghost 2003\GhPciScan.sys -- (GhPciScan)
DRV - [2002/08/14 18:03:36 | 000,017,005 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002/06/19 23:57:14 | 000,029,184 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navapel.sys -- (NAVAPEL)
DRV - [2002/06/19 23:57:12 | 000,218,112 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navap.sys -- (NAVAP)
DRV - [2002/04/17 23:27:02 | 000,011,264 | ---- | M] (VOB Computersysteme GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\asapiW2k.sys -- (ASAPIW2K)
DRV - [2002/02/11 13:51:00 | 000,033,496 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\AW_HOST5.sys -- (AW_HOST)
DRV - [2001/10/09 13:50:00 | 000,014,944 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\GERNUWA.SYS -- (Gernuwa)
DRV - [2001/08/23 07:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2001/08/23 07:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001/08/17 07:49:00 | 000,075,136 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atimpae.sys -- (atirage3)
DRV - [2000/09/11 13:50:00 | 000,010,816 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\awlegacy.sys -- (awlegacy)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-515967899-854245398-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: john@velvetcache.org:1.3.3
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.38
FF - prefs.js..extensions.enabledItems: {ba243cb0-b824-4a26-9418-73ee795d9b9d}:0.7.5
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.14
FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.3.1
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947}:10.1.0
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/21 19:13:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/10 14:04:53 | 000,000,000 | ---D | M]

[2008/08/20 14:05:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Extensions
[2008/08/20 14:05:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Extensions\{6334D996-EA3E-4a0e-AA8D-15BA56B37241}
[2011/03/03 22:51:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions
[2011/02/11 19:27:40 | 000,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2010/08/18 11:37:10 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/02/22 16:54:57 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/03/01 18:01:45 | 000,000,000 | ---D | M] (Tamper Data) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
[2010/09/14 23:18:21 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/07/02 22:45:13 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2011/02/22 16:54:56 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/08/01 18:42:52 | 000,000,000 | ---D | M] (Bookmark Duplicate Detector) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{ba243cb0-b824-4a26-9418-73ee795d9b9d}
[2008/08/09 23:31:10 | 000,000,000 | ---D | M] (Media Pirate - The video downloader) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{cc265d3d-3f6f-0170-a78b-bbbaef7a868c}
[2010/08/19 11:33:39 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/03/08 18:06:26 | 000,000,000 | ---D | M] ("BetterPrivacy") -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/06/03 10:03:33 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/04/27 10:43:59 | 000,000,000 | ---D | M] (Torbutton) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
[2011/01/26 19:18:15 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/07/02 18:17:44 | 000,000,000 | ---D | M] (Firebug) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\firebug@software.joehewitt.com
[2010/09/04 09:37:27 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\firefox@ghostery.com
[2010/02/18 23:00:28 | 000,000,000 | ---D | M] (FoxSaver) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\foxsaver@www.foxsaver.com
[2010/08/22 10:34:57 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\foxyproxy@eric.h.jung
[2010/10/22 13:03:18 | 000,000,000 | ---D | M] (HTTPS-Everywhere) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\https-everywhere@eff.org
[2011/02/08 09:22:35 | 000,000,000 | ---D | M] (Beef Taco (Targeted Advertising Cookie Opt-Out)) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\john@velvetcache.org
[2010/09/14 23:18:20 | 000,000,000 | ---D | M] (Personas) -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\personas@christopher.beard
[2008/09/07 18:59:09 | 000,000,000 | ---D | M] ("Distrust") -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\trustme@gness.com
[2010/05/06 14:56:38 | 000,002,749 | ---- | M] () -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\searchplugins\cuil.xml
[2011/02/28 21:13:30 | 000,001,969 | ---- | M] () -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\searchplugins\duckduckgo.xml
[2011/02/28 21:25:18 | 000,001,223 | ---- | M] () -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\searchplugins\scroogle-ssl.xml
[2011/02/28 21:22:18 | 000,001,189 | ---- | M] () -- C:\Documents and Settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\searchplugins\scroogle.xml
[2011/03/03 22:51:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/10 14:04:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/01/10 14:04:32 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/01/10 14:04:29 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/02/11 21:46:01 | 000,000,170 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Catcher Class) - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll (Moyea Software Co., Ltd.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\S-1-5-21-515967899-854245398-725345543-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\S-1-5-21-515967899-854245398-725345543-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe ()
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKU\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKU\S-1-5-20..\Run: [c:\program file] Reg Error: Value error. File not found
O4 - HKU\S-1-5-21-515967899-854245398-725345543-1003..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-515967899-854245398-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-515967899-854245398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-515967899-854245398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-515967899-854245398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKU\S-1-5-21-515967899-854245398-725345543-1003\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-515967899-854245398-725345543-1003\..Trusted Domains: angernet.org ([]http in Trusted sites)
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268674720000 (WUWebControl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268674692265 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38055.5668981482 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.16.0.cab (SysInfo Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\System32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\System32\PCANotify.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Nilesh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nilesh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/03/09 17:56:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{38ae8e34-233e-11df-a597-0019b9765436}\Shell - "" = AutoRun
O33 - MountPoints2\{38ae8e34-233e-11df-a597-0019b9765436}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{38ae8e34-233e-11df-a597-0019b9765436}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{84eee7d4-f743-11de-a560-0019b9765436}\Shell - "" = AutoRun
O33 - MountPoints2\{84eee7d4-f743-11de-a560-0019b9765436}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{84eee7d4-f743-11de-a560-0019b9765436}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{84eee7d5-f743-11de-a560-0019b9765436}\Shell\AutoRun\command - "" = H:\BACKUP\RESTORE\ado.exe
O33 - MountPoints2\{84eee7d5-f743-11de-a560-0019b9765436}\Shell\open\command - "" = H:\BACKUP\RESTORE\ado.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/04 21:33:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Nilesh\Recent
[2011/02/25 21:31:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nilesh\My Documents\A5
[2011/02/25 19:18:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nilesh\Desktop\A5
[2011/02/22 11:38:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nilesh\My Documents\HIST 391
[2011/02/18 14:58:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nilesh\Desktop\Malware Cleanup
[2011/02/17 20:58:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nilesh\My Documents\democracy2
[2011/02/13 20:40:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nilesh\Desktop\A4
[2011/02/13 19:46:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nilesh\My Documents\A4
[2011/02/09 11:25:57 | 000,000,000 | ---D | C] -- C:\found.000
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/04 19:59:46 | 000,000,186 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2011/03/04 14:49:13 | 000,000,366 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2011/03/04 02:01:50 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/03 11:23:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/25 23:57:49 | 000,003,854 | ---- | M] () -- C:\Documents and Settings\Nilesh\Desktop\a5.rar
[2011/02/25 20:55:21 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\Nilesh\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2011/02/23 13:01:10 | 000,096,732 | ---- | M] () -- C:\On Wine Bullbleep.pdf
[2011/02/22 23:22:37 | 000,002,415 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Run Audiosurf.lnk
[2011/02/21 13:22:00 | 001,029,091 | ---- | M] () -- C:\PCI 2 Presentation.pdf
[2011/02/21 11:28:18 | 002,672,312 | ---- | M] () -- C:\esetsmartinstaller_enu.exe
[2011/02/18 18:35:33 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Nilesh\defogger_reenable
[2011/02/18 13:49:04 | 000,116,224 | ---- | M] () -- C:\Documents and Settings\Nilesh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/18 12:17:03 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2011/02/11 21:46:01 | 000,000,170 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2011/02/11 21:42:16 | 000,000,170 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110211-214601.backup
[2011/02/11 21:41:38 | 000,429,180 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110211-214216.backup
[2011/02/11 20:23:49 | 000,273,376 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/11 20:04:31 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/11 00:05:00 | 000,075,242 | ---- | M] () -- C:\Documents and Settings\Nilesh\My Documents\TranscriptRequestForm_new.pdf
[2011/02/07 06:14:57 | 000,078,866 | ---- | M] () -- C:\Mid1Practice.pdf
[2011/02/04 23:34:38 | 005,281,000 | ---- | M] () -- C:\16 - Lostprophets - To Hell We Ride.mp3
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/25 23:57:49 | 000,003,854 | ---- | C] () -- C:\Documents and Settings\Nilesh\Desktop\a5.rar
[2011/02/23 13:01:10 | 000,096,732 | ---- | C] () -- C:\On Wine Bullbleep.pdf
[2011/02/21 13:22:00 | 001,029,091 | ---- | C] () -- C:\PCI 2 Presentation.pdf
[2011/02/21 11:27:57 | 002,672,312 | ---- | C] () -- C:\esetsmartinstaller_enu.exe
[2011/02/18 18:35:26 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Nilesh\defogger_reenable
[2011/02/17 10:31:40 | 001,345,817 | ---- | C] () -- C:\Repetition in the Mahabharata.pdf
[2011/02/11 00:04:57 | 000,075,242 | ---- | C] () -- C:\Documents and Settings\Nilesh\My Documents\TranscriptRequestForm_new.pdf
[2011/02/04 23:32:58 | 005,281,000 | ---- | C] () -- C:\16 - Lostprophets - To Hell We Ride.mp3
[2010/04/02 19:24:33 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/06/26 18:08:51 | 000,139,152 | ---- | C] () -- C:\Documents and Settings\Nilesh\Application Data\PnkBstrK.sys
[2009/06/22 21:29:16 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2009/03/15 18:38:21 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/02/21 21:08:48 | 000,000,248 | ---- | C] () -- C:\WINDOWS\RomeTW.ini
[2009/01/19 12:35:21 | 000,000,016 | ---- | C] () -- C:\WINDOWS\ADAMGO.INI
[2008/12/28 16:44:55 | 000,059,904 | ---- | C] () -- C:\WINDOWS\zlib1.dll
[2008/12/28 16:44:53 | 000,193,024 | ---- | C] () -- C:\WINDOWS\binkw32.dll
[2008/10/19 20:41:06 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2008/07/17 20:13:18 | 000,000,397 | ---- | C] () -- C:\WINDOWS\CODUO.ini
[2008/06/09 16:53:06 | 000,000,868 | ---- | C] () -- C:\WINDOWS\CoD.ini
[2008/05/30 12:23:27 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/05/30 12:23:21 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/05/25 18:24:24 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\GkSui18.EXE
[2008/05/25 18:24:24 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Copy of GkSui18.EXE
[2008/05/22 17:18:54 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/04/14 22:43:00 | 000,278,728 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2008/04/14 22:42:58 | 000,025,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2008/03/01 00:35:06 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\UAService7.exe
[2008/02/08 17:57:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2008/01/02 00:09:06 | 000,000,172 | ---- | C] () -- C:\WINDOWS\Sierra.ini
[2007/12/31 20:06:48 | 000,003,134 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/10/30 11:54:28 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Nilesh\Application Data\AVSDVDPlayer.m3u
[2007/10/30 11:51:39 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/10/30 11:51:39 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/10/19 01:47:52 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2007/10/19 01:47:52 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2007/09/28 11:07:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/09/24 16:41:21 | 000,000,902 | ---- | C] () -- C:\WINDOWS\scummvm.ini
[2007/09/23 18:56:49 | 000,001,156 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/09/21 12:28:58 | 000,000,925 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2007/09/11 22:37:33 | 000,000,186 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2007/09/11 22:37:06 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2007/08/28 23:23:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/08/18 23:26:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2007/08/14 23:10:14 | 000,116,224 | ---- | C] () -- C:\Documents and Settings\Nilesh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/14 17:12:13 | 000,000,040 | ---- | C] () -- C:\WINDOWS\nero.INI
[2007/07/06 22:24:34 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2007/07/06 19:52:12 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2007/07/06 19:36:10 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Nilesh\Local Settings\Application Data\fusioncache.dat
[2007/07/06 19:09:32 | 000,127,614 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2007/07/06 19:02:32 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/07/06 19:02:31 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2007/07/06 19:02:30 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/07/06 18:53:45 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2004/03/09 21:13:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2004/03/09 20:44:37 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2004/03/09 20:44:36 | 000,000,847 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/03/09 20:41:38 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/03/09 17:59:11 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/03/09 17:53:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/03/09 16:51:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/03/09 09:48:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/03/09 09:47:40 | 000,273,376 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/08/06 19:23:08 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2003/05/28 19:37:44 | 000,394,240 | ---- | C] () -- C:\WINDOWS\System32\PSDrvCheck.exe
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/07/30 14:33:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,492,382 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,090,846 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2008/11/02 22:02:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2DBoy
[2010/05/19 19:08:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
[2011/02/13 16:19:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2007/08/31 16:06:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bluetooth
[2010/10/23 18:29:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CambridgeSoft
[2010/04/10 00:10:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2007/10/30 21:43:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Earthsim
[2007/08/22 14:50:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ENotebook 11.0
[2008/05/30 18:05:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
[2008/02/03 03:09:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HermitWorks
[2008/02/28 09:56:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2007/10/25 15:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2010/08/23 11:09:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NAC Assessment Agent
[2008/09/26 17:25:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2008/02/03 18:31:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2007/10/21 20:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\POP3Profiles
[2008/11/29 14:44:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Stardock
[2008/07/21 21:13:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/04/09 16:55:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ubisoft
[2004/03/09 21:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/06/16 18:08:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2009/04/01 15:27:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2011/01/10 08:18:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2008/12/24 14:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/11/08 11:56:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Acronis
[2011/01/18 19:54:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\.minecraft
[2010/05/19 19:08:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\abelhadigital.com
[2009/11/08 16:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Acronis
[2007/08/28 22:44:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\BitTorrent
[2009/03/11 16:54:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\ChaosPro
[2010/04/10 00:10:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\DAEMON Tools Lite
[2011/01/13 00:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Enthought
[2011/02/11 19:55:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Free Download Manager
[2008/11/29 12:51:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Gamelab
[2008/02/28 09:56:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\iolo
[2008/04/24 18:59:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Leadertech
[2007/11/05 19:21:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\LimeWire
[2008/03/16 00:53:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Lionhead Studios
[2008/08/11 17:04:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\LucasArts
[2008/06/15 13:49:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Moyea
[2007/08/12 16:45:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Musicmatch
[2008/12/28 16:37:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\My Games
[2008/08/20 14:05:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Participatory Culture Foundation
[2010/05/19 21:40:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\PCF-VLC
[2008/08/11 17:05:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Petroglyph
[2008/02/03 21:15:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\PlayFirst
[2007/11/27 20:08:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Rokario
[2010/02/13 22:27:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\ScummVM
[2008/11/29 12:49:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\Stardock
[2011/02/11 00:45:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\uTorrent
[2011/02/23 16:26:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nilesh\Application Data\WinFF

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[2010/12/31 08:10:33 | 001,854,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/03/09 09:47:00 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/03/09 09:47:00 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/03/09 09:47:00 | 000,401,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.* >
[2011/02/04 23:34:38 | 005,281,000 | ---- | M] () -- C:\16 - Lostprophets - To Hell We Ride.mp3
[2010/04/29 18:28:44 | 000,019,456 | ---- | M] () -- C:\2009ConservationBiology.xls
[2009/10/28 08:42:54 | 011,601,408 | ---- | M] () -- C:\2009Lecture 1Final - Introduction to development.ppt
[2009/10/28 08:44:07 | 004,801,536 | ---- | M] () -- C:\2009Lecture 2Final- Drosophila D-V axis.ppt
[2009/10/28 08:45:38 | 009,996,800 | ---- | M] () -- C:\2009Lecture 3 - Drosophila A-P axis_2.ppt
[2009/10/28 08:48:23 | 014,596,096 | ---- | M] () -- C:\2009Lecture 4 - Fertilization and cleavage.ppt
[2009/10/30 08:49:25 | 014,846,464 | ---- | M] () -- C:\2009Lecture 5 - Gastrulation.ppt
[2009/11/02 09:39:56 | 010,016,768 | ---- | M] () -- C:\2009Lecture 6- Axis determination in frog embryos.ppt
[2009/11/04 09:44:32 | 009,238,528 | ---- | M] () -- C:\2009Lecture 7- Molecular effectors of development in frogs.ppt
[2011/02/08 10:43:33 | 006,073,344 | ---- | M] () -- C:\401Feb8atmcirculation.ppt
[2010/04/02 16:09:48 | 011,762,725 | ---- | M] () -- C:\5 Ways Natal Will Ruin Halo.mov
[2010/04/30 19:52:44 | 007,228,928 | ---- | M] () -- C:\9A Invasives.ppt
[2010/05/01 12:37:01 | 005,693,414 | ---- | M] () -- C:\9C_ConBio_Rarity_ExSitu_Reintro.pptx
[2009/03/10 12:04:42 | 045,009,606 | ---- | M] () -- C:\A Fair(y) Use Tale.mp4
[2009/09/29 17:04:44 | 028,928,307 | ---- | M] () -- C:\A Few Words on Toonami.mp4
[2009/07/01 11:08:52 | 014,378,499 | ---- | M] () -- C:\A Lullaby For A Stormy Night.mp4
[2009/08/25 00:07:15 | 000,010,762 | ---- | M] () -- C:\acrocrashlog.html
[2010/09/18 19:10:36 | 000,090,710 | ---- | M] () -- C:\ActionTrip - Old Homepage.htm
[2010/09/20 21:44:44 | 000,192,594 | ---- | M] () -- C:\Add This.JPG
[2010/04/14 15:13:12 | 000,015,858 | ---- | M] () -- C:\Aggregate Expenditure Graph.JPG
[2010/12/15 23:39:59 | 000,065,536 | ---- | M] () -- C:\america.jpg
[2010/04/16 09:37:21 | 000,033,280 | ---- | M] () -- C:\Angiosperms Plant Notes.doc
[2010/09/30 02:31:03 | 005,704,704 | ---- | M] () -- C:\ANTH 145 (2010-2) Class 6 - The Earliest Stone Tools (upload).ppt
[2010/09/30 02:31:10 | 013,990,400 | ---- | M] () -- C:\ANTH 145 (2010-2) Class 7 - The Early Paleolithic Dispersal from Africa (Upload).ppt
[2009/09/14 17:14:43 | 000,024,672 | ---- | M] () -- C:\appointmentsummary.aspx.htm
[2004/03/09 17:56:41 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/12/07 20:31:07 | 000,009,760 | ---- | M] () -- C:\avatar659753_27.gif
[2010/07/20 12:18:47 | 002,133,536 | ---- | M] (AVG Technologies) -- C:\avg_free_stb_all_9_115_cnet.exe
[2010/04/10 14:27:36 | 157,661,610 | ---- | M] () -- C:\Backup of Registry.reg
[2010/02/26 00:07:33 | 002,161,906 | ---- | M] () -- C:\Battle Ignition.mp3
[2010/04/08 11:37:05 | 015,468,544 | ---- | M] () -- C:\Behavior and Conservation April 2009.ppt
[2010/04/09 22:49:26 | 000,191,897 | ---- | M] () -- C:\Bib Fortuna's Dance Party.gif
[2010/02/02 12:53:43 | 001,207,296 | ---- | M] () -- C:\Biodiversity 2 Slides.ppt
[2010/02/02 12:38:17 | 001,190,400 | ---- | M] () -- C:\Biodiversity Slides.ppt
[2010/03/26 01:25:23 | 000,034,304 | ---- | M] () -- C:\BIOL 271 plant hormones handout.doc
[2010/09/27 15:40:48 | 000,097,239 | ---- | M] () -- C:\Biol108_Fall2005_Exam1.pdf
[2010/09/27 15:46:02 | 000,008,776 | ---- | M] () -- C:\Biol108_Fall2005_Exam1.txt
[2010/02/23 21:58:09 | 000,290,430 | ---- | M] () -- C:\Blank Map of Southeast Asia.pdf
[2010/06/17 23:00:56 | 006,535,214 | ---- | M] () -- C:\Bookmarks
[2010/06/17 23:01:05 | 015,037,536 | ---- | M] () -- C:\Bookmarks.html
[2009/07/13 23:14:41 | 000,000,212 | ---- | M] () -- C:\Boot.bak
[2011/02/18 12:17:03 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/21 02:11:44 | 000,027,136 | ---- | M] () -- C:\Boreal Forest Presentation Notes.doc
[2010/04/21 02:12:14 | 012,822,528 | ---- | M] () -- C:\Boreal Forests Presentation.ppt
[2010/04/21 02:22:17 | 012,645,903 | ---- | M] () -- C:\Boreal Forests Presentation.zip
[2010/07/27 16:21:14 | 003,335,314 | ---- | M] () -- C:\Boys Like Girls - The Great Escape.mp3
[2010/07/13 22:41:03 | 035,155,773 | ---- | M] () -- C:\BreakingNCS Latest Vlog! (7_12_10).mp4
[2010/07/27 16:19:35 | 008,575,025 | ---- | M] () -- C:\Bt - The Great Escape.mp3
[2010/08/10 16:41:35 | 028,377,044 | ---- | M] () -- C:\Burn.zip
[2009/12/12 00:36:43 | 000,028,748 | ---- | M] () -- C:\Bush Ballot.jpg
[2010/10/31 17:34:04 | 000,689,202 | ---- | M] () -- C:\bwcliches.png
[2010/10/31 17:42:17 | 000,056,752 | ---- | M] () -- C:\Canada's Greatest Feat.jpg
[2010/04/28 19:54:05 | 000,047,847 | ---- | M] () -- C:\Carbon Dioxide Variations.JPG
[2010/09/18 22:36:47 | 039,626,738 | ---- | M] () -- C:\CJD Brain Killer Documentary.mp4
[2010/05/08 14:25:06 | 000,018,064 | ---- | M] () -- C:\Claim Submission.htm
[2010/04/14 15:20:13 | 000,010,865 | ---- | M] () -- C:\Classical Economics Graph.JPG
[2004/08/03 23:00:00 | 000,260,272 | -H-- | M] () -- C:\cmldr
[2010/04/19 13:13:08 | 000,007,160 | ---- | M] () -- C:\College Health Insurance Waiver.htm
[2010/02/23 22:07:31 | 000,375,325 | ---- | M] () -- C:\Color Map of Southeast Asia with Rivers.pdf
[2010/02/23 22:07:51 | 000,324,970 | ---- | M] () -- C:\Color Map of Southeast Asia.pdf
[2009/09/14 17:15:19 | 000,022,523 | ---- | M] () -- C:\committedregistration.aspx.htm
[2010/10/30 20:26:54 | 000,021,383 | ---- | M] () -- C:\CompanyMoraleOfficer Achievement.JPG
[2004/03/09 17:56:41 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/04/30 22:49:02 | 000,133,632 | ---- | M] () -- C:\Conservation Biology Exam 2 Take Home.doc
[2009/08/25 20:08:19 | 000,113,152 | ---- | M] () -- C:\Course Id.doc
[2010/04/03 22:15:43 | 018,970,155 | ---- | M] () -- C:\Cruel Angel Thesis Instrumental.mp4
[2010/10/30 20:28:31 | 000,039,791 | ---- | M] () -- C:\Custom Professional Achievement.JPG
[2010/03/26 01:26:00 | 000,704,000 | ---- | M] () -- C:\cytokinin pathway.ppt
[2011/01/18 17:54:53 | 000,108,403 | ---- | M] () -- C:\darth-vader-noooo.jpg
[2010/07/15 19:26:20 | 000,000,164 | ---- | M] () -- C:\Debug.log
[2010/04/30 22:49:26 | 003,733,504 | ---- | M] () -- C:\Disturbance Ecology Part 1.ppt
[2010/04/06 12:18:12 | 010,458,624 | ---- | M] () -- C:\Disturbance Ecology Part 2.ppt
[2010/10/10 15:12:55 | 000,053,760 | ---- | M] () -- C:\dq5honer-2.doc
[2009/10/11 01:29:07 | 004,068,864 | ---- | M] () -- C:\Drownin Pool - Tear Away.mp3
[2010/01/28 12:02:38 | 000,021,097 | ---- | M] () -- C:\dsds.rtf
[2010/04/10 00:09:46 | 009,591,104 | ---- | M] (DT Soft Ltd.) -- C:\DTLite4356-0091.exe
[2010/09/03 22:22:18 | 000,072,309 | ---- | M] () -- C:\Duke Nukem 3 Reaction.jpg
[2010/11/04 18:56:10 | 000,014,103 | ---- | M] () -- C:\duty_calls.png
[2010/07/31 22:27:15 | 003,645,568 | ---- | M] () -- C:\E Nomine - Das Omen.mp3
[2010/07/31 23:00:10 | 008,978,114 | ---- | M] () -- C:\E Nomine - Vater (Long).mp3
[2010/07/31 22:53:18 | 005,173,252 | ---- | M] () -- C:\E Nomine - Vater Unser Part II.mp3
[2010/07/31 22:49:23 | 002,591,149 | ---- | M] () -- C:\E Nomine - Vater Unser.mp3
[2010/02/26 00:49:12 | 000,415,744 | ---- | M] () -- C:\EC101_PracQ06_K.doc
[2010/02/26 00:45:34 | 000,104,960 | ---- | M] () -- C:\EC101_PracQ07_K.doc
[2010/04/29 19:18:24 | 000,028,672 | ---- | M] () -- C:\Econ 101 Final Exam Notes.doc
[2010/04/29 16:48:30 | 000,622,592 | ---- | M] () -- C:\Econ 101 Final Exam Study Guide.doc
[2010/04/30 00:29:28 | 000,097,280 | ---- | M] () -- C:\Econ 101 Notes.doc
[2010/03/24 15:16:45 | 000,012,384 | ---- | M] () -- C:\econ graph 1.JPG
[2010/04/05 10:03:22 | 000,019,968 | ---- | M] () -- C:\Econ Notes.doc
[2010/10/21 17:51:32 | 009,136,128 | ---- | M] () -- C:\Endemism in the Southeast.ppt
[2011/02/21 17:13:48 | 000,000,440 | ---- | M] () -- C:\ESET Scan.txt
[2011/02/21 11:28:18 | 002,672,312 | ---- | M] () -- C:\esetsmartinstaller_enu.exe
[2010/04/19 18:28:03 | 000,284,220 | ---- | M] () -- C:\Evil Forces in the Sky.jpg
[2010/08/04 22:06:16 | 000,097,591 | ---- | M] () -- C:\eviler than you.jpg
[2010/03/01 07:49:48 | 000,069,120 | ---- | M] () -- C:\Exam 2 Study Guide Answers.doc
[2010/02/27 16:45:43 | 000,068,096 | ---- | M] () -- C:\Exam 2 Study Guide.doc
[2010/03/26 01:41:45 | 000,032,768 | ---- | M] () -- C:\Exam 3 Study Guide.doc
[2010/03/05 23:10:28 | 000,075,776 | ---- | M] () -- C:\Exam1_Biology565_Spring2010 Patel.doc
[2010/03/01 22:28:15 | 000,040,448 | ---- | M] () -- C:\Exam1_Biology565_Spring2010.doc
[2010/04/30 22:44:01 | 000,133,632 | ---- | M] () -- C:\Exam2_2010_TAKEHOMEfin-1 - Dev Patel.doc
[2010/05/01 13:13:42 | 000,033,792 | ---- | M] () -- C:\Exam2_Bio565 2010 In Class - Dev Patel.doc
[2010/07/29 14:10:41 | 000,011,473 | ---- | M] () -- C:\Fall Payment Receipt.pdf
[2010/06/18 11:05:56 | 000,026,112 | ---- | M] () -- C:\FCC Comments on Network Neutrality.doc
[2010/05/04 23:01:05 | 000,042,496 | ---- | M] () -- C:\Final Exam Study Guidelines.doc
[2008/09/05 13:40:52 | 000,858,593 | ---- | M] () -- C:\First Aid Guide.pdf
[2009/11/05 21:19:33 | 000,070,808 | ---- | M] () -- C:\Flow Chart of Modern Warfare 2.png
[2010/05/01 13:17:14 | 008,264,192 | ---- | M] () -- C:\Fragmentation Slides.ppt
[2010/05/04 23:01:28 | 000,025,600 | ---- | M] () -- C:\Gametes Chart.doc
[2010/07/28 22:39:47 | 004,636,759 | ---- | M] () -- C:\GC2_DA_TOTH2.01_AND_DL1.53.rar
[2010/04/28 19:59:15 | 000,039,122 | ---- | M] () -- C:\Global Fossil Carbon Emissions.JPG
[2010/04/07 19:04:08 | 000,132,696 | ---- | M] () -- C:\Good Fast Food Service Part 1.jpg
[2010/04/07 19:04:24 | 000,134,839 | ---- | M] () -- C:\Good Fast Food Service Part 2.jpg
[2010/04/16 09:37:28 | 000,025,088 | ---- | M] () -- C:\Gymnosperms Plant Notes.doc
[2009/07/28 21:53:13 | 024,345,536 | ---- | M] () -- C:\Halo Music Video Hell.mp4
[2009/02/18 18:53:16 | 000,028,672 | ---- | M] () -- C:\Halo Server Commands.doc
[2010/03/29 14:35:17 | 010,369,674 | ---- | M] () -- C:\Heavy (Extended).mp3
[2009/09/29 16:46:13 | 033,991,420 | ---- | M] () -- C:\Hell.wmv
[2009/12/02 13:06:52 | 000,069,275 | ---- | M] () -- C:\hellsing vs twilight.jpg
[2010/10/26 18:43:43 | 000,033,280 | ---- | M] () -- C:\HH Debate.doc
[2010/03/15 14:06:49 | 000,150,730 | ---- | M] () -- C:\hosts.zip
[2010/10/30 19:33:10 | 000,071,173 | ---- | M] () -- C:\How Bowdaar Handles Falling Moons.JPG
[2009/11/10 14:43:55 | 000,065,097 | ---- | M] () -- C:\Hunter_screenshot.jpg
[2010/10/31 23:48:07 | 000,027,008 | ---- | M] () -- C:\Ignorance Luke and Leia.jpg
[2009/08/18 22:22:02 | 001,847,410 | ---- | M] () -- C:\immediate music - imperativa nc.mp3
[2009/08/18 22:21:58 | 002,254,085 | ---- | M] () -- C:\immediate music - imperativa.mp3
[2010/09/20 19:13:54 | 000,581,763 | ---- | M] () -- C:\InadequateProtection.jpg
[2011/02/02 16:10:26 | 001,232,576 | ---- | M] () -- C:\Infinite Knife Kill in COD.gif
[2010/04/06 14:54:03 | 001,098,752 | ---- | M] () -- C:\Intermediate Disturbance Hypothesis.ppt
[2004/03/09 17:56:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/11/17 10:56:44 | 000,025,600 | ---- | M] () -- C:\Key Factors for Eradication of Disease.doc
[2010/10/31 17:42:38 | 000,398,940 | ---- | M] () -- C:\Know Your Bioware Characters.jpg
[2009/08/25 12:49:51 | 003,990,287 | ---- | M] () -- C:\Lacuna Coil - The Ghost Woman And The Hunter.mp3
[2010/04/30 18:39:42 | 015,143,936 | ---- | M] () -- C:\Landscape Ecology.ppt
[2010/04/28 16:41:04 | 000,027,648 | ---- | M] () -- C:\Left Brain Assignment for Conservation Biology.doc
[2010/11/25 18:47:16 | 012,351,103 | ---- | M] () -- C:\Living Inside The Shell.mp3
[2010/08/18 20:25:26 | 000,157,106 | ---- | M] () -- C:\Makeup of the Internet.jpg
[2010/05/11 15:47:55 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2009/12/06 03:47:13 | 002,306,858 | ---- | M] () -- C:\Metal Gear Solid 2 and 3 Theme (Eminence Symphony Orchestra).mp3
[2011/02/07 06:14:57 | 000,078,866 | ---- | M] () -- C:\Mid1Practice.pdf
[2010/04/26 00:40:13 | 002,629,412 | ---- | M] () -- C:\mindless self indulgence - 08 - animal.mp3
[2010/10/01 19:50:27 | 000,029,696 | ---- | M] () -- C:\Mock NIH Panel Homework Assignment 2010-1.doc
[2010/04/09 22:47:18 | 000,048,912 | ---- | M] () -- C:\Mount Darthmore (In Dooku We Trust).jpg
[2004/03/09 17:56:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/04/14 22:50:23 | 009,851,595 | ---- | M] () -- C:\Muse - Undisclosed Desires.mp3
[2010/04/09 22:41:32 | 000,033,024 | ---- | M] () -- C:\My Schwartz is Bigger than Lonestar's.jpg
[2011/02/07 12:05:02 | 000,390,964 | ---- | M] () -- C:\Net_Neutrality Failure.png
[2010/10/30 19:44:51 | 000,039,843 | ---- | M] () -- C:\Never Tell Me The Odds.JPG
[2010/05/21 14:05:45 | 158,620,794 | ---- | M] () -- C:\Norton Fix Registry Backup.reg
[2007/07/06 19:58:43 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/05/07 16:45:59 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/11/13 19:46:09 | 000,043,614 | ---- | M] () -- C:\nuhzptgv.jpg
[2010/07/27 13:17:43 | 001,806,810 | ---- | M] () -- C:\OMBD.NET.100723a.zip
[2010/07/27 13:18:45 | 002,127,410 | ---- | M] () -- C:\ombd.zip
[2011/02/23 13:01:10 | 000,096,732 | ---- | M] () -- C:\On Wine Bullbleep.pdf
[2010/10/30 20:31:16 | 000,033,338 | ---- | M] () -- C:\One in a Million Shot(s).jpg
[2010/07/27 13:18:45 | 002,127,114 | ---- | M] () -- C:\otbd.zip
[2011/03/03 11:23:24 | 1073,741,824 | -HS- | M] () -- C:\pagefile.sys
[2009/11/12 12:02:11 | 000,041,494 | ---- | M] () -- C:\pc vs console.jpg
[2010/03/26 00:38:24 | 003,414,016 | ---- | M] () -- C:\Photosynthesis Notes.doc
[2010/03/26 00:41:22 | 000,034,816 | ---- | M] () -- C:\Photosynthesis Study Guide Key.doc
[2010/03/24 09:46:30 | 000,030,720 | ---- | M] () -- C:\Photosynthesis Study Guide.doc
[2010/07/30 20:34:14 | 002,392,414 | ---- | M] () -- C:\Pictures Taken at Exactly The Right Moment.flv
[2010/04/12 02:33:13 | 000,221,184 | ---- | M] () -- C:\Pine Tree Lifecycle.ppt
[2004/03/09 20:33:09 | 000,017,218 | ---- | M] () -- C:\PkgClnup.log
[2010/01/21 22:55:23 | 004,747,929 | ---- | M] () -- C:\Placebo - Running Up That Hill.mp3
[2010/05/03 16:16:14 | 000,027,648 | ---- | M] () -- C:\Plant Biology Final Exam Study Guide.doc
[2010/03/26 01:27:25 | 035,365,888 | ---- | M] () -- C:\plant hormone class.ppt
[2010/02/17 01:29:10 | 000,037,888 | ---- | M] () -- C:\Plant Project Paper - Rice.doc
[2010/04/25 21:15:40 | 000,028,160 | ---- | M] () -- C:\Pollination Paper Final.doc
[2010/04/25 15:33:29 | 000,036,352 | ---- | M] () -- C:\Pollination Paper.doc
[2010/04/28 07:43:03 | 000,033,280 | ---- | M] () -- C:\Pollination Presentation Notes.doc
[2010/04/28 00:38:29 | 007,379,456 | ---- | M] () -- C:\Pollination Presentation.ppt
[2010/04/25 13:41:15 | 000,030,208 | ---- | M] () -- C:\Pollinator Notes.doc
[2010/08/01 08:43:55 | 007,863,311 | ---- | M] () -- C:\Portal - Credits Song _Still Alive_ [www.keepvid.com].flv
[2010/08/01 08:43:58 | 006,286,826 | ---- | M] () -- C:\Portal - Credits Song _Still Alive_ [www.keepvid.com].mp4
[2010/02/15 17:48:28 | 000,021,504 | ---- | M] () -- C:\PRESENTATIONS2010.doc
[2010/03/23 17:21:16 | 000,161,113 | ---- | M] () -- C:\pretending to do science.jpg
[2009/10/01 22:08:12 | 000,033,792 | ---- | M] () -- C:\Problem Set 5 Mitochondria.doc
[2009/09/26 14:58:06 | 000,035,840 | ---- | M] () -- C:\Real Men Use Windows 98.doc
[2010/04/28 19:44:43 | 000,058,361 | ---- | M] () -- C:\Reconstructed Global Temperatures (10000 Years).JPG
[2010/04/28 19:43:47 | 000,050,169 | ---- | M] () -- C:\Reconstructed Global Temperatures (2000 Years).JPG
[2010/03/21 13:13:33 | 000,793,223 | ---- | M] () -- C:\Recursion.gif
[2010/04/26 09:10:07 | 000,024,064 | ---- | M] () -- C:\Requirements for Pollination Presentation.doc
[2010/11/23 04:46:14 | 000,011,849 | ---- | M] () -- C:\Resume 1.rtf
[2010/02/17 02:31:54 | 000,057,820 | ---- | M] () -- C:\rice - brown.JPG
[2010/02/17 02:34:44 | 000,047,634 | ---- | M] () -- C:\rice - white.JPG
[2010/02/17 02:11:22 | 000,036,359 | ---- | M] () -- C:\rice 2.JPG
[2010/02/17 02:18:25 | 000,036,587 | ---- | M] () -- C:\rice genome.JPG
[2010/02/17 03:01:21 | 003,089,920 | ---- | M] () -- C:\Rice Plant Presentation.ppt
[2010/02/17 01:50:09 | 000,055,570 | ---- | M] () -- C:\rice.JPG
[2010/09/18 01:45:23 | 000,215,646 | ---- | M] () -- C:\Road of Fish.jpg
[2010/10/13 23:14:09 | 004,202,033 | ---- | M] () -- C:\Savage Garden - You Can Be Free.mp3
[2010/10/04 01:38:12 | 000,070,489 | ---- | M] () -- C:\Schrodinger's Fridge.gif
[2010/04/28 17:26:20 | 000,026,624 | ---- | M] () -- C:\Service Assignment and Garden Tour.doc
[2010/05/21 13:26:30 | 002,387,529 | ---- | M] () -- C:\sigmatel_hdaudio_5106230_xp32.zip
[2010/02/23 21:57:12 | 000,028,160 | ---- | M] () -- C:\Southeast Asia Map Key.doc
[2010/05/01 12:23:35 | 006,498,816 | ---- | M] () -- C:\Species Interactions and Communities.ppt
[2010/04/10 00:21:22 | 000,880,624 | ---- | M] (Duplex Secure Ltd.) -- C:\SPTDinst-v162-x86.exe
[2010/04/26 23:13:18 | 018,219,482 | ---- | M] () -- C:\Star Trek vs. Star Wars.mp4
[2010/04/09 22:43:08 | 000,221,167 | ---- | M] () -- C:\Star Wars Action Hips.gif
[2010/12/03 14:09:41 | 000,033,792 | ---- | M] () -- C:\Statement of Intent.doc
[2010/02/26 00:06:53 | 002,553,952 | ---- | M] () -- C:\Storm Center.mp3
[2010/11/05 08:53:43 | 000,024,064 | ---- | M] () -- C:\Story of Sucralose.doc
[2010/03/21 13:13:45 | 000,062,139 | ---- | M] () -- C:\tactical_facepalm.jpg
[2010/04/27 22:08:47 | 000,033,280 | ---- | M] () -- C:\The 12 Threads Revisited.doc
[2010/04/28 22:42:06 | 000,752,128 | ---- | M] () -- C:\The Carbon Argument for Conservation Final Version.doc
[2010/04/28 22:41:32 | 000,766,464 | ---- | M] () -- C:\The Carbon Argument for Conservation.doc
[2010/02/27 15:48:35 | 000,626,206 | ---- | M] () -- C:\The Faust Table of MTW 2 Stats.pdf
[2010/10/05 20:54:43 | 005,214,610 | ---- | M] () -- C:\This Is Why I Cancelled Cable.jpg
[2011/03/03 22:36:12 | 001,673,216 | -HS- | M] () -- C:\Thumbs.db
[2010/11/30 18:51:17 | 000,486,656 | ---- | M] () -- C:\vbulletin4_logo.gif
[2010/05/21 15:15:24 | 084,535,835 | ---- | M] () -- C:\vd315402.xdb
[2010/02/05 11:24:23 | 004,854,654 | ---- | M] () -- C:\Voyage to Avalon.mp3
[2010/08/02 14:45:58 | 000,585,254 | ---- | M] () -- C:\wallpaper_lodgings.jpg
[2010/03/24 11:47:40 | 000,038,400 | ---- | M] () -- C:\Wednesday Questions.doc
[2009/07/28 21:05:31 | 018,934,588 | ---- | M] () -- C:\When Your Evil - The Yellow Dart.wmv
[2010/04/22 13:13:26 | 000,024,576 | ---- | M] () -- C:\White's Tour Notes.doc
[2010/09/20 19:14:33 | 000,174,904 | ---- | M] () -- C:\WhowantstobeamillionaireWRONG.jpg
[2009/09/11 11:09:17 | 013,039,543 | ---- | M] () -- C:\Windows 95 Start-Up Theme Beat Video.mp4
[2009/09/11 10:05:36 | 001,823,880 | ---- | M] () -- C:\Windows 95 Start-Up Theme Beat.mp3
[2011/02/23 11:18:06 | 000,052,808 | ---- | M] () -- C:\winphone-7-brick-ars-thumb-640xauto-19757.jpg
[2010/04/09 22:40:09 | 000,027,736 | ---- | M] () -- C:\Wishful Thinking.jpg
[2010/04/09 22:41:38 | 000,025,510 | ---- | M] () -- C:\Wookie Wallace.jpg
[2010/09/30 02:31:18 | 009,418,752 | ---- | M] () -- C:\World Prehistory (2010-2) Class 10 - Symbolic Behavior in the Paleolithic (upload).ppt
[2010/09/30 02:31:24 | 010,338,816 | ---- | M] () -- C:\World Prehistory (2010-2) Class 11 - Pleistocene Colonizations of Australonesia and the Americas (upload).ppt
[2010/09/30 02:31:15 | 013,337,088 | ---- | M] () -- C:\World Prehistory (2010-2) Class 9 - Middle Paleolithic (upload).ppt
[2010/10/07 23:36:39 | 002,999,402 | ---- | M] () -- C:\You're Going Down.mp3
[2009/11/10 21:54:03 | 000,967,151 | ---- | M] () -- C:\Yuri Lowenthal - Animation and Video Games.mp3
[2009/11/10 21:55:45 | 002,504,969 | ---- | M] () -- C:\Yuri Lowenthal - Commercials.mp3
[2004/03/09 20:34:24 | 000,022,618 | -H-- | M] () -- C:\_NavCClt.Log

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2003/06/18 20:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2002/06/07 12:13:04 | 000,145,168 | ---- | M] (Pharos Systems Limited) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\unipcpnt.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< End of report >



Incomplete GMER Scan

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-06 12:36:53
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120822AS rev.3.CDD
Running: gmer.exe; Driver: C:\DOCUME~1\Nilesh\LOCALS~1\Temp\fflcrpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

#9 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 09 March 2011 - 02:08 PM

Hello, havoc123.


P2P Warning and Request
The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case uTorrent/BitTorrent). These programmes allow users to share files with each other, as the name suggests. In today's world, cyber crime has come a long way, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide not to uninstall it, please refrain from using it until I let you know your computer is clean.




Trusted Zone Warning

Having trusted sites may not be a good idea. The reason I say it's not a good idea is that the security settings for the Internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking of that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites to the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access, or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
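As an added check (this script is mine, not part of the thread or etavares' instructions), the same Trusted Zone list can be read straight from the registry with PowerShell, which is quicker than clicking through Internet Options and can be run for each user profile. It assumes the standard ZoneMap\Domains layout and PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): audit Internet Explorer security-zone
# assignments instead of clicking through Tools > Internet Options > Security.
# IE stores per-site zone assignments as registry subkeys under ZoneMap\Domains;
# each subkey holds DWORD values named after a scheme (http, https, ftp, file, *)
# whose data is the zone id. A site added to Trusted sites gets zone id 2.
# Note: IP-address ranges live under ZoneMap\Ranges and are not covered here.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-IEZoneAssignments {
    param(
        # HKCU holds the current user's own list; HKLM is consulted when the
        # "Security Zones: Use only machine settings" policy is in effect.
        [string[]]$Roots = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
        )
    )
    $schemes = @('http', 'https', 'ftp', 'file', '*')
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $rootName = (Get-Item -LiteralPath $root).Name
        # Subkeys nest from domain to host: Domains\example.com\www -> www.example.com
        foreach ($key in Get-ChildItem -LiteralPath $root -Recurse) {
            $relative = $key.Name.Substring($rootName.Length).TrimStart('\')
            $parts = $relative -split '\\'
            [array]::Reverse($parts)
            $site = $parts -join '.'
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($schemes -notcontains $p.Name) { continue }
                $zone = [int]$p.Value
                if ($ZoneNames.ContainsKey($zone)) { $name = $ZoneNames[$zone] } else { $name = "Unknown($zone)" }
                New-Object -TypeName PSObject -Property @{
                    Hive   = $root.Split(':')[0]
                    Site   = $site
                    Scheme = $p.Name
                    ZoneId = $zone
                    Zone   = $name
                }
            }
        }
    }
}

# Report every assignment, then single out the Trusted sites entries the post warns about.
$assignments = @(Get-IEZoneAssignments)
$assignments | Format-Table Hive, Site, Scheme, ZoneId, Zone -AutoSize
$trusted = @($assignments | Where-Object { $_.ZoneId -eq 2 })
if ($trusted.Count -gt 0) {
    Write-Warning ("{0} Trusted sites entries found; remove any you did not add deliberately." -f $trusted.Count)
} else {
    Write-Host 'No sites are assigned to the Trusted sites zone.'
}
```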
 


#10 havoc123
  • Topic Starter
  • Members
  • 32 posts

Posted 12 March 2011 - 12:32 PM

I may be unable to upload the Combofix scan until Monday night due to a lack of free time and the need for data backups. There is plenty of important data on that laptop and, while it is disconnected from the internet, I need to back up the needed files. I am aware that any one of them could contain malware, but if my laptop is bricked, that is my only alternative. If the scan goes fine, I won't need those backups. Will post by Monday night on the results of the scan.

#11 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 13 March 2011 - 06:46 AM

OK, thanks for letting me know...backing up is always a good idea.




#12 havoc123
  • Topic Starter
  • Members
  • 32 posts

Posted 14 March 2011 - 09:48 PM

Ok, I tried to run ComboFix but the first two runs did not complete properly. The system basically froze and after 1.5 hours, I gave up and quit the process.

Does this mean that there is stuff I need to clean up because of the failed scans with ComboFix? Any scripts you have in mind? Hopefully this will not be a problem.

The third scan was successful and the log entry is located below. ComboFix did note that this file was trying to attach itself to Combofix during the start of the scan so it was disabled. I think "bonjour" is part of iTunes but I am not sure.

I already had Windows Recovery Console installed from a previous use of Combofix. There are no adverse symptoms as of yet (I will inform you if any pop up). The computer actually seems a bit faster than before the Combofix scan, if anything.

EDIT: The file deleted was winsvcxxxx.exe in the main C drive folder. Not sure if this is actually winsvc.exe under a different name.


Disabled Process
C:\Program Files\Bonjour\mdnsNSP.dll


ComboFix Log

ComboFix 11-03-14.02 - Nilesh 03/14/2011 22:04:28.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1203 [GMT -4:00]
Running from: c:\documents and settings\Nilesh\Desktop\Malware Cleanup\etavaresCF.exe
.
The following files were disabled during the run:
c:\program files\Bonjour\mdnsNSP.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
C:\winsvcxxxx.exe
c:\winsvcxxxx.exe\winsvcxxxx.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-02-21 16:27 . 2011-02-21 16:28 2672312 ----a-w- C:\esetsmartinstaller_enu.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-03-09 21:55 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-03-09 21:55 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 03:35 . 2011-02-08 03:35 11464440 ----a-w- C:\ova_dreamnote_demo.zip
2011-02-07 23:21 . 2011-02-07 23:20 38036516 ----a-w- C:\ova_mofuku_demo.zip
2011-02-02 07:58 . 2004-03-09 21:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-03-09 21:55 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-03-09 21:57 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-10 19:04 . 2011-01-10 19:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-10 19:04 . 2011-01-10 19:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-07 14:09 . 2001-08-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2001-08-23 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2010-03-14 03:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-03-14 03:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 22:15 . 2006-06-23 18:33 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2007-07-07 00:52 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26 . 2001-08-23 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30 . 2007-07-07 00:52 369664 ------w- c:\windows\system32\html.iec
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RamBooster"="c:\program files\RamBooster\Rambooster.exe" [1999-10-07 469504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-05-29 394240]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-17 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 18:51 24638 ------w- c:\windows\system32\PCANotify.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NAC Assessment Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NAC Assessment Agent.lnk
backup=c:\windows\pss\NAC Assessment Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
backup=c:\windows\pss\PASPortal.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Registration Prince of Persia T2T.LNK]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Registration Prince of Persia T2T.LNK
backup=c:\windows\pss\Registration Prince of Persia T2T.LNKStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Registration The Political Machine.LNK]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Registration The Political Machine.LNK
backup=c:\windows\pss\Registration The Political Machine.LNKStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Ubisoft register.lnk]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Ubisoft register.lnk
backup=c:\windows\pss\Ubisoft register.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-10-31 01:07 140568 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-31 01:11 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2003-11-30 15:06 177152 ------w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-11-07 19:16 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2002-08-14 23:21 94208 ------w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-05-15 00:03 1103216 ----a-w- c:\program files\IGN\Download Manager\DLM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 15:06 11776 ------w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-19 15:06 110592 ------w- c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-25 00:30 282624 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-10-31 01:06 2595616 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-06-03 00:27 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 14:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
2005-03-29 01:24 28616 ----a-w- c:\program files\WildTangent\Apps\CDA\GameDrvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NACAgentService"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"UserAccess7"=2 (0x2)
"MSSQL$CSSQL05"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"GhostStartService"=2 (0x2)
"avg8wd"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"=
"c:\\Complete Junk\\ut\\New Folder\\fd\\Splinter Cell Chaos Theory\\Chaos Theory Rip\\TC[1].SC.CT\\Tom Clancy's Splinter Cell\\System\\SPLINTERCELL3.EXE"=
"c:\\Program Files\\DeusEx\\System\\DeusEx.exe"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Uplink\\uplink.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Battlefront\\GameData\\Battlefront.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict - DEMO\\wic.exe"=
"c:\\Program Files\\Ubisoft\\Stardock\\PolMachine\\PolMachine.exe"=
"c:\\Program Files\\Enterasys Networks\\NAC Agent\\NacAgent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [8/1/2003 6:47 PM 29239]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 7:11 PM 5632]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S2 mrtRate;mrtRate; [x]
S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [7/27/2004 4:05 PM 15744]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\vnetusbl.sys [7/6/2007 9:18 PM 107648]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S4 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
S4 NACAgentService;NAC Agent Service;c:\program files\Enterasys Networks\NAC Agent\NacAgtSv.exe [5/25/2010 1:50 PM 17420168]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-03-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-03-10 21:26]
.
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: angernet.org
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Tamper Data: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947} - %profile%\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: Beef Taco (Targeted Advertising Cookie Opt-Out): john@velvetcache.org - %profile%\extensions\john@velvetcache.org
FF - Ext: Bookmark Duplicate Detector: {ba243cb0-b824-4a26-9418-73ee795d9b9d} - %profile%\extensions\{ba243cb0-b824-4a26-9418-73ee795d9b9d}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: GoogleEnhancer: {21e48e29-f574-4619-b65d-0f00eea92e5b} - %profile%\extensions\{21e48e29-f574-4619-b65d-0f00eea92e5b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-winsvcxxxx.exe - c:\winsvcxxxx.exe\winsvcxxxx.exe
HKU-Default-Run-winsvcxxxx.exe - c:\winsvcxxxx.exe\winsvcxxxx.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
AddRemove-Galactic Civilizations II - c:\progra~1\Stardock\TOTALG~1\GalCiv2\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 22:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%æ*y*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%æ*y*\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ad,9c,05,41,54,0b,b2,6c,05,c6,06,69,30,39,aa,fb,3f,06,6a,3c,87,a2,49,
fb,25,d0,af,8a,66,40,fa,35,28,85,d3,34,5a,97,d7,f7,18,ff,e2,fe,c3,c6,23,fc,\
"??"=hex:a8,04,cb,18,bb,e2,29,4d,6d,18,e5,45,3e,b7,15,cf
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(620)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-14 22:33:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-15 02:33
.
Pre-Run: 1,572,147,200 bytes free
Post-Run: 1,515,515,904 bytes free
.
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - D1E46A6B507176E7A2AE4790639170C0

Edited by havoc123, 14 March 2011 - 09:49 PM.


#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:13 PM

Posted 14 March 2011 - 10:11 PM

Hello, havoc123.

That's OK, thanks for letting me know. We do need to run it another time.





Step 1



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
Driver::
mrtRate
RegLockDel::
[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%*y*]
[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%*y*\OpenWithList]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
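The log posted above and the CFScript in this reply both turn on a few high-signal lines: the Security Center "AntiVirusOverride" value set to 1 (which the script resets to 0), a service such as mrtRate with no image file behind it, the orphaned HKCU Run entry pointing at c:\winsvcxxxx.exe, and a non-default Firefox proxy setting. The Python script below is an added example, not ComboFix's code and not part of this thread: it parses ComboFix-style log lines and reports those indicators so a responder can see at a glance what needs attention. The sample log lines embedded in it are constructed, modelled on the log above. The reading of the service prefix (R/S for running/stopped, the digit for start type) and the meaning of the Firefox network.proxy.type values are assumptions based on the ComboFix and Firefox conventions, not anything stated in the thread.

```python
"""Scan ComboFix-style log lines for a few high-signal indicators.

Added example; not ComboFix's code. The sample below is constructed,
modelled on the log posted in this thread.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (indicator, detail)

# Constructed sample in the shape ComboFix prints (not a real capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S2 mrtRate;mrtRate; [x]
S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [7/27/2004 4:05 PM 15744]
.
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-winsvcxxxx.exe - c:\winsvcxxxx.exe\winsvcxxxx.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
.
**************************************************************************
"""

# Security Center values that, when non-zero, stop Windows XP/Vista from
# warning that antivirus or firewall protection is missing or disabled.
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
OVERRIDE_VALUES = {"antivirusoverride", "firewalloverride",
                   "antivirusdisablenotify", "firewalldisablenotify"}

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# Service line (assumed ComboFix convention): R/S = running/stopped,
# digit = start type, then name;display name;image path [details]
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (\d+)$")
ORPHAN_HEADER = "ORPHANS REMOVED"

# Directories where legitimate autostart binaries usually live (heuristic).
EXPECTED_DIRS = (r"c:\program files", r"c:\progra~1", r"c:\windows",
                 r"c:\documents and settings")


def parse_log(text: str) -> List[Finding]:
    """Return (indicator, detail) pairs for the suspicious lines in text."""
    findings: List[Finding] = []
    current_key = ""
    in_orphans = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("****"):
            in_orphans = False  # a section divider ends the orphan list
            continue
        if ORPHAN_HEADER in line:
            in_orphans = True
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = REG_DWORD_RE.match(line)
        if m and current_key == SECURITY_CENTER_KEY:
            name, value = m.group(1), int(m.group(2), 16)
            if name.lower() in OVERRIDE_VALUES and value != 0:
                findings.append(("security_center_override", f"{name}={value}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, _display, rest = m.groups()
            # "[x]" = no image path recorded; "--> ... [?]" = path recorded
            # but the file is not on disk. Either way the service is dangling.
            if rest.endswith("[x]") or rest.endswith("[?]"):
                findings.append(("service_missing_binary", f"{name} ({state}{start})"))
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            proxy_type = int(m.group(1))
            # Assumed Firefox meaning: 0 none, 5 system; 1 manual, 2 PAC,
            # 4 WPAD auto-detect deserve a second look on a cleaned machine.
            if proxy_type not in (0, 5):
                findings.append(("browser_proxy_set", f"network.proxy.type={proxy_type}"))
            continue
        if in_orphans and " - " in line:
            entry, path = line.split(" - ", 1)
            findings.append(("orphan_autostart", entry))
            if not path.lower().startswith(EXPECTED_DIRS):
                findings.append(("unusual_location", path))
    return findings


if __name__ == "__main__":
    for indicator, detail in parse_log(SAMPLE_LOG):
        print(f"{indicator:26s} {detail}")
```

Run against the constructed sample, the script reports the overridden Security Center value, the two services with no binary behind them, the Firefox proxy setting, both orphaned autostart entries, and flags the winsvcxxxx path as living outside the usual program directories.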
 


#14 havoc123

havoc123
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:13 PM

Posted 15 March 2011 - 08:11 PM

Etavares, if I needed to run Combofix one more time, how does this affect the script you gave me? My brother turned on the laptop and connected to the Internet before I told him it was ok. Now popups are occasionally coming up. Should I run Combofix one more time or not?

As for the files Combofix deleted, one of them seems to be from Daemon Tools Lite which I use to mount ISOs. I am not sure if Combofix caused this but the program no longer works. The error message is located below.

There are some other files deleted including one from a game called Galactic Civilizations II. Would this affect any uninstalls of the game? The list of deleted files from Combofix are below.

Basically the first two files in the list below are of concern to me. Thumbs.db also is a file that I have seen since I first got my computer but I don't think I need it since it is running stably right now.

Any ideas? Should I go ahead and re-run Combofix? Are the Registry Backup files important at all?


EDIT: I have confirmed the loss of the ability to uninstall both Daemon Tools Lite and Galactic Civilizations II from the Control Panel. The game does not come with an uninstaller. I don't want to uninstall Daemon Tools Lite if it is in "pieces" with some deleted by Combofix.



Error Message for Daemon Tools Lite
Initialization error 0.
This program requires at least Windows 2000 with SPTD 1.43 or higher.
Kernal debugger must be deactivated.



List of Quarantined Files
2011-03-15 02:32:16 . 2011-03-15 02:32:16 696 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Galactic Civilizations II.reg.dat
2011-03-15 02:32:01 . 2011-03-15 02:32:01 638 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DAEMON Tools Lite.reg.dat
2011-03-15 02:32:01 . 2011-03-15 02:32:01 574 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AVG8_TRAY.reg.dat
2011-03-15 02:31:53 . 2011-03-15 02:31:53 136 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-winsvcxxxx.exe.reg.dat
2011-03-15 02:31:51 . 2011-03-15 02:31:51 134 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-winsvcxxxx.exe.reg.dat
2011-03-15 01:56:13 . 2011-03-15 01:56:15 130,048 ----a-w- C:\Qoobox\Quarantine\C\Thumbs.db.vir
2011-03-15 01:42:06 . 2011-03-15 02:14:38 12,413 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-03-15 01:08:24 . 2011-03-15 02:01:41 204 ----a-w- C:\Qoobox\Quarantine\catchme.log

Edited by havoc123, 15 March 2011 - 10:01 PM.


#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:13 PM

Posted 15 March 2011 - 10:25 PM

You can go ahead and run the script. If it sees anything else, it will take care of it.

In regards to Daemon Tools and Galactic Civilizations, those were already gone before Combofix was run. Perhaps they were infected? Those entries you point out are not files, but registry entries that are orphaned. E.g. they reference a file that is not there. Your best bet is to reinstall both programs when we are done. Nothing we've done will bring them back as they were already gone.

Registry backups are important, but rest assured, we have them in this case.

As for thumbs.db, that is a Windows file that is hidden in many folders; it's just very odd to have one in C:\. Not having it isn't a big deal; if Windows needs it again, it will just create it.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 




