Old 10-23-2009, 06:46 PM   #21 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 28
OS: xp


Re: Cannot delete file AUTORUN.INF

Hi EB,

When I tried it, unlocker gave a false notification that said 'The Object was deleted' ... but the folder zzzzz still remains in the drive D. Even after I rebooted my system, it is still there. Seems nothing happened.

Does it have something to do with 'permission'? I was doing all the fixes so far as Administrator.

Well, I am more curious about this folder.

Best Regards,
rappokalling is offline  
Old 10-24-2009, 04:25 PM   #22 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

Hello.

Let's try the following to delete that folder by giving your user account (Herman Nehru) full control...

Please go to Start >> Run... >> In the open field box type in the following: cmd

Now press Ok.

This shall open a black command prompt window. Please copy the following line below, then right-click and press Paste in the command prompt window:

cacls D:\zzzzz /G Herman Nehru :F

Then press Enter on your keyboard.

You shall then receive a message saying it was completed successfully. Now try to delete that folder.

--

Then, if it doesn't get deleted I want to see what message OTM says deleting that folder..

Download and Run OTM
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop. If you are running Vista, right click on the file and choose Run As Administrator.
  3. Paste the following code under the Paste Fix Here area. Do not include the word "Code".
    Code:
    :files
    D:\zzzzz
    D:\uo
    :commands
    [EmptyTemp]
    [Reboot]
  4. Click the large MoveIt button.
  5. If OTM requires a reboot, please allow it to do so.
  6. Copy/Paste the contents under the Results line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

~Extremeboy
extremeboy is offline  
Old 10-24-2009, 09:31 PM   #23 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 28
OS: xp


Re: Cannot delete file AUTORUN.INF

Thanks EB,

I have tried the Command Prompt. When I entered "cacls D:\zzzzz /G Herman Nehru :F" ... I received this:

Invalid arguments. Displays or modifies access control lists (ACLs) of files.

CACLS filename [/T] [/E]
... and so on. But I didn't receive a message saying 'It was completed successfully'.

What should I do? I have downloaded OTM but not run it yet due to the matter above, or should I just run OTM?

Best Regards,
rappokalling is offline  
Old 10-25-2009, 08:03 AM   #24 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

That was my mistake.. Sorry, please continue with running OTM.
extremeboy is offline  
Old 10-25-2009, 08:23 PM   #25 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 28
OS: xp


Re: Cannot delete file AUTORUN.INF

Hi EB,

Thanks for your help.

This is what OTM did to the folder. After trying to delete it, it rebooted my system, but the folder still remains. ... I tried to delete it manually as well but no result ... what a tough one!

All processes killed
========== FILES ==========
Folder move failed. D:\ZZZZZ\ZZZZZZ.ZZ\com1.{d3e34b21-9d75-101a-8c3d-00aa001a1652}\úø . scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ\ZZZZZZ.ZZ\com1.{d3e34b21-9d75-101a-8c3d-00aa001a1652} scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ\ZZZZZZ.ZZ scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ scheduled to be moved on reboot.
File/Folder D:\zzzzzz.zz not found.
File move failed. D:\com1 scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Herman Nehru
->Temp folder emptied: 1036992 bytes
File delete failed. C:\Documents and Settings\Herman Nehru\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 5387183 bytes
->FireFox cache emptied: 165781493 bytes
->Google Chrome cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: TEMP
->Temp folder emptied: 212992 bytes
->Temporary Internet Files folder emptied: 402 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 2686548 bytes
RecycleBin emptied: 35495577 bytes

Total Files Cleaned = 202.89 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10262009_094741

Files moved on Reboot...
File D:\ZZZZZ\ZZZZZZ.ZZ\com1.{d3e34b21-9d75-101a-8c3d-00aa001a1652}\úø . not found!
File move failed. D:\ZZZZZ\ZZZZZZ.ZZ\com1.{d3e34b21-9d75-101a-8c3d-00aa001a1652} scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ\ZZZZZZ.ZZ\com1.{d3e34b21-9d75-101a-8c3d-00aa001a1652}\úø . scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ\ZZZZZZ.ZZ\com1.{d3e34b21-9d75-101a-8c3d-00aa001a1652} scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ\ZZZZZZ.ZZ scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ\ZZZZZZ.ZZ\com1.{d3e34b21-9d75-101a-8c3d-00aa001a1652}\úø . scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ\ZZZZZZ.ZZ\com1.{d3e34b21-9d75-101a-8c3d-00aa001a1652} scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ\ZZZZZZ.ZZ scheduled to be moved on reboot.
Folder move failed. D:\ZZZZZ scheduled to be moved on reboot.
File move failed. D:\com1 scheduled to be moved on reboot.

Registry entries deleted on Reboot...
rappokalling is offline  
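The thread never says why the OTM log's `com1.{…}` and `úø .` components keep failing; the added Python example below (not from the thread, OTM or ComboFix) flags path components that ordinary Win32 file APIs cannot address, namely reserved device names such as COM1 and names ending in a dot or space, and builds the `\\?\` form of the path that bypasses Win32 name normalisation so a removal tool can reach them. It assumes the paths from the log as constructed test data, and that this naming, rather than permissions, is what blocked the earlier deletion attempts.

```python
# Added example (not from the thread, OTM or ComboFix): flag path components that
# ordinary Win32 file APIs cannot address, and build the "\\?\" form that bypasses
# Win32 name normalisation. Sample paths are the ones from the OTM log (constructed test data).
import os
import re
import shutil

# Win32 treats these base names as devices regardless of extension, so
# "com1.{guid}" is the COM1 device, not a folder, to cacls/Unlocker/Explorer.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)

_DRIVE_RE = re.compile(r"[A-Za-z]:$")


def reserved_base(component: str):
    """Return the reserved device name that `component` maps to, or None."""
    base = component.split(".", 1)[0].rstrip(" ").upper()
    return base if base in RESERVED_DEVICE_NAMES else None


def unreachable_components(path: str):
    """List (component, reason) pairs explaining why normal tools cannot open `path`."""
    findings = []
    for comp in re.split(r"[\\/]+", path):
        if not comp or _DRIVE_RE.match(comp):
            continue
        name = reserved_base(comp)
        if name:
            findings.append((comp, f"reserved device name {name}"))
        if comp != comp.rstrip(" ."):
            # Win32 silently strips trailing dots/spaces, so the real name never reaches the kernel.
            findings.append((comp, "trailing space or dot"))
    return findings


def extended_length_path(path: str) -> str:
    r"""Prefix an absolute drive path with \\?\ so the kernel gets the name verbatim."""
    if path.startswith("\\\\?\\"):
        return path
    if not re.match(r"[A-Za-z]:\\", path):
        raise ValueError("expected an absolute drive path such as D:\\ZZZZZ")
    return "\\\\?\\" + path


def remove_tree_verbatim(path: str) -> None:
    r"""Delete `path` recursively through its \\?\ form; Windows only, needs rights on the tree."""
    if os.name != "nt":
        raise OSError("extended-length paths are only meaningful on Windows")
    shutil.rmtree(extended_length_path(path))


if __name__ == "__main__":
    # Paths taken from the OTM log in the thread (constructed test data).
    for p in (
        r"D:\ZZZZZ\ZZZZZZ.ZZ\com1.{d3e34b21-9d75-101a-8c3d-00aa001a1652}\úø .",
        r"D:\com1",
        r"D:\zzzzz",
    ):
        print(p, "->", unreachable_components(p) or "reachable by normal APIs")
```

Names like these are created deliberately both by autorun-protection utilities and by malware, so identify which created the tree before removing it.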
Old 10-26-2009, 03:05 PM   #26 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

Hello.

Let's try something else here..

Please download SWXCACLS from this page and save it to your C:\Windows folder: http://www.xs4all.nl/~fstaal01/swxcacls-us.html (The download link is near the bottom)

Next, please open cmd.

To do this, please go to Start >> Run... >> In the open field box type in the following: cmd

Now press Ok.

This shall open a black command prompt window. Please copy the following line below, then right-click and press Paste in the command prompt window:

SWXCACLS D:\ZZZZZ /RESET

Then press Enter on your keyboard.

You shall then receive a message saying it was processed successfully. Now try to delete that folder.

If it doesn't work, try the following in the cmd window:

SWXCACLS D:\ZZZZZ /OA

This will give the Administrators group ownership; then try deleting it with administrative powers. Let me know how it goes.

With Regards,
Extremeboy
extremeboy is offline  
Old 10-26-2009, 07:16 PM   #27 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 28
OS: xp


Re: Cannot delete file AUTORUN.INF

Hello EB.

I have used the method you asked me to, but this folder still does not go away from my drive. It gave the same message as before: '.... Cannot find the specified file ...'.

I wonder what this folder/file really is ... I'm still good to go to kill this.

Best Regards,
rappokalling is offline  
Old 10-27-2009, 03:10 PM   #28 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Code:
    KillAll::
    Folder::
    D:\ZZZZZ
    D:\com1
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
extremeboy is offline  
Old 10-27-2009, 10:36 PM   #29 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 28
OS: xp


Re: Cannot delete file AUTORUN.INF

Hello EB,

Well, the folder zzzzz HAS GONE!!!!! after running the last ComboFix scan .... Yeaaaaah ....

Hope that this annoying folder's gone forever and never comes to my laptop anymore. ... if it is .... well BRAVO BRAVO BRAVO ... EB. YOU'RE THE MAN!!! Yeaaaahh. Thank you, bro ... much appreciated and I've learned a lot in this forum.

However, as I see, I need to post the log. I hope it is a good result.

Thank you and best regards,

ComboFix 09-10-20.03 - Herman Nehru 10/28/2009 12:09.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1790.1246 [GMT -7:00]
Running from: c:\documents and settings\Herman Nehru\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Herman Nehru\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\ZZZZZ

- 2009-07-11 19:55 . 2009-10-18 08:08 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-07-11 19:55 . 2009-10-23 00:01 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2009-07-11 19:55 . 2009-10-18 08:08 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-10-23 15:49 . 2009-10-23 15:49 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_2ce4c314\System.dll
+ 2009-10-23 06:15 . 2009-10-23 06:15 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_0496b928\System.dll
+ 2009-10-23 15:48 . 2009-10-23 15:48 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_61295da8\System.Xml.dll
+ 2009-10-23 15:49 . 2009-10-23 15:49 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_3ad4b375\System.Xml.dll
+ 2009-10-23 15:49 . 2009-10-23 15:49 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_df2e35b0\System.Windows.Forms.dll
+ 2009-10-23 15:48 . 2009-10-23 15:48 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_b91e972a\System.Windows.Forms.dll
+ 2009-10-23 15:49 . 2009-10-23 15:49 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_4c530024\System.Drawing.dll
+ 2009-10-23 15:49 . 2009-10-23 15:49 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_f10948fb\System.Design.dll
+ 2009-10-23 15:48 . 2009-10-23 15:48 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_1eee0ac3\System.Design.dll
+ 2009-10-23 15:49 . 2009-10-23 15:49 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_b2606a27\mscorlib.dll
+ 2009-10-23 15:49 . 2009-10-23 15:49 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_885bb94a\mscorlib.dll
- 2009-07-31 16:01 . 2009-07-31 16:01 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-10-23 06:15 . 2009-10-23 06:15 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2009-07-31 16:01 . 2009-07-31 16:01 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-23 06:15 . 2009-10-23 06:15 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-08-11 04:08 . 2009-08-11 04:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-18 19:50 . 2009-08-18 19:50 12022272 c:\windows\Installer\e8314a.msp
+ 2009-08-10 21:09 . 2009-08-10 21:09 17254912 c:\windows\Installer\1095774.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13537280]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-29 86016]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-06-05 821768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-12 1028096]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-09-12 811008]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-05-25 303376]
"flockbox"="c:\program files\My Lockbox\flockbox.exe" [2007-12-14 1071472]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"00saskda"="c:\program files\1st Security Agent\newlock.exe" [2009-06-18 1457344]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-29 1630208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-05-13 16862720]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Hyperdesk_uninst0.lnk - c:\documents and settings\All Users\Application Data\The Skins Factory\Hyperdesk\HyperdeskEngine.exe [2009-9-27 1273856]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
Hyperdesk_uninst0.lnk - c:\documents and settings\All Users\Application Data\The Skins Factory\Hyperdesk\HyperdeskEngine.exe [2009-9-27 1273856]

c:\documents and settings\Herman Nehru\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-8-24 3581680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-11 576104]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)
"HideShutdownScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoWelcomeScreen"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)
"HideSCANetwork"= 0 (0x0)
"HideSCAPower"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 1 (0x1)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 22:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fsproflt]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Herman Nehru^Start Menu^Programs^Startup^DesktopVideoPlayer.LNK]
backup=c:\windows\pss\DesktopVideoPlayer.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Herman Nehru^Start Menu^Programs^Startup^Styler.lnk]
backup=c:\windows\pss\Styler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [8/19/2009 22:23 43792]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 20:41 33808]
R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [10/4/2009 21:50 17264]
R2 DeskSaverService;DeskSaverService;c:\program files\1st Security Agent\newlock.exe [10/13/2009 13:52 1457344]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [8/19/2009 22:23 73392]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [8/10/2009 18:57 603904]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 20:59 19472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [7/11/2009 15:28 154624]
S2 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\RTPSvc.exe --> c:\windows\system32\RTPSvc.exe [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [7/13/2009 18:21 36608]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/3/2004 15:56 14336]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\windows\TEMP\drv1.tmp --> c:\windows\TEMP\drv1.tmp [?]
S3 plkusbser;PROLiNKU6 USB Device for Legacy Serial Communication;c:\windows\system32\drivers\plkusbser.sys [7/11/2009 15:56 99456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce0d351b-6e6d-11de-bfbf-906212db8de3}]
\Shell\AutoRun\command - E:\QsSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
"c:\program files\Windows Sidebar\sidebar.exe" /RegServer
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 23:28]

2009-10-28 c:\windows\Tasks\User_Feed_Synchronization-{E3CD1275-2939-4B63-B05D-BE902B8818D5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.id/
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Herman Nehru\Application Data\Mozilla\Firefox\Profiles\nk4rik1i.default\
FF - prefs.js: keyword.URL - hxxp://ide.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_ide&p=
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Herman Nehru\Application Data\Mozilla\Firefox\Profiles\nk4rik1i.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\NPOFF12.DLL
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\nppl3260.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 12:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NTProcDrv]
"ImagePath"="\??\c:\windows\TEMP\drv1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):87,2d,c3,ce,b9,a4,9b,4f,ee,59,ba,03,35,42,2d,61,ea,34,96,06,2c,
65,99,e3,86,40,49,42,37,54,ca,4e,6c,0e,a2,93,7a,c4,10,02,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{fc28d12f-953c-4768-98c7-cebe59a1a05e}]
@Denied: (Full) (Everyone)
"Model"=dword:00000106
"Therad"=dword:0000000e
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,98,07,ff,fc,5d,
df,1c,2f,3b,8a,0a,32,11,89,01,b5,d6,31,95,fc,65,93,df,8b,66,88,7c,1a,78,15,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll

- - - - - - - > 'explorer.exe'(572)
c:\windows\system32\WININET.dll
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\windows\system32\SearchIndexer.exe
c:\combofix\CF25464.exe
c:\windows\system32\RUNDLL32.EXE
c:\docume~1\HERMAN~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 12:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 19:17
ComboFix2.txt 2009-10-22 17:09
ComboFix3.txt 2009-10-15 21:51

Pre-Run: 28,998,942,720 bytes free
Post-Run: 29,011,202,048 bytes free

- - End Of File - - D23D61CC29402D92489AFCA03A453E6A
rappokalling is offline  
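The ComboFix log above carries several indicators a responder would want to pull out mechanically rather than by eye: services whose image file could not be read (ComboFix prints `[?]` in the bracket where the file date and size would normally be, and shows the resolved path after `-->`), a driver registered from `c:\windows\TEMP`, the Security Center `DisableMonitoring` values, the disabled standard-profile firewall, a cached removable-drive autorun command under `mountpoints2`, and the CLSID keys whose ACL denies Everyone. The following is an added example, not part of the thread and not ComboFix's own code: a small Python triage script that reads a ComboFix log and reports those indicators. The sample input is a handful of lines copied from the log above and embedded so it runs offline; the finding names are my own labels, and the reading of the `[?]` marker is my interpretation of the log format.

```python
import re

# Constructed sample input: a handful of lines copied from the ComboFix log posted
# above, so the triage runs offline. A real run would read C:\ComboFix.txt instead.
SAMPLE_LOG = r"""
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-05-25 303376]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 20:41 33808]
S2 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\RTPSvc.exe --> c:\windows\system32\RTPSvc.exe [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\windows\TEMP\drv1.tmp --> c:\windows\TEMP\drv1.tmp [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce0d351b-6e6d-11de-bfbf-906212db8de3}]
\Shell\AutoRun\command - E:\QsSetup.exe
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"""

# ComboFix service line: "<start type> <name>;<display name>;<image path> [<date size>]".
# When the image file could not be read, the bracket holds "?" instead of date and
# size, and "-->" shows the path the service entry resolves to (my reading of the format).
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)\s+\[([^\]]*)\]\s*$')
TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)
NT_PREFIX = '\\??\\'


def parse_service(line):
    """Return a dict for a ComboFix service/driver line, or None for anything else."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    start, name, display, image, info = m.groups()
    if ' --> ' in image:
        image = image.split(' --> ', 1)[1]
    if image.startswith(NT_PREFIX):
        image = image[len(NT_PREFIX):]
    return {'start': start, 'name': name, 'display': display,
            'image': image.strip(), 'info': info.strip()}


def triage(log_text):
    """Walk the log once and collect (kind, where, detail) findings."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Registry key headers set the context for the value lines that follow.
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1]
            continue
        svc = parse_service(line)
        if svc is not None:
            if svc['info'] == '?':
                findings.append(('service-image-missing', svc['name'], svc['image']))
            if TEMP_DIR_RE.search(svc['image']):
                findings.append(('service-image-in-temp', svc['name'], svc['image']))
            continue
        key = (current_key or '').lower()
        if line.startswith('@Denied:'):
            # ComboFix's "locked registry keys" section: an ACL denying Everyone hides
            # the key from regedit and from ordinary cleanup tools.
            findings.append(('locked-key', current_key, line))
        elif 'security center\\monitoring' in key and re.match(r'^"DisableMonitoring"=dword:0*1$', line):
            # Security Center told to stop reporting AV/firewall state.
            findings.append(('securitycenter-monitoring-disabled', current_key, line))
        elif 'firewallpolicy' in key and re.match(r'^"EnableFirewall"=\s*0\b', line):
            findings.append(('firewall-disabled', current_key, line))
        elif 'mountpoints2' in key and line.lower().startswith('\\shell\\autorun\\command'):
            # Cached autorun.inf command for a removable drive (the subject of this thread).
            command = line.split(' - ', 1)[1] if ' - ' in line else line
            findings.append(('removable-autorun', current_key, command))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a quick overview."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == '__main__':
    for kind, where, detail in triage(SAMPLE_LOG):
        print('%-34s %s\n    %s' % (kind, where, detail))
```

Run against the full log, the script only narrows the list; each hit still needs a human decision, since a legitimately uninstalled product also leaves a service entry with `[?]`, as the PCMAV entry above may well be.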
Old 10-28-2009, 02:08 PM   #30 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

You're welcome. I would also like to thank Tetonbob for mentioning it to me as well, to script it out with ComboFix. I wasn't thinking too hard on something else when this could have been dealt with easily, and thought more of the perms side. Glad it's removed; thanks, Bob.

Just a few things we can remove and we should be good.

Please update ComboFix. This can be done when ComboFix prompts you to update itself instead of running in "Reduced Functionality". Alternatively, you can delete the existing copy of ComboFix you have and re-download a new copy from one of those 2 links to your desktop.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Code:
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{fc28d12f-953c-4768-98c7-cebe59a1a05e}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    File::
    c:\windows\popcinfo.dat
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

I suggest you not use the beta copy of Firefox (Mozilla Firefox 3.5 Beta 4); instead, download the latest version and uninstall the beta copy.

Let me know how your computer is running now as well.

Thanks.

~Extremeboy
extremeboy is offline  
Old 10-28-2009, 08:52 PM   #31 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 28
OS: xp


Re: Cannot delete file AUTORUN.INF

Hello EB,
and thank you, Tetonbob, for your assistance as well ... greatly appreciated.

Currently, my system is running well; I find no suspicious activity here. Hope so ...

The following is the log from combofix. Hopefully, it looks good.

Best Regards,

ComboFix 09-10-28.01 - Herman Nehru 10/29/2009 10:28.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1790.1375 [GMT -7:00]
Running from: c:\documents and settings\Herman Nehru\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Herman Nehru\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\popcinfo.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\popcinfo.dat

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-26 16:47 . 2009-10-26 16:47 -------- d-----w- C:\_OTM
2009-10-25 20:41 . 2009-10-25 20:41 -------- d-----w- c:\program files\Internet Download Manager
2009-10-23 16:47 . 2009-10-23 16:48 -------- d-----w- c:\program files\Unlocker
2009-10-20 23:39 . 2009-10-20 23:39 -------- d-----w- C:\Themes
2009-10-19 04:45 . 2009-10-21 06:05 -------- d-----w- c:\program files\COED11
2009-10-18 03:24 . 2009-10-18 03:24 -------- d-----w- c:\program files\ESET
2009-10-17 22:07 . 2004-08-06 20:49 265785 ----a-w- c:\windows\system32\pixomatic.dll
2009-10-17 22:07 . 2004-10-18 21:04 161280 ----a-w- c:\windows\system32\fmod.dll
2009-10-17 22:07 . 2004-01-06 17:43 188416 ----a-w- c:\windows\system32\eax.dll
2009-10-17 22:07 . 2002-02-01 14:00 22016 ----a-w- c:\windows\system32\borlndmm.dll
2009-10-17 22:07 . 2004-08-18 19:34 442368 ----a-w- c:\windows\system32\vp6vfw.dll
2009-10-17 00:14 . 2009-10-17 00:14 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-10-16 23:49 . 2009-10-16 23:49 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\URSoft
2009-10-16 17:52 . 2009-10-16 17:52 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\Malwarebytes
2009-10-16 17:52 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-16 17:52 . 2009-10-16 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-16 17:52 . 2009-10-16 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 17:52 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 18:15 . 2009-10-14 19:42 -------- d-----w- c:\program files\Real Desktop
2009-10-13 20:52 . 2009-10-13 20:52 -------- d-----w- c:\documents and settings\Herman Nehru\1st Security Agent
2009-10-13 20:52 . 2009-10-13 20:52 -------- d-----w- c:\documents and settings\Guest\1st Security Agent
2009-10-13 20:52 . 2009-10-13 20:52 -------- d-----w- c:\documents and settings\Administrator\1st Security Agent
2009-10-13 20:52 . 2009-10-13 20:52 -------- d-----w- C:\1st Security Agent
2009-10-13 20:52 . 2009-10-13 20:52 -------- d-----w- c:\program files\1st Security Agent
2009-10-13 19:05 . 2009-10-13 20:04 -------- d-----w- c:\program files\HÑÑ
2009-10-13 15:28 . 2009-10-13 15:28 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\WinPatrol
2009-10-13 15:28 . 2009-10-13 15:28 -------- d-----w- c:\program files\BillP Studios
2009-10-12 07:06 . 2009-10-12 07:06 -------- d-----w- c:\program files\PowerISO
2009-10-12 06:18 . 2009-10-12 06:18 -------- d-----w- C:\[Smad-Cage]
2009-10-11 18:02 . 2009-10-11 18:02 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-10 22:48 . 2009-10-10 22:48 -------- d-----w- c:\documents and settings\Herman Nehru\Local Settings\Application Data\WMTools Downloaded Files
2009-10-10 22:19 . 2009-10-10 22:19 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\The Labyrinth Plus! Edition
2009-10-10 16:49 . 2009-10-10 16:49 -------- d-----w- c:\program files\Microsoft Plus!
2009-10-07 02:18 . 2009-10-07 02:18 -------- d-----w- c:\documents and settings\Herman Nehru\Local Settings\Application Data\Google
2009-10-06 23:53 . 2009-10-06 23:53 -------- d-----w- c:\program files\AskPBar
2009-10-06 23:01 . 2009-10-06 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2009-10-06 23:00 . 2009-10-06 23:01 -------- d-----w- c:\program files\Raxco
2009-10-05 05:14 . 2009-10-05 05:14 -------- d-----w- c:\program files\FreeCommander
2009-10-05 04:50 . 2007-12-14 03:13 17264 ----a-w- c:\windows\system32\drivers\mprifl.sys
2009-10-05 04:50 . 2009-10-05 04:50 -------- d-----w- c:\program files\My Lockbox
2009-10-05 02:03 . 2008-06-20 03:28 41984 ----a-w- c:\windows\system32\dwlGina3.dll
2009-10-05 02:03 . 2007-08-20 17:46 3712 ----a-w- c:\windows\system32\dwlkbf.sys
2009-10-05 02:03 . 2009-10-05 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskman9
2009-10-04 06:51 . 2009-10-04 06:51 -------- d-----w- c:\documents and settings\Herman Nehru\Local Settings\Application Data\Thinstall
2009-10-04 06:51 . 2009-10-04 06:51 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\Thinstall
2009-10-04 03:26 . 2009-10-04 03:31 387104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-04 03:23 . 2008-07-08 21:54 148496 ----a-w- c:\windows\system32\drivers\86909831.sys
2009-10-04 03:06 . 2009-10-15 16:03 -------- d-----w- c:\program files\Vista Start Menu
2009-10-03 07:20 . 2009-10-03 07:20 -------- d-----w- c:\documents and settings\Herman Nehru\Local Settings\Application Data\Opera
2009-10-03 07:19 . 2009-10-03 07:19 -------- d-----w- c:\program files\Opera
2009-10-01 06:53 . 2009-10-01 06:53 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-10-01 06:44 . 2009-10-15 16:02 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-01 06:44 . 2009-10-15 16:02 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-01 06:42 . 2009-10-29 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-01 06:42 . 2009-10-01 06:42 -------- d-----w- c:\program files\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 00:24 . 2009-08-08 22:57 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-25 19:37 . 2009-07-13 19:31 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\DMCache
2009-10-24 23:09 . 2009-07-19 19:49 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\COWON
2009-10-24 23:09 . 2009-07-11 22:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-24 23:09 . 2009-07-19 19:47 -------- d-----w- c:\program files\JetAudio
2009-10-24 05:39 . 2009-08-01 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Stardock
2009-10-23 00:01 . 2009-07-11 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-13 23:42 . 2009-08-16 18:02 862136 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-13 19:14 . 2009-07-17 18:13 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\Delicious IE Extension
2009-10-10 20:24 . 2009-07-12 03:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-10 17:23 . 2009-07-20 04:25 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\SoftMaker
2009-10-10 17:22 . 2009-07-19 19:21 -------- d-----w- c:\program files\Flock
2009-10-10 17:22 . 2009-07-19 19:21 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\Flock
2009-10-08 02:52 . 2009-08-24 23:49 -------- d-----w- c:\program files\Styler
2009-10-08 02:51 . 2009-08-23 10:29 -------- d-----w- c:\program files\Gish
2009-10-08 02:50 . 2009-07-14 16:29 -------- d-----w- c:\program files\Mobile Partner
2009-10-04 03:31 . 2009-10-04 03:26 5612 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-04 01:10 . 2009-07-20 05:06 -------- d-----w- c:\program files\Windows Sidebar
2009-10-01 09:03 . 2009-05-24 22:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-10-01 06:38 . 2009-09-09 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-10-01 06:27 . 2009-08-18 22:13 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-01 06:26 . 2009-09-03 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-28 06:44 . 2009-09-12 06:35 -------- d-----w- c:\program files\Youda Camper
2009-09-27 07:39 . 2009-09-27 07:39 -------- d-----w- c:\documents and settings\All Users\Application Data\The Skins Factory
2009-09-27 06:54 . 2009-09-27 06:54 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\Skinux
2009-09-20 00:42 . 2009-09-20 00:42 -------- d-----w- c:\program files\Avatar - Path of Zuko
2009-09-19 20:04 . 2009-09-19 20:01 -------- d-----w- c:\program files\USB Disk Security
2009-09-19 20:01 . 2009-09-19 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Zbshareware Lab
2009-09-19 19:38 . 2009-09-19 19:38 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\Merscom
2009-09-19 19:38 . 2009-09-19 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-09-19 19:38 . 2009-09-19 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2009-09-18 23:24 . 2009-08-08 20:38 -------- d-----w- c:\program files\Altysoft Free Video Converter
2009-09-15 04:51 . 2009-08-17 19:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-15 04:05 . 2009-09-15 04:05 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\360desktop
2009-09-14 03:41 . 2004-08-03 22:56 1580544 ----a-w- c:\windows\system32\SfcFiles.dll
2009-09-14 03:40 . 2004-08-03 22:56 219648 ----a-w- c:\windows\system32\uxtheme.dll
2009-09-14 01:17 . 2009-09-14 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-14 00:56 . 2009-09-14 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-14 00:56 . 2009-09-14 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-14 00:52 . 2009-09-14 00:52 -------- d-----w- c:\program files\NOS
2009-09-13 23:25 . 2009-08-02 16:47 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\PlayFirst
2009-09-13 23:25 . 2009-08-02 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-09-13 04:44 . 2009-09-13 04:44 -------- d-----w- c:\program files\Appwalk.com Technologies Canada
2009-09-12 15:44 . 2009-08-03 17:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:33 . 2004-08-03 22:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 10:43 . 2009-09-16 12:26 210352 ----a-w- c:\windows\system32\idmmbc.dll
2009-09-08 06:28 . 2009-09-08 06:28 288256 ----a-w- c:\windows\system32\fmodex.dll
2009-09-08 01:23 . 2009-09-08 01:21 -------- d-----w- c:\program files\Cheatbook Database 2009
2009-09-05 18:39 . 2009-09-05 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-09-05 18:39 . 2009-07-12 00:49 -------- d-----w- c:\program files\PopCap Games
2009-09-05 03:04 . 2009-09-04 18:15 -------- d-----w- c:\program files\Training Manager 2008 Enterprise
2009-09-05 02:55 . 2009-09-05 02:55 -------- d-----w- c:\documents and settings\Guest\Application Data\Windows Desktop Search
2009-09-04 22:13 . 2009-08-30 09:03 7 ----a-w- c:\windows\sbacknt.bin
2009-09-04 20:45 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 18:15 . 2009-09-04 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\TrainingManager
2009-09-03 21:59 . 2009-07-12 00:40 -------- d-----w- c:\program files\Tumblebugs 2
2009-09-03 07:47 . 2009-09-03 05:54 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-02 16:47 . 2009-09-02 16:24 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\CheckPoint
2009-09-01 23:25 . 2009-07-12 01:36 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-09-01 06:21 . 2009-09-01 06:21 -------- d-----w- c:\program files\Alwil Software
2009-08-31 19:13 . 2009-07-12 00:22 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\Ahead
2009-08-31 17:21 . 2009-08-31 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-31 17:09 . 2009-08-29 22:30 -------- d-----w- c:\program files\Common Files\BitDefender
2009-08-31 17:07 . 2009-08-30 05:21 81984 ----a-w- c:\windows\system32\bdod.bin
2009-08-31 01:19 . 2009-08-31 01:19 -------- d-----w- c:\program files\MSXML 4.0
2009-08-31 00:05 . 2009-08-30 08:44 -------- d-----w- c:\documents and settings\Herman Nehru\Application Data\vghd
2009-08-30 08:44 . 2009-08-30 08:34 152904 ----a-w- c:\windows\system32\vghd.scr
2009-08-30 05:22 . 2009-08-30 05:22 132 ----a-w- C:\httpdwl.dat
2009-08-29 08:08 . 2004-08-03 22:56 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:16 . 2004-08-03 22:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 22:51 . 2009-07-11 20:49 126464 ----a-w- c:\windows\system32\RTPScan.dll
2009-08-21 05:35 . 2009-07-11 22:59 76528 ----a-w- c:\documents and settings\Herman Nehru\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 04:46 . 2009-08-14 16:50 2119680 ----a-w- c:\documents and settings\Herman Nehru\Local Settings\Application Data\cooliris-win-ie-release-1.11.2.27471.en-US.msi
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-17 03:35 . 2009-08-17 03:35 272868 ----a-w- c:\windows\system32\Windows XP Media Center Edition Screen Saver.scr
2009-08-15 02:23 . 2001-08-23 11:00 25600 ----a-w- c:\windows\twunk_32.exe
2009-08-11 01:57 . 2009-08-11 01:57 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-08-11 01:57 . 2009-08-11 01:57 362240 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-07 02:24 . 2009-07-11 22:07 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2009-07-11 22:07 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2009-07-19 23:38 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2009-07-11 22:07 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2009-07-11 22:07 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-03 22:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2009-07-11 22:07 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-07-26 04:45 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2009-07-11 22:07 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 02:23 . 2008-10-16 21:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 19:38 . 2008-05-29 11:41 13537280 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-06 18:29 . 2009-07-11 14:58 69120 ----a-w- c:\windows\NOTEPAD.EXE
2009-08-05 09:11 . 2004-08-03 22:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 13:58 . 2004-08-03 21:18 2136064 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2015744 ------w- c:\windows\system32\ntkrnlpa.exe
2009-03-16 21:35 . 2009-03-16 21:35 525128 ----a-w- c:\program files\DXSETUP.exe
2009-03-16 21:35 . 2009-03-16 21:35 94024 ----a-w- c:\program files\DSETUP.dll
.

------- Sigcheck -------

[-] 2009-09-14 . 1186FB2F052E4890C6C23F420F4BE1BC . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\SfcFiles.dll
[-] 2009-09-14 . 1186FB2F052E4890C6C23F420F4BE1BC . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-10-28_19.13.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 11:00 . 2009-10-28 15:30 79360 c:\windows\system32\perfc009.dat
+ 2001-08-23 11:00 . 2009-10-29 17:31 79360 c:\windows\system32\perfc009.dat
+ 2001-08-23 11:00 . 2009-10-29 17:31 465640 c:\windows\system32\perfh009.dat
- 2001-08-23 11:00 . 2009-10-28 15:30 465640 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13537280]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-29 86016]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-06-05 821768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-12 1028096]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-09-12 811008]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-05-25 303376]
"flockbox"="c:\program files\My Lockbox\flockbox.exe" [2007-12-14 1071472]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"00saskda"="c:\program files\1st Security Agent\newlock.exe" [2009-06-18 1457344]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-29 1630208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-05-13 16862720]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Hyperdesk_uninst0.lnk - c:\documents and settings\All Users\Application Data\The Skins Factory\Hyperdesk\HyperdeskEngine.exe [2009-9-27 1273856]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
Hyperdesk_uninst0.lnk - c:\documents and settings\All Users\Application Data\The Skins Factory\Hyperdesk\HyperdeskEngine.exe [2009-9-27 1273856]

c:\documents and settings\Herman Nehru\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-8-24 3581680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-11 576104]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)
"HideShutdownScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoWelcomeScreen"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)
"HideSCANetwork"= 0 (0x0)
"HideSCAPower"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 1 (0x1)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 22:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fsproflt]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Herman Nehru^Start Menu^Programs^Startup^DesktopVideoPlayer.LNK]
backup=c:\windows\pss\DesktopVideoPlayer.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Herman Nehru^Start Menu^Programs^Startup^Styler.lnk]
backup=c:\windows\pss\Styler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [8/19/2009 22:23 43792]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 20:41 33808]
R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [10/4/2009 21:50 17264]
R2 DeskSaverService;DeskSaverService;c:\program files\1st Security Agent\newlock.exe [10/13/2009 13:52 1457344]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [8/19/2009 22:23 73392]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [8/10/2009 18:57 603904]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 20:59 19472]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [7/11/2009 15:28 154624]
S2 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\RTPSvc.exe --> c:\windows\system32\RTPSvc.exe [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [7/13/2009 18:21 36608]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/3/2004 15:56 14336]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\windows\TEMP\drv1.tmp --> c:\windows\TEMP\drv1.tmp [?]
S3 plkusbser;PROLiNKU6 USB Device for Legacy Serial Communication;c:\windows\system32\drivers\plkusbser.sys [7/11/2009 15:56 99456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
"c:\program files\Windows Sidebar\sidebar.exe" /RegServer
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 23:28]

2009-10-29 c:\windows\Tasks\User_Feed_Synchronization-{E3CD1275-2939-4B63-B05D-BE902B8818D5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.id/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Herman Nehru\Application Data\Mozilla\Firefox\Profiles\nk4rik1i.default\
FF - prefs.js: keyword.URL - hxxp://ide.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_ide&p=
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Herman Nehru\Application Data\Mozilla\Firefox\Profiles\nk4rik1i.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\NPOFF12.DLL
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\nppl3260.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 10:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NTProcDrv]
"ImagePath"="\??\c:\windows\TEMP\drv1.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
.
Completion time: 2009-10-29 10:40
ComboFix-quarantined-files.txt 2009-10-29 17:40
ComboFix2.txt 2009-10-28 19:18
ComboFix3.txt 2009-10-22 17:09
ComboFix4.txt 2009-10-15 21:51

Pre-Run: 29,084,151,808 bytes free
Post-Run: 29,036,077,056 bytes free

- - End Of File - - CABB899D675E62AB98D338803BC2346F
Old 10-30-2009, 02:17 PM   #32 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

Hello.

I apologize for the delay.

Yup, those look good. Let's run one last online scan, just to make sure all is good, and a new scan to see your machine, and we'll be good if all is good, of course.

Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply.

Thanks.

With Regards,
Extremeboy
Old 10-31-2009, 04:51 AM   #33 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 28
OS: xp


Re: Cannot delete file AUTORUN.INF

Hello EB,

I have scanned using ESET, but no infection was found in my system, so there is no 'List of Found Threats' button.

The following is DDS scan result. How does it look here?

Best Regards,


DDS (Ver_09-10-13.01) - NTFSx86
Run by Herman Nehru at 18:03:19.70 on Sat 10/31/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1790.1119 [GMT -7:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\1st Security Agent\newlock.exe
C:\WINDOWS\system32\fsproflt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\DOCUME~1\HERMAN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\1st Security Agent\newlock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\PROLINK\PHS100\PROLINK HSDPA Modem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Raxco\PerfectDisk10\PerfectDisk.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Herman Nehru\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.id/
mURLSearchHooks: H - No File
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: CDelHotkeys Object: {78875f5c-a685-4405-8dc5-d48dc65452b0} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
BHO: Ask Toolbar BHO: {f4d76f01-7896-458a-890f-e1f05c46069f} - c:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Delicious Toolbar: {61d1c847-df80-423a-8c6d-dc03b97e6ebe} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Ask Toolbar: {f4d76f09-7896-458a-890f-e1f05c46069f} - c:\program files\askpbar\bar\1.bin\ASKPBAR.DLL
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [flockbox] c:\program files\my lockbox\flockbox.exe /a
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [00saskda] "c:\program files\1st security agent\newlock.exe" saskda
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
StartupFolder: c:\docume~1\herman~1\startm~1\programs\startup\stardock objectdock.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoChangeAnimation = 0 (0x0)
uPolicies-explorer: RestrictCpl = 0 (0x0)
uPolicies-explorer: DisallowCpl = 0 (0x0)
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-explorer: ForceRecycleBinSize = 0 (0x0)
uPolicies-explorer: NoCustomizeWebView = 0 (0x0)
uPolicies-explorer: NoFileAssociate = 0 (0x0)
uPolicies-explorer: NoDFSTab = 0 (0x0)
uPolicies-explorer: NoInstrumentation = 0 (0x0)
uPolicies-explorer: NoCustomizeThisFolder = 0 (0x0)
uPolicies-explorer: NoWebView = 0 (0x0)
uPolicies-explorer: DontShowSuperHidden = 0 (0x0)
uPolicies-explorer: NoOnlinePrintsWizard = 0 (0x0)
uPolicies-explorer: NoPublishingWizard = 0 (0x0)
uPolicies-explorer: NoSMConfigurePrograms = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
uPolicies-explorer: NoHelp = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
uPolicies-explorer: NoStartMenuEjectPC = 0 (0x0)
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
uPolicies-explorer: NoDisconnect = 0 (0x0)
uPolicies-explorer: NoNtSecurity = 0 (0x0)
uPolicies-explorer: GreyMSIAds = 0 (0x0)
uPolicies-explorer: ForceMaxRecentDocs = 0 (0x0)
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoSMBalloonTips = 0 (0x0)
uPolicies-explorer: HideSCAVolume = 0 (0x0)
uPolicies-explorer: HideSCANetwork = 0 (0x0)
uPolicies-explorer: HideSCAPower = 0 (0x0)
uPolicies-explorer: NoTaskGrouping = 0 (0x0)
uPolicies-explorer: NoWebServices = 0 (0x0)
uPolicies-explorer: NoFileUrl = 0 (0x0)
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: PromptRunasInstallNetPath = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 0 (0x0)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: ForceCopyAclwithFile = 0 (0x0)
uPolicies-explorer: StartRunNoHOMEPATH = 0 (0x0)
mPolicies-explorer: <NO NAME> =
mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
mPolicies-explorer: NoSMMyPictures = 0 (0x0)
mPolicies-explorer: NoWelcomeScreen = 0 (0x0)
mPolicies-system: <NO NAME> =
mPolicies-system: HideFastUserSwitching = 0 (0x0)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/V6/V5Controls/en/x86/client/wuweb_site.cab?1247595412296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248583003125
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
AppInit_DLLs: c:\progra~1\kaspersky lab\kaspersky internet security 2010\kloehk.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\herman~1\applic~1\mozilla\firefox\profiles\nk4rik1i.default\
FF - prefs.js: keyword.URL - hxxp://ide.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_ide&p=
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\herman nehru\application data\mozilla\firefox\profiles\nk4rik1i.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\NPOFF12.DLL
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\nppl3260.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2009-8-19 43792]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2009-10-4 17264]
R2 DeskSaverService;DeskSaverService;c:\program files\1st security agent\newlock.exe [2009-10-13 1457344]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2009-8-19 73392]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-8-10 603904]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
R3 plkusbser;PROLiNKU6 USB Device for Legacy Serial Communication;c:\windows\system32\drivers\plkusbser.sys [2009-7-11 99456]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-7-11 154624]
S2 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\rtpsvc.exe --> c:\windows\system32\RTPSvc.exe [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-7-13 36608]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-3 14336]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\windows\temp\drv1.tmp --> c:\windows\temp\drv1.tmp [?]

=============== Created Last 30 ================

2009-10-30 22:08 <DIR> --d----- c:\program files\Orbitdownloader
2009-10-29 10:24 77,312 a------- c:\windows\MBR.exe
2009-10-26 09:47 <DIR> --d----- C:\_OTM
2009-10-23 09:47 <DIR> --d----- c:\program files\Unlocker
2009-10-22 09:54 <DIR> a-d--r-- C:\autorun.inf
2009-10-20 16:39 <DIR> --d----- C:\Themes
2009-10-18 21:45 <DIR> --d----- c:\program files\COED11
2009-10-17 20:24 <DIR> --d----- c:\program files\ESET
2009-10-17 15:07 265,785 a------- c:\windows\system32\pixomatic.dll
2009-10-17 15:07 161,280 a------- c:\windows\system32\fmod.dll
2009-10-17 15:07 188,416 a------- c:\windows\system32\eax.dll
2009-10-17 15:07 22,016 a------- c:\windows\system32\borlndmm.dll
2009-10-17 15:07 442,368 a------- c:\windows\system32\vp6vfw.dll
2009-10-16 16:49 <DIR> --d----- c:\docume~1\herman~1\applic~1\URSoft
2009-10-16 10:52 <DIR> --d----- c:\docume~1\herman~1\applic~1\Malwarebytes
2009-10-16 10:52 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-16 10:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-16 10:52 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-16 10:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 14:32 <DIR> a-dshr-- C:\cmdcons
2009-10-15 13:59 236,544 a------- c:\windows\PEV.exe
2009-10-15 13:59 161,792 a------- c:\windows\SWREG.exe
2009-10-15 13:59 98,816 a------- c:\windows\sed.exe
2009-10-14 11:15 <DIR> --d----- c:\program files\Real Desktop
2009-10-13 13:52 <DIR> --d----- c:\documents and settings\herman nehru\1st Security Agent
2009-10-13 13:52 <DIR> --d----- C:\1st Security Agent
2009-10-13 13:52 <DIR> --d----- c:\program files\1st Security Agent
2009-10-13 12:05 <DIR> --d----- c:\program files\HÑÑ
2009-10-13 08:28 <DIR> --d----- c:\docume~1\herman~1\applic~1\WinPatrol
2009-10-13 08:28 <DIR> --d----- c:\program files\BillP Studios
2009-10-12 00:06 <DIR> --d----- c:\program files\PowerISO
2009-10-11 23:18 <DIR> --d----- C:\[Smad-Cage]
2009-10-10 15:19 <DIR> --d----- c:\docume~1\herman~1\applic~1\The Labyrinth Plus! Edition
2009-10-10 15:19 0 a------- c:\windows\RussSqr.INI
2009-10-10 09:49 <DIR> --d----- c:\program files\Microsoft Plus!
2009-10-07 19:55 68 a------- c:\windows\MyProg.ini
2009-10-06 16:53 <DIR> --d----- c:\program files\AskPBar
2009-10-06 16:00 <DIR> --d----- c:\program files\Raxco
2009-10-04 22:14 <DIR> --d----- c:\program files\FreeCommander
2009-10-04 21:50 17,264 a------- c:\windows\system32\drivers\mprifl.sys
2009-10-04 21:50 <DIR> --d----- c:\program files\My Lockbox
2009-10-04 19:03 41,984 a------- c:\windows\system32\dwlGina3.dll
2009-10-04 19:03 3,712 a------- c:\windows\system32\dwlkbf.sys
2009-10-04 19:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Deskman9
2009-10-03 23:51 <DIR> --d----- c:\docume~1\herman~1\applic~1\Thinstall
2009-10-03 20:26 387,104 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-03 20:26 5,612 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-10-03 20:23 148,496 a------- c:\windows\system32\drivers\86909831.sys
2009-10-03 20:06 <DIR> --d----- c:\program files\Vista Start Menu

==================== Find3M ====================

2009-10-15 09:02 108,059 a------- c:\windows\system32\drivers\klin.dat
2009-10-15 09:02 95,259 a------- c:\windows\system32\drivers\klick.dat
2009-10-01 02:03 128,016 a------- c:\windows\system32\drivers\kl1.sys
2009-09-30 23:53 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
2009-09-30 23:27 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-13 20:41 1,580,544 a------- c:\windows\system32\SfcFiles.dll
2009-09-13 20:40 219,648 a------- c:\windows\system32\uxtheme.dll
2009-09-11 07:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-07 23:28 288,256 a------- c:\windows\system32\fmodex.dll
2009-09-04 13:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-03 00:47 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-31 10:07 81,984 a------- c:\windows\system32\bdod.bin
2009-08-30 01:44 152,904 a------- c:\windows\system32\vghd.scr
2009-08-29 22:22 132 a------- C:\httpdwl.dat
2009-08-29 01:08 916,480 -------- c:\windows\system32\wininet.dll
2009-08-26 01:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-21 15:51 126,464 a------- c:\windows\system32\RTPScan.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-16 20:35 272,868 a------- c:\windows\system32\Windows XP Media Center Edition Screen Saver.scr
2009-08-14 19:23 25,600 a------- c:\windows\twunk_32.exe
2009-08-10 18:57 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-08-10 18:57 362,240 a------- c:\windows\system32\TuneUpDefragService.exe
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-06 12:38 13,537,280 a------- c:\windows\system32\nvcpl.dll
2009-08-06 11:29 69,120 a------- c:\windows\NOTEPAD.EXE
2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 06:58 2,136,064 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 06:13 2,015,744 -------- c:\windows\system32\ntkrnlpa.exe
2009-03-16 14:35 525,128 a------- c:\program files\DXSETUP.exe
2009-03-16 14:35 94,024 a------- c:\program files\DSETUP.dll

============= FINISH: 18:04:01.25 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-13.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/11/2009 15:12:00
System Uptime: 10/31/2009 15:43:15 (3 hours ago)

Motherboard: Acer, Inc. | | Grasmoor
Processor: AMD Turion(tm) X2 Dual-Core Mobile RM-72 | Socket M2/S1G1 | 2100/133mhz
Processor: AMD Turion(tm) X2 Dual-Core Mobile RM-72 | Socket M2/S1G1 | 1092/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 26.979 GiB free.
D: is FIXED (NTFS) - 99 GiB total, 18.009 GiB free.
F: is CDROM ()
G: is CDROM ()
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_1684&SUBSYS_014A1025&REV_10\4&2CBACCCA&0&0098
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_1684&SUBSYS_014A1025&REV_10\4&2CBACCCA&0&0098
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Atheros AR5B91 Wireless Network Adapter
Device ID: PCI\VEN_168C&DEV_002A&SUBSYS_03031A32&REV_01\4&2C3DDF0&0&00A8
Manufacturer: Atheros
Name: Atheros AR5B91 Wireless Network Adapter
PNP Device ID: PCI\VEN_168C&DEV_002A&SUBSYS_03031A32&REV_01\4&2C3DDF0&0&00A8
Service: AR5416

Class GUID:
Description:
Device ID: ROOT\GR_AVGFWMP\SYSTEM
Manufacturer:
Name:
PNP Device ID: ROOT\GR_AVGFWMP\SYSTEM
Service:

==== System Restore Points ===================

RP1: 10/15/2009 13:59:47 - System Checkpoint
RP2: 10/15/2009 21:42:16 - Software Distribution Service 3.0
RP3: 10/16/2009 16:43:21 - Systweak System Optimizer Fri, Oct 16, 09 16:43
RP4: 10/16/2009 17:13:25 - Software Distribution Service 3.0
RP5: 10/17/2009 15:24:34 - Installed DirectX 9.0
RP6: 10/18/2009 01:05:58 - Software Distribution Service 3.0
RP7: 10/18/2009 17:58:30 - Software Distribution Service 3.0
RP8: 10/18/2009 23:46:20 - Software Distribution Service 3.0
RP9: 10/22/2009 10:00:10 - ComboFix created restore point
RP10: 10/22/2009 17:00:19 - Software Distribution Service 3.0
RP11: 10/22/2009 23:14:28 - Software Distribution Service 3.0
RP12: 10/24/2009 16:09:14 - Removed COWON Media Center - jetAudio Basic
RP13: 10/28/2009 12:09:08 - ComboFix created restore point

==== Installed Programs ======================



.NETSpeedBoost 6.5 Professional Edition
1st Security Agent
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.3
Advanced System Optimizer
Alky for Applications (Windows XP)
Altysoft Free Video Converter 2.1
Ask Toolbar
Atheros for Acer Driver 5.3.0.67_Foxconn Installation Program
Avatar - Path of Zuko
biohazard 4
CCleaner
Cheatbook Database 2009
Concise Oxford English Dictionary (Eleventh Edition)
Cooliris for Internet Explorer
Delicious Add-on for Internet Explorer
Delta Force - Black Hawk Down
ESET Online Scanner v3
Foxit PDF Editor
Free Unit Converter 2.11
FreeCommander 2009.02
Gadget Extractor
Google Chrome
HDAUDIO Soft Data Fax Modem with SmartCP
Hide Folders 2009 3.2 for Windows XP/Vista
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
K-Lite Codec Pack 5.0.0 (Full)
Kaspersky Internet Security 2010
Launch Manager
LG PC Suite
LG USB Modem driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! for Windows XP
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Theme Nunavut
Monopoly by Parker Brothers
Mozilla Firefox (3.5.4)
Mozilla Thunderbird (2.0.0.22)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
My Lockbox 1.2 for Windows 2000/XP
Need for Speed™ Most Wanted
Nero 7 Essentials
Norton 360
NVIDIA Drivers
ObjectDock Plus
Opera 10.00
Orbit Downloader
PC Connectivity Solution
PerfectDisk 10 Professional
Photo Story 3 for Windows
PHS100
Plants vs. Zombies
RocketDock 1.3.5
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
SamsungConnectivityCableDriver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Snagit 9.1.2
Synaptics Pointing Device Driver
TuneUp Utilities 2009
Tweak UI
UberIcon 1.0.4
Uniblue DriverScanner 2009
Uniblue RegistryBooster 2009
Uniblue SpeedUpMyPC 2009
Unlocker 1.8.7
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (KB974810)
Update for Windows Internet Explorer 8 (KB971930)
USB 2.0 Card Reader
USB Disk Security 5.2.0.5
VC 9.0 Runtime
WebFldrs XP
WIDCOMM Bluetooth Software
Winamp
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Sidebar
WinPatrol 2009
WinRAR archiver
WinZip 12.0
Yahoo! Widgets

==== Event Viewer Messages From Past Week ========

10/28/2009 12:10:41, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/28/2009 12:10:41, error: PlugPlayManager [11] - The device Root\LEGACY_UNLOCKERDRIVER5\0000 disappeared from the system without first being prepared for removal.
10/28/2009 12:09:38, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
10/28/2009 12:09:38, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
10/28/2009 12:09:38, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
10/26/2009 09:47:42, error: Service Control Manager [7034] - The TuneUp Program Statistics Service service terminated unexpectedly. It has done this 1 time(s).
10/26/2009 09:47:42, error: Service Control Manager [7034] - The PDAgent service terminated unexpectedly. It has done this 1 time(s).
10/26/2009 09:47:42, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
10/26/2009 09:47:42, error: Service Control Manager [7034] - The FSPro Filter Service service terminated unexpectedly. It has done this 1 time(s).
10/26/2009 09:47:42, error: Service Control Manager [7034] - The DeskSaverService service terminated unexpectedly. It has done this 1 time(s).
10/26/2009 09:47:42, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/25/2009 18:18:06, error: Service Control Manager [7000] - The PCMAV RealTime Protector Service service failed to start due to the following error: The system cannot find the file specified.
10/25/2009 17:14:59, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
10/25/2009 13:44:18, error: Srv [2000] - The server's call to a system service failed unexpectedly.
10/25/2009 11:18:23, error: DCOM [10000] - Unable to start a DCOM Server: {AC746233-E9D3-49CD-862F-068F7B7CCCA4}. The error: "%5" Happened while starting this command: C:\Program Files\Internet Download Manager\IDMan.exe -Embedding
10/24/2009 11:15:58, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Internet Download Manager\IDMan.exe. Reference error message: The operation completed successfully. .
10/24/2009 11:15:58, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Internet Download Manager\IDMan.exe" on line 0.
10/24/2009 11:15:58, error: DCOM [10000] - Unable to start a DCOM Server: {AC746233-E9D3-49CD-862F-068F7B7CCCA4}. The error: "%14001" Happened while starting this command: C:\Program Files\Internet Download Manager\IDMan.exe -Embedding

==== End Of File ===========================
rappokalling is offline  
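The SERVICES / DRIVERS section of the DDS log above has a fixed line shape: an R (running) or S (stopped) marker with the start-type digit, then `name;display name;image path`, then `[date size]` or `[?]` when DDS could not find the image on disk. As an added example, not part of the thread or of the DDS tool, this Python snippet parses lines in that shape and flags the entries an analyst would check first: images DDS could not find (the PCMAVRTPService entry, which matches the "cannot find the file specified" Event Viewer line in the same log) and images located under a temp directory. The sample lines are copied from the log above; the flag rules are my own triage heuristics, not anything DDS itself reports.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: five lines copied in the shape of the DDS
# "SERVICES / DRIVERS" section posted above (names and paths as they appear there).
SAMPLE_LOG = """\
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\\windows\\system32\\drivers\\klbg.sys [2008-12-15 33808]
R2 fsproflt;FSPro Filter Service;c:\\windows\\system32\\fsproflt.exe [2009-8-19 73392]
S2 PCMAVRTPService;PCMAV RealTime Protector Service;c:\\windows\\system32\\rtpsvc.exe --> c:\\windows\\system32\\RTPSvc.exe [?]
S3 getPlusHelper;getPlus(R) Helper;c:\\windows\\system32\\svchost.exe -k getPlusHelper [2004-8-3 14336]
S3 NTProcDrv;Process creation detector for NT.;\\??\\c:\\windows\\temp\\drv1.tmp --> c:\\windows\\temp\\drv1.tmp [?]
"""

# Windows service start types as DDS prints them (the digit after R/S).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# One DDS service line: R = running / S = stopped, start-type digit, then
# "name;display name;image path [date size]" where "[?]" means DDS could not
# find the image file on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    path: str
    file_found: bool
    flags: list = field(default_factory=list)


def parse_dds_services(text):
    """Parse the SERVICES / DRIVERS lines of a DDS log into ServiceEntry objects."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, anything not a service line
        path = m.group("path")
        # DDS prints "registered --> resolved" when the registry value and the
        # path it actually checked differ; keep the resolved (right-hand) one.
        if "-->" in path:
            path = path.split("-->")[-1].strip()
        entries.append(ServiceEntry(
            name=m.group("name"),
            display=m.group("display"),
            running=m.group("state") == "R",
            start_type=START_TYPES.get(m.group("start"), "unknown"),
            path=path,
            file_found=m.group("meta") != "?",
        ))
    return entries


def triage(entries):
    """Attach review flags (my own heuristics) to entries worth a closer look; return only those."""
    for e in entries:
        lowered = e.path.lower()
        if not e.file_found:
            # Pairs with Event Viewer "failed to start ... cannot find the file specified".
            e.flags.append("image file not found on disk")
        if "\\temp\\" in lowered or "\\tmp\\" in lowered:
            e.flags.append("image lives in a temp directory")
        if lowered.endswith(".tmp"):
            e.flags.append("driver/service image has a .tmp extension")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for entry in triage(parse_dds_services(SAMPLE_LOG)):
        state = "running" if entry.running else "stopped"
        print(f"{entry.name} ({state}, start={entry.start_type}): {entry.path}")
        for flag in entry.flags:
            print(f"    - {flag}")
```

A flag is a prompt to look, not a verdict: the thread's analyst reviewed this same log and judged it clean, so the output only tells you where to spend review time first.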
Old 10-31-2009, 11:36 AM   #34 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

Yup. That looks good. The ESET log can actually be found in the C:\Program Files\ESET Folder but if nothing was detected I don't really need to see the log anymore.

It is recommended that you update your Windows XP to Service Pack 3.

You can do that when you have time via Windows Updates or manually from here: http://support.microsoft.com/kb/322389

We can cleanup now though.

Let's cleanup our mess and remove the tools we have used.

Please follow/read the steps below to remove the tools we used and for some more information. :)

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".

  • When shown the disclaimer, Select "2"
This will remove files/folders associated with combofix and uninstall it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System A bit Slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in this thread (PC running slow...?)



Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, then here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:


Glad I was able to help and thank you for choosing TechSupportForum as your malware removal source.
Don't forget to tell your friends about us, and good luck.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy
extremeboy is offline  
Old 10-31-2009, 09:24 PM   #35 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 28
OS: xp


Re: Cannot delete file AUTORUN.INF

Thank you very much for all the help, EB,

It seems one more thing ... when trying to run 'ComboFix /u' .... a popup message says: 'Windows cannot find ComboFix. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search'.

Is that okay? You know I saved ComboFix on my drive D. Should I delete it manually due to the above condition?

I have used OTC by OldTimer and it's done.

If nothing is wrong up to this point, well I would like to express appreciation to you and all guys in this forum.

Right now, I have more questions, but they might belong in another topic.


Best Regards
rappokalling is offline  
Old 11-02-2009, 02:34 PM   #36 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

Apologies about that. Combofix should be on your desktop but that seems to be the old instructions. I remember changing it but forgot to on this site.. Anyways, Combofix could have been removed like this, for future reference or something...



Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

--

Since you already ran OTC, manually purge a system restore point...

Create a New System Restore Point <- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Let me know if there's anything else. If not, I'll let a mod know so they can move this topic away.

Cheers.

~EB
extremeboy is offline  
Old 11-02-2009, 06:35 PM   #37 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 28
OS: xp


Re: Cannot delete file AUTORUN.INF

Hello EB,

Finally, it's done.

Well, I would like to express my deep appreciation to you for helping me settle this problem in my system. It is such a great learning and new experience I have had since I joined this forum.

Thank you once again and wish this forum may even be better in the future. ...... keep up with the good work guys.

Best Regards from Indonesia,
rappokalling is offline  
Old 11-03-2009, 01:54 PM   #38 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

No problem.

Glad we were able to help out. Thanks for your kind words, it's appreciated. :)

Happy surfing again and good luck in the future!

Take care,
Extremeboy
extremeboy is offline  
Old 11-03-2009, 01:55 PM   #39 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A


Re: Cannot delete file AUTORUN.INF

Hello.

Since this issue appears resolved, this topic will now be archived.
If you need continued support, please begin a new thread, and provide a link to this topic if needed.

This applies only to the original topic starter.

Everyone else please begin a New Topic in the Virus/Trojan/Spyware Help by following the steps outlined over here

Good luck!

With Regards,
Extremeboy
extremeboy is offline  
Copyright 2001 - 2009, Tech Support Forum