Solved Browser Hijacked Randomly

Bootkit

It displayed a warning message saying it will use SCSI instead of ATA.
I was able to copy paste the following:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows 7 Ultimate Edition (build 7600), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive1 at offset 0x00000000`06500000
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
29 GB \\.\PhysicalDrive1 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit..

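As an added example (not code from this thread or from eSage Lab's Bootkit Remover), the script below reproduces the kind of check behind the output above: it hashes the 512-byte boot sector, confirms the 0x55AA signature, looks for the stock Windows boot-code strings behind a "DOS/Win32 Boot code found" verdict, and decodes the partition table. The MBR image it inspects and the known-good hash set are constructed for the example; on a real system a defender would feed it the first sector read from the physical drive.

```python
"""Inspect a 512-byte MBR image the way a bootkit scanner's summary line does.

Added example, not part of the forum thread or of Bootkit Remover. The sample
MBR is constructed here; KNOWN_GOOD_MD5 is a placeholder a defender fills from
sectors verified clean on their own hardware (golden images).
"""
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16             # four entries, bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511
STANDARD_VERDICT = "DOS/Win32 Boot code found"

# Error strings embedded in the stock Windows MBR boot code. Their presence is
# only a heuristic: a bootkit can keep them, so hash comparison against a
# golden image (see inspect_mbr) is the stronger check.
STANDARD_BOOT_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries, skipping empty ones (type 0x00)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0x00:
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "size_gb": round(sectors * SECTOR_SIZE / 2**30, 2),
        })
    return parts


def classify_boot_code(mbr: bytes) -> str:
    """Heuristic classification of the 446-byte boot-code region."""
    code = mbr[:PART_TABLE_OFFSET]
    if all(s in code for s in STANDARD_BOOT_STRINGS):
        return STANDARD_VERDICT
    if not any(code):
        return "Empty boot code"
    return "Unknown boot code"


def inspect_mbr(mbr: bytes, known_good: Optional[set] = None) -> dict:
    """Return an MBR report: md5, signature check, boot-code class, partitions, verdict."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    md5 = hashlib.md5(mbr).hexdigest()
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    boot_code = classify_boot_code(mbr)
    if known_good is not None and md5 in known_good:
        verdict = "OK (matches known-good hash)"     # strongest evidence
    elif signature_ok and boot_code == STANDARD_VERDICT:
        verdict = "OK (standard boot code)"          # heuristic evidence only
    else:
        verdict = "SUSPICIOUS"
    return {"md5": md5, "signature_ok": signature_ok, "boot_code": boot_code,
            "partitions": parse_partitions(mbr), "verdict": verdict}


def build_sample_mbr(boot_code: Optional[bytes] = None) -> bytes:
    """Constructed sample: stock-looking boot code plus one active NTFS partition
    of 62,500,000 sectors (about 29.8 GiB, like the thread's system volume)."""
    if boot_code is None:
        boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 300   # fake code prologue
        boot_code += b"\x00".join(STANDARD_BOOT_STRINGS)
    boot_code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 62_500_000)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr()
    # Same partition table, but the boot code has been replaced: the verdict flips.
    tampered = build_sample_mbr(boot_code=b"\xeb\xfe" + b"\x00" * 10)
    golden = {hashlib.md5(clean).hexdigest()}        # placeholder golden-image set
    for label, sector in (("clean", clean), ("tampered", tampered)):
        r = inspect_mbr(sector, known_good=golden)
        print(f"{label}: MD5 {r['md5']} | {r['boot_code']} | {r['verdict']}")
        for p in r["partitions"]:
            print(f"  part {p['index']}: type 0x{p['type']:02x} "
                  f"{'active' if p['bootable'] else 'inactive'} {p['size_gb']} GB")
```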
 
That looks good :)

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL

Hi Broni,

I tried running OTL, but it hangs when scanning the system32\drivers directory. I tried several times and left it running for several hours, and it still hangs. Let me know if I should try to run it in safe mode.

Thank you,

Stat1
 
Hi Broni

I skipped that line as you said, and it still hung on the previous line:
%systemroot%\system32\system32\*.*
So I removed that one too, then it hung on the one before that:
%ALLUSERSPROFILE%\*.dat /x
So I removed that one too, and again it hung on C:\Windows\

I give up :) Could be something wrong with OTL.

Otherwise the computer is working fine (no more redirections at all).

Stat1
 
OTL Part 1

zOTL logfile created on: 4/11/2011 11:39:52 - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Nader\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 60.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 29.72 Gb Total Space | 1.07 Gb Free Space | 3.62% Space Free | Partition Type: NTFS
Drive D: | 882.68 Gb Total Space | 123.52 Gb Free Space | 13.99% Space Free | Partition Type: NTFS
Drive E: | 698.64 Gb Total Space | 8.82 Gb Free Space | 1.26% Space Free | Partition Type: NTFS
Drive F: | 48.83 Gb Total Space | 1.80 Gb Free Space | 3.69% Space Free | Partition Type: NTFS
Drive G: | 530.93 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 931.51 Gb Total Space | 67.82 Gb Free Space | 7.28% Space Free | Partition Type: NTFS
Drive I: | 1.46 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive K: | 1863.01 Gb Total Space | 88.43 Gb Free Space | 4.75% Space Free | Partition Type: NTFS

Computer Name: WINDOWS7 | User Name: Nader | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/07 22:53:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Nader\Desktop\OTL.exe
PRC - [2011/03/25 20:49:22 | 000,399,736 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2011/03/23 00:55:40 | 015,921,152 | ---- | M] (SugarSync, Inc.) -- D:\Program Files\SugarSync\SugarSyncManager.exe
PRC - [2011/03/04 14:37:00 | 000,135,336 | ---- | M] (Avira GmbH) -- D:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/04 14:36:52 | 000,269,480 | ---- | M] (Avira GmbH) -- D:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/03/04 14:36:51 | 000,281,768 | ---- | M] (Avira GmbH) -- D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011/02/15 01:02:38 | 002,771,968 | ---- | M] (SoftPerfect Research) -- D:\Program Files\NetWorx\networx.exe
PRC - [2011/01/17 16:07:04 | 000,355,432 | ---- | M] () -- D:\Program Files\EVGA Precision\EVGAPrecision.exe
PRC - [2011/01/13 15:17:26 | 001,589,208 | ---- | M] (PC Tools) -- D:\Program Files\Spyware Doctor\pctsGui.exe
PRC - [2011/01/07 22:06:12 | 000,803,432 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
PRC - [2011/01/07 14:54:12 | 000,108,496 | ---- | M] (Threat Expert Ltd.) -- D:\Program Files\Spyware Doctor\BDT\FGuard.exe
PRC - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) -- D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2010/10/27 21:21:54 | 001,155,072 | ---- | M] (Last.fm) -- D:\Program Files\Last.fm\LastFM.exe
PRC - [2010/10/17 20:06:56 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Users\Nader\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2010/10/07 15:04:44 | 001,919,504 | ---- | M] (Avid) -- C:\Program Files\Avid\Mbox\AudioDevMon.exe
PRC - [2010/06/16 03:11:32 | 000,077,824 | ---- | M] (Avid Technology, Inc.) -- D:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe
PRC - [2010/06/11 17:40:38 | 001,919,504 | ---- | M] (Avid) -- C:\Program Files\Avid\Mbox Pro\AudioDevMon.exe
PRC - [2010/05/06 11:38:58 | 001,919,504 | ---- | M] (Avid) -- C:\Program Files\Avid\Mbox Mini\AudioDevMon.exe
PRC - [2010/03/17 06:05:40 | 000,264,704 | ---- | M] () -- D:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe
PRC - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2010/01/22 10:26:11 | 001,172,992 | ---- | M] (Vitalwerks LLC) -- E:\Program Files\No-IP 2.2.1\DUC20.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- D:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/26 21:21:04 | 000,114,774 | ---- | M] (http://subversion.tigris.org/) -- c:\Program Files\Subversion\bin\svnserve.exe
PRC - [2009/08/29 02:00:12 | 000,966,656 | ---- | M] () -- C:\Users\Nader\Local Settings\Apps\F.lux\flux.exe
PRC - [2009/08/05 13:48:06 | 000,378,384 | ---- | M] () -- C:\Program Files\Core Temp.exe
PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 21:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009/06/04 01:55:16 | 000,025,600 | ---- | M] (Creative Technology Ltd) -- C:\Windows\System32\Ctxfihlp.exe
PRC - [2009/06/04 01:49:56 | 001,213,440 | ---- | M] (Creative Technology Ltd) -- C:\Windows\System32\CTxfispi.exe
PRC - [2009/03/12 21:18:48 | 000,602,624 | ---- | M] () -- C:\Program Files\Everything\Everything.exe
PRC - [2009/02/23 12:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2008/10/29 00:08:44 | 000,326,192 | ---- | M] (VMware, Inc.) -- C:\Windows\System32\vmnetdhcp.exe
PRC - [2008/10/29 00:07:56 | 000,113,200 | ---- | M] (VMware, Inc.) -- E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
PRC - [2008/10/29 00:07:20 | 000,399,920 | ---- | M] (VMware, Inc.) -- C:\Windows\System32\vmnat.exe
PRC - [2008/05/10 19:44:02 | 000,540,672 | ---- | M] (Simon Tatham) -- E:\Documents and Settings\Nader\My Documents\Putty\secure.exe
PRC - [2007/08/14 22:07:50 | 000,299,792 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\vncclipboard.exe
PRC - [2007/08/14 22:07:44 | 000,914,160 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe
PRC - [2007/01/01 17:22:02 | 003,739,648 | ---- | M] (Google) -- C:\Program Files\Google\Google Talk\googletalk.exe


========== Modules (SafeList) ==========

MOD - [2011/04/07 22:53:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Nader\Desktop\OTL.exe
MOD - [2010/08/21 01:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WPFFontCache_v0400)
SRV - File not found [On_Demand | Stopped] -- -- (Steam Client Service)
SRV - File not found [On_Demand | Stopped] -- -- (odserv)
SRV - File not found [On_Demand | Stopped] -- -- (FLEXnet Licensing Service)
SRV - File not found [On_Demand | Stopped] -- -- (Creative Audio Engine Licensing Service)
SRV - File not found [Auto | Stopped] -- -- (ABBYY.Licensing.FineReader.Professional.10.0)
SRV - [2011/03/04 14:37:00 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- D:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/03/04 14:36:52 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- D:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/12/31 09:39:54 | 008,133,120 | ---- | M] () [On_Demand | Stopped] -- d:\wamp\bin\mysql\mysql5.5.8\bin\mysqld.exe -- (wampmysqld)
SRV - [2010/12/31 09:39:42 | 000,020,549 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- d:\wamp\bin\apache\apache2.2.17\bin\httpd.exe -- (wampapache)
SRV - [2010/11/19 06:57:14 | 001,150,936 | ---- | M] (PC Tools) [On_Demand | Stopped] -- D:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/10/07 15:04:44 | 001,919,504 | ---- | M] (Avid) [Auto | Running] -- C:\Program Files\Avid\Mbox\AudioDevMon.exe -- (MboxAudioDevMon)
SRV - [2010/06/16 03:11:32 | 000,077,824 | ---- | M] (Avid Technology, Inc.) [Auto | Running] -- D:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe -- (DigiRefresh)
SRV - [2010/06/16 02:34:20 | 000,159,744 | ---- | M] (Avid Technology, Inc.) [On_Demand | Stopped] -- D:\Program Files\Digidesign\Digidesign\Pro Tools\digiSPTIService.exe -- (digiSPTIService)
SRV - [2010/06/11 17:40:38 | 001,919,504 | ---- | M] (Avid) [Auto | Running] -- C:\Program Files\Avid\Mbox Pro\AudioDevMon.exe -- (MboxProAudioDevMon)
SRV - [2010/05/06 11:38:58 | 001,919,504 | ---- | M] (Avid) [Auto | Running] -- C:\Program Files\Avid\Mbox Mini\AudioDevMon.exe -- (MboxMiniAudioDevMon)
SRV - [2010/03/17 06:05:42 | 000,039,936 | ---- | M] () [On_Demand | Stopped] -- D:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/03/15 14:02:36 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- D:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2010/03/13 00:01:45 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- e:\Program Files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2010/02/19 14:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- D:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2010/01/09 20:18:00 | 000,149,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2009/10/26 21:21:04 | 000,114,774 | ---- | M] (http://subversion.tigris.org/) [Auto | Running] -- c:\program files\subversion\bin\svnserve.exe -- (svn)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:31 | 000,396,288 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2009/07/13 21:15:31 | 000,396,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2009/07/13 21:14:53 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/07/02 15:10:16 | 003,217,744 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- D:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)
SRV - [2009/02/23 12:43:54 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/29 00:08:44 | 000,326,192 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\System32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2008/10/29 00:07:56 | 000,113,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- E:\Program Files\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService)
SRV - [2008/10/29 00:07:20 | 000,399,920 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\System32\vmnat.exe -- (VMware NAT Service)
SRV - [2008/10/02 19:25:42 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- E:\Program Files\VMware\VMware Workstation\vmware-ufad.exe -- (ufad-ws60)
SRV - [2007/08/14 22:07:44 | 000,914,160 | ---- | M] (RealVNC Ltd.) [Auto | Stopped] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (ALSysIO)
DRV - [2011/03/04 16:11:12 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/03/04 14:37:13 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/01/27 01:11:00 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\pssdk42.sys -- (PSSDK42)
DRV - [2011/01/07 23:27:00 | 010,467,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/12/10 13:24:12 | 000,239,168 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/11/21 17:48:06 | 000,420,920 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/11/09 15:35:30 | 000,021,992 | ---- | M] (CPUID) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\cpuz135_x32.sys -- (cpuz135)
DRV - [2010/10/27 04:59:16 | 006,573,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010/10/26 22:14:02 | 000,229,888 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010/10/07 15:04:38 | 000,023,312 | ---- | M] (Avid) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AvidMbox_DFU.sys -- (MBOXDFU)
DRV - [2010/10/07 15:04:34 | 000,398,224 | ---- | M] (Avid) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AvidMbox.sys -- (MBOX)
DRV - [2010/09/24 08:46:24 | 000,102,416 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AtihdW73.sys -- (AtiHDAudioService)
DRV - [2010/09/02 15:07:24 | 000,026,624 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2010/07/16 14:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\Windows\system32\drivers\pctEFA.sys -- (pctEFA)
DRV - [2010/07/16 14:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2010/07/09 14:18:56 | 000,020,328 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\cpuz134_x32.sys -- (cpuz134)
DRV - [2010/07/01 18:52:18 | 000,044,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/16 05:57:02 | 000,016,400 | ---- | M] (Avid Technology, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\diginet.sys -- (DigiNet)
DRV - [2010/06/09 18:05:38 | 000,039,736 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\nm3.sys -- (nm3)
DRV - [2010/06/02 16:06:44 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/05/27 16:02:40 | 000,389,696 | ---- | M] (access) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VirusUSB.sys -- (VIRUSUSB)
DRV - [2010/05/27 16:02:38 | 000,039,488 | ---- | M] (usb-audio.de) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vtiaudio.sys -- (VTIAUDIO)
DRV - [2010/04/22 08:24:14 | 000,035,336 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SaiU0CCB.sys -- (SaiU0CCB)
DRV - [2010/04/22 03:24:16 | 000,043,528 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SaiBus.sys -- (SaiNtBus)
DRV - [2010/04/22 03:24:16 | 000,020,744 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SaiMini.sys -- (SaiMini)
DRV - [2010/04/22 03:24:12 | 000,138,760 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SaiK0CCB.sys -- (SaiK0CCB)
DRV - [2010/02/09 03:12:08 | 000,147,416 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\cbfs.sys -- (CbFs)
DRV - [2010/02/03 15:56:56 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2010/01/30 09:06:41 | 000,223,440 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2010/01/27 12:22:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2009/12/23 12:32:26 | 000,086,016 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TPkd.sys -- (TPkd)
DRV - [2009/12/08 21:24:26 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys -- (VSPerfDrv100)
DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/07/13 21:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 21:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 21:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 19:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 19:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 19:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 18:02:53 | 000,545,792 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr73.sys -- (netr73)
DRV - [2009/07/13 18:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD)
DRV - [2009/06/04 03:48:12 | 001,177,624 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2009/06/04 03:48:00 | 000,095,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\emupia2k.sys -- (emupia)
DRV - [2009/06/04 03:47:50 | 000,158,744 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2009/06/04 03:47:42 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2009/06/04 03:47:34 | 000,130,072 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2009/06/04 03:47:24 | 000,347,080 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2009/06/04 03:47:14 | 000,526,232 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2009/06/04 03:47:06 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2009/06/04 03:46:56 | 001,324,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTEXFIFX.SYS -- (CTEXFIFX.SYS)
DRV - [2009/06/04 03:46:56 | 001,324,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTEXFIFX.sys -- (CTEXFIFX)
DRV - [2009/06/04 03:46:42 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTHWIUT.SYS -- (CTHWIUT.SYS)
DRV - [2009/06/04 03:46:42 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTHWIUT.sys -- (CTHWIUT)
DRV - [2009/06/04 03:46:34 | 000,171,032 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CT20XUT.SYS -- (CT20XUT.SYS)
DRV - [2009/06/04 03:46:34 | 000,171,032 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CT20XUT.sys -- (CT20XUT)
DRV - [2009/05/29 17:15:20 | 000,056,136 | ---- | M] (Kemper Digital Gmbh) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vtimidi.sys -- (VTIMIDEV01)
DRV - [2009/03/30 04:09:28 | 000,239,336 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\RsFx0103.sys -- (RsFx0103)
DRV - [2009/02/24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/10/29 00:08:58 | 000,054,960 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmci.sys -- (vmci)
DRV - [2008/10/29 00:08:58 | 000,026,288 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2008/10/29 00:08:56 | 000,023,216 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2008/10/29 00:08:54 | 000,857,392 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmx86.sys -- (vmx86)
DRV - [2008/10/29 00:08:52 | 000,032,304 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\hcmon.sys -- (hcmon)
DRV - [2008/10/28 18:03:28 | 000,031,280 | R--- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2008/10/28 18:03:28 | 000,031,280 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmusb.sys -- (vmusb)
DRV - [2008/10/28 18:03:28 | 000,016,560 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2008/10/02 19:24:48 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- E:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2007/08/14 15:15:58 | 000,003,072 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vncmirror.sys -- (vncmirror)
DRV - [2005/05/25 15:39:06 | 000,004,608 | ---- | M] () [Kernel | On_Demand | Running] -- D:\Program Files\EVGA Precision\RTCore32.sys -- (RTCore32)
DRV - [2005/01/31 11:20:04 | 000,211,712 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2005/01/31 11:12:46 | 000,022,016 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - D:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.ca/ig"

FF - HKLM\software\mozilla\Firefox\Extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: D:\Program Files\Spyware Doctor\BDT\Firefox\ [2011/04/03 16:40:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/03 16:38:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/30 09:25:27 | 000,000,000 | ---D | M]

[2011/03/30 09:25:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nader\AppData\Roaming\Mozilla\Extensions
[2010/03/25 01:18:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nader\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/02/27 18:23:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nader\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2011/04/06 23:01:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nader\AppData\Roaming\Mozilla\Firefox\Profiles\1mpuxu2x.default\extensions
[2011/04/03 16:38:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/20 09:02:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/03 09:10:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/03 23:11:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/03 10:05:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\USERS\NADER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1MPUXU2X.DEFAULT\EXTENSIONS\{15E67A59-BD3D-49AE-90DD-B3D3FD14C2ED}.XPI
() (No name found) -- C:\USERS\NADER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1MPUXU2X.DEFAULT\EXTENSIONS\{D4DD63FA-01E4-46A7-B6B1-EDAB7D6AD389}.XPI
[2011/03/18 13:53:24 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/04/07 09:41:06 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - D:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - File not found
O2 - BHO: (Microsoft Web Test Recorder 10.0 Helper) - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll (Microsoft Corporation)
O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\HyperCam Toolbar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - D:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (&NetWorx Desk Band) - {FEEA54B4-D80F-41C7-87B9-DC08E6D3255F} - D:\Program Files\NetWorx\deskband.dll (SoftPerfect Research)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&NetWorx Desk Band) - {FEEA54B4-D80F-41C7-87B9-DC08E6D3255F} - D:\Program Files\NetWorx\deskband.dll (SoftPerfect Research)
O4 - HKLM..\Run: [avgnt] D:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DigidesignMMERefresh] D:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe (Avid Technology, Inc.)
O4 - HKLM..\Run: [Everything] C:\Program Files\Everything\Everything.exe ()
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [ISTray] D:\Program Files\Spyware Doctor\pctsGui.exe (PC Tools)
O4 - HKLM..\Run: [NetWorx] D:\Program Files\NetWorx\networx.exe (SoftPerfect Research)
O4 - HKLM..\Run: [openvpn-gui] D:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe ()
O4 - HKLM..\Run: [PCTools FGuard] D:\Program Files\Spyware Doctor\BDT\FGuard.exe (Threat Expert Ltd.)
O4 - HKCU..\Run: [Core Temp] C:\Program Files\Core Temp.exe ()
O4 - HKCU..\Run: [F.lux] C:\Users\Nader\Local Settings\Apps\F.lux\flux.exe ()
O4 - HKCU..\Run: [SugarSync] D:\Program Files\SugarSync\SugarSyncManager.exe (SugarSync, Inc.)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Users\Nader\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\No-IP DUC.lnk = E:\Program Files\No-IP 2.2.1\DUC20.exe (Vitalwerks LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyMusic = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - D:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - D:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - D:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000046 - D:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\Program Files\HmelyoffLabs\VHToolkit\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O22 - SharedTaskScheduler: {1984DD45-52CF-49cd-AB77-18F378FEA264} - FencesShellExt - D:\Program Files\Stardock\Fences\FencesMenu.dll (Stardock)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/01/22 15:29:55 | 000,000,033 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/03/13 12:02:19 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/29 19:54:45 | 000,000,047 | R--- | M] () - G:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\knp.exe" -a "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\knp.exe" -a "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*
 
OTL Part 2

========== Files/Folders - Created Within 30 Days ==========

[2011/04/11 09:04:33 | 000,000,000 | ---D | C] -- C:\Users\Nader\Desktop\New folder
[2011/04/11 01:36:09 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Nader\My Documents\REAPER Media
[2011/04/11 00:50:38 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\REAPER
[2011/04/11 00:50:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\REAPER
[2011/04/11 00:50:26 | 000,000,000 | ---D | C] -- C:\Program Files\REAPER
[2011/04/10 11:33:46 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ASIO4ALL v2
[2011/04/10 10:40:02 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Celemony Software GmbH
[2011/04/10 10:40:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Celemony Software GmbH
[2011/04/09 17:25:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PSPaudioware
[2011/04/09 16:04:49 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Celemony
[2011/04/09 16:04:45 | 000,000,000 | ---D | C] -- D:\Program Files\Common Files\VST3
[2011/04/07 22:53:25 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Nader\Desktop\OTL.exe
[2011/04/07 09:45:24 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/04/07 09:45:24 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Local\temp
[2011/04/07 09:45:23 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/04/07 09:27:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/04/07 09:27:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/04/07 09:27:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/04/07 09:27:36 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/04/07 09:27:35 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/04/07 09:26:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/07 09:25:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/04/07 09:25:53 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/04/03 16:40:52 | 000,656,320 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
[2011/04/03 16:40:52 | 000,338,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
[2011/04/03 16:40:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
[2011/04/03 15:51:06 | 002,000,848 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDCore.dll
[2011/04/03 15:51:06 | 001,533,904 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDRes.dll
[2011/04/03 15:51:06 | 000,149,456 | ---- | C] (PC Tools) -- C:\Windows\SGDetectionTool.dll
[2011/04/03 15:44:46 | 000,251,560 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2011/04/03 15:44:46 | 000,103,232 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2011/04/03 15:44:43 | 000,239,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2011/04/03 15:44:43 | 000,160,448 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2011/04/03 15:44:39 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2011/04/03 15:44:29 | 000,000,000 | ---D | C] -- D:\Program Files\Common Files\PC Tools
[2011/04/03 15:44:29 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\PC Tools
[2011/04/03 15:44:29 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2011/04/03 13:05:36 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Nader\My Documents\Electronic Arts
[2011/04/03 11:50:59 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft WSE
[2011/04/03 08:38:26 | 000,000,000 | ---D | C] -- C:\Users\Nader\Desktop\Tabs and Notes
[2011/04/02 11:44:25 | 000,000,000 | ---D | C] -- C:\Users\Nader\Desktop\Can Torkgoz
[2011/04/02 00:08:47 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Guitar Pro 6
[2011/04/02 00:08:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Guitar Pro 6
[2011/04/01 23:18:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Guitar Pro 6
[2011/04/01 20:29:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/03/30 09:24:09 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Avira
[2011/03/30 09:19:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2011/03/30 09:19:09 | 000,137,656 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2011/03/30 09:19:09 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2011/03/30 09:19:09 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2011/03/30 09:19:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2011/03/28 23:21:41 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2011/03/28 23:21:40 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\SUPERAntiSpyware.com
[2011/03/28 11:18:41 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Malwarebytes
[2011/03/28 11:18:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/27 15:34:03 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sonalksis
[2011/03/27 15:26:12 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Sonalksis
[2011/03/27 13:46:33 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NINJAM
[2011/03/27 13:46:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NINJAM
[2011/03/27 11:01:25 | 000,000,000 | ---D | C] -- C:\AVG10
[2011/03/26 00:12:34 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Nader\My Documents\reading the mind_files
[2011/03/25 09:07:38 | 000,000,000 | ---D | C] -- C:\Users\Nader\Desktop\Fatal Placard
[2011/03/24 19:03:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ZSoft
[2011/03/24 07:14:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2011/03/24 07:14:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2011/03/23 21:01:57 | 000,000,000 | ---D | C] -- C:\Users\Nader\dwhelper
[2011/03/21 23:05:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/03/21 23:04:29 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/03/21 23:03:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/03/21 23:02:10 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/03/21 21:00:38 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sample Modeling Mr. Sax T
[2011/03/21 21:00:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sample Modeling Mr. Sax T
[2011/03/21 21:00:16 | 000,393,216 | ---- | C] (Native Instruments Software GmbH) -- C:\Windows\System32\NI_IRC_1_2.dll
[2011/03/21 21:00:16 | 000,061,440 | ---- | C] (Native Instruments Software GmbH) -- C:\Windows\System32\NI_DFD_1_5.dll
[2011/03/21 19:39:18 | 000,000,000 | ---D | C] -- C:\Users\Nader\Desktop\AKAI EWI
[2011/03/15 23:25:35 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Nader\My Documents\KMPlayer
[2011/03/13 12:34:10 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Nader\My Documents\Virtual Machines
[2011/03/13 10:01:39 | 000,000,000 | ---D | C] -- C:\Users\Nader\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Press Training Kit Exam Prep
[2011/03/13 10:01:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\WinNTDlls
[2011/03/13 10:01:38 | 000,000,000 | ---D | C] -- C:\Windows\System32\Win98Dlls
[2010/09/17 18:47:05 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Nader\AppData\Roaming\pcouffin.sys
[2009/06/04 01:57:38 | 000,060,928 | ---- | C] ( ) -- C:\Windows\System32\a3d.dll
[2009/06/04 01:32:54 | 000,012,800 | ---- | C] ( ) -- C:\Windows\System32\killapps.exe

========== Files - Modified Within 30 Days ==========

[2011/04/11 12:12:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1781405395-3741976201-142666947-1000UA.job
[2011/04/11 11:46:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/11 08:13:25 | 000,000,434 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.ics
[2011/04/11 08:13:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/11 02:00:38 | 000,055,756 | ---- | M] () -- C:\Windows\System32\BMXStateBkp-{00000005-00000000-0000000A-00001102-00000005-00211102}.rfx
[2011/04/11 02:00:38 | 000,055,756 | ---- | M] () -- C:\Windows\System32\BMXState-{00000005-00000000-0000000A-00001102-00000005-00211102}.rfx
[2011/04/11 02:00:38 | 000,001,080 | ---- | M] () -- C:\Windows\System32\settingsbkup.sfm
[2011/04/11 02:00:38 | 000,001,080 | ---- | M] () -- C:\Windows\System32\settings.sfm
[2011/04/11 02:00:38 | 000,000,788 | ---- | M] () -- C:\Windows\System32\DVCState-{00000005-00000000-0000000A-00001102-00000005-00211102}.rfx
[2011/04/11 01:19:27 | 000,784,396 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/11 01:19:27 | 000,516,558 | ---- | M] () -- C:\Windows\System32\perfh011.dat
[2011/04/11 01:19:27 | 000,166,074 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/11 01:19:27 | 000,165,738 | ---- | M] () -- C:\Windows\System32\perfc011.dat
[2011/04/11 01:19:22 | 000,010,208 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/11 01:19:22 | 000,010,208 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/11 01:14:22 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/11 01:13:59 | 2213,441,536 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/11 01:09:03 | 000,000,072 | ---- | M] () -- C:\Users\Nader\Desktop\Reaper NINJAM Setup - Cockos Confederated Forums.URL
[2011/04/11 00:50:29 | 000,000,944 | ---- | M] () -- C:\Users\Public\Desktop\REAPER.lnk
[2011/04/10 20:12:00 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1781405395-3741976201-142666947-1000Core.job
[2011/04/09 17:25:05 | 006,617,600 | ---- | M] () -- C:\Windows\System32\PSP VintageWarmer2.dll
[2011/04/09 17:25:05 | 006,578,688 | ---- | M] () -- C:\Windows\System32\PSP MicroWarmer.dll
[2011/04/09 17:25:04 | 006,610,432 | ---- | M] () -- C:\Windows\System32\PSP VintageWarmer.dll
[2011/04/08 21:55:17 | 001,346,650 | ---- | M] () -- C:\Users\Nader\Desktop\dd65_en_om.pdf
[2011/04/07 22:53:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Nader\Desktop\OTL.exe
[2011/04/07 18:54:33 | 000,868,704 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2011/04/07 09:41:06 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/04/06 22:09:45 | 000,000,756 | ---- | M] () -- C:\Program Files\CoreTemp.ini
[2011/04/06 09:08:50 | 000,000,869 | ---- | M] () -- C:\Users\Nader\Desktop\Downloads.lnk
[2011/04/05 23:31:25 | 000,000,068 | ---- | M] () -- C:\Users\Nader\Desktop\UPDATED 8-step VirusesSpywareMalware Preliminary Removal Instructions - TechSpot OpenBoards.URL
[2011/04/05 21:57:23 | 000,000,117 | ---- | M] () -- C:\Users\Nader\Desktop\Reddit, what's a little-known site you think everyone should know about AskReddit.URL
[2011/04/04 20:09:49 | 000,000,050 | ---- | M] () -- C:\Users\Nader\Desktop\Eric Whitacre – Composer and Conductor.URL
[2011/04/04 08:55:46 | 000,765,107 | ---- | M] () -- C:\Users\Nader\Desktop\simple recipes.jpg
[2011/04/03 15:51:45 | 000,011,444 | -HS- | M] () -- C:\ProgramData\7s2pe1q5j6f2k0cn2w6ndd0asw4fv7j73kk2gs86
[2011/04/01 23:18:56 | 000,000,654 | ---- | M] () -- C:\Users\Public\Desktop\Guitar Pro 6.lnk
[2011/04/01 20:29:12 | 000,012,804 | -HS- | M] () -- C:\Users\Nader\AppData\Local\7s2pe1q5j6f2k0cn2w6ndd0asw4fv7j73kk2gs86
[2011/04/01 19:14:34 | 000,012,804 | -HS- | M] () -- C:\ProgramData\2562034582
[2011/03/30 09:14:30 | 000,001,333 | ---- | M] () -- C:\Users\Nader\Desktop\credentials.lnk
[2011/03/30 09:09:36 | 000,001,621 | ---- | M] () -- C:\Users\Nader\Desktop\secure.lnk
[2011/03/26 21:56:38 | 003,682,096 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/03/26 00:12:34 | 000,059,176 | ---- | M] () -- E:\Documents and Settings\Nader\My Documents\reading the mind.html
[2011/03/18 23:11:02 | 000,002,671 | ---- | M] () -- C:\Users\Nader\Desktop\Microsoft Office Word Viewer 2003.lnk
[2011/03/14 01:10:45 | 000,000,023 | ---- | M] () -- C:\Windows\BlendSettings.ini

========== Files Created - No Company Name ==========

[2011/04/11 01:09:03 | 000,000,072 | ---- | C] () -- C:\Users\Nader\Desktop\Reaper NINJAM Setup - Cockos Confederated Forums.URL
[2011/04/11 00:50:29 | 000,000,944 | ---- | C] () -- C:\Users\Public\Desktop\REAPER.lnk
[2011/04/09 17:25:05 | 006,578,688 | ---- | C] () -- C:\Windows\System32\PSP MicroWarmer.dll
[2011/04/09 17:25:04 | 006,617,600 | ---- | C] () -- C:\Windows\System32\PSP VintageWarmer2.dll
[2011/04/09 17:25:04 | 006,610,432 | ---- | C] () -- C:\Windows\System32\PSP VintageWarmer.dll
[2011/04/08 21:55:29 | 001,346,650 | ---- | C] () -- C:\Users\Nader\Desktop\dd65_en_om.pdf
[2011/04/07 09:27:57 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/04/07 09:27:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/04/07 09:27:57 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/04/07 09:27:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/04/07 09:27:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/04/06 09:08:50 | 000,000,869 | ---- | C] () -- C:\Users\Nader\Desktop\Downloads.lnk
[2011/04/05 23:31:25 | 000,000,068 | ---- | C] () -- C:\Users\Nader\Desktop\UPDATED 8-step VirusesSpywareMalware Preliminary Removal Instructions - TechSpot OpenBoards.URL
[2011/04/05 21:57:23 | 000,000,117 | ---- | C] () -- C:\Users\Nader\Desktop\Reddit, what's a little-known site you think everyone should know about AskReddit.URL
[2011/04/04 20:09:49 | 000,000,050 | ---- | C] () -- C:\Users\Nader\Desktop\Eric Whitacre – Composer and Conductor.URL
[2011/04/04 08:55:45 | 000,765,107 | ---- | C] () -- C:\Users\Nader\Desktop\simple recipes.jpg
[2011/04/03 16:40:53 | 000,868,704 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2011/04/03 16:38:51 | 000,001,111 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/04/03 15:51:06 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll
[2011/04/03 15:51:06 | 000,002,125 | ---- | C] () -- C:\Windows\UDB.zip
[2011/04/03 15:51:06 | 000,000,882 | ---- | C] () -- C:\Windows\RegSDImport.xml
[2011/04/03 15:51:06 | 000,000,879 | ---- | C] () -- C:\Windows\RegISSImport.xml
[2011/04/03 15:51:06 | 000,000,131 | ---- | C] () -- C:\Windows\IDB.zip
[2011/04/03 15:44:46 | 000,007,387 | ---- | C] () -- C:\Windows\System32\drivers\pctgntdi.cat
[2011/04/03 15:44:39 | 000,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctplsg.cat
[2011/04/01 23:18:56 | 000,000,654 | ---- | C] () -- C:\Users\Public\Desktop\Guitar Pro 6.lnk
[2011/04/01 09:46:02 | 000,012,804 | -HS- | C] () -- C:\Users\Nader\AppData\Local\7s2pe1q5j6f2k0cn2w6ndd0asw4fv7j73kk2gs86
[2011/04/01 09:46:02 | 000,012,804 | -HS- | C] () -- C:\ProgramData\2562034582
[2011/04/01 09:45:55 | 000,011,444 | -HS- | C] () -- C:\ProgramData\7s2pe1q5j6f2k0cn2w6ndd0asw4fv7j73kk2gs86
[2011/03/31 21:34:19 | 000,001,258 | ---- | C] () -- E:\Documents and Settings\Nader\My Documents\hosts
[2011/03/30 09:14:30 | 000,001,333 | ---- | C] () -- C:\Users\Nader\Desktop\credentials.lnk
[2011/03/30 09:09:36 | 000,001,621 | ---- | C] () -- C:\Users\Nader\Desktop\secure.lnk
[2011/03/26 00:12:33 | 000,059,176 | ---- | C] () -- E:\Documents and Settings\Nader\My Documents\reading the mind.html
[2011/03/18 23:24:18 | 000,002,671 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Word Viewer 2003.lnk
[2011/03/18 23:13:13 | 000,002,671 | ---- | C] () -- C:\Users\Nader\Desktop\Microsoft Office Word Viewer 2003.lnk
[2011/02/16 21:00:28 | 000,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
[2011/02/13 17:06:26 | 000,001,456 | ---- | C] () -- C:\Users\Nader\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/02/06 01:04:04 | 000,004,608 | ---- | C] () -- C:\Users\Nader\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/22 15:42:31 | 000,047,104 | ---- | C] () -- C:\Windows\System32\KMVIDC32.DLL
[2010/12/25 17:50:14 | 000,000,005 | ---- | C] () -- C:\Windows\pellnoba.ini
[2010/12/10 20:13:52 | 000,823,296 | ---- | C] () -- C:\Windows\j3dcore-d3d.dll
[2010/12/10 20:13:52 | 000,163,840 | ---- | C] () -- C:\Windows\j3dcore-ogl.dll
[2010/12/10 20:13:52 | 000,049,152 | ---- | C] () -- C:\Windows\j3dcore-ogl-chk.dll
[2010/12/10 20:13:52 | 000,040,960 | ---- | C] () -- C:\Windows\j3dcore-ogl-cg.dll
[2010/11/25 21:12:48 | 000,000,093 | ---- | C] () -- C:\Users\Nader\AppData\Local\fusioncache.dat
[2010/11/21 17:10:25 | 000,000,116 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2010/11/18 21:11:58 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/11/01 08:49:25 | 000,000,565 | ---- | C] () -- C:\Users\Nader\AppData\Roaming\myMPQ.ini
[2010/10/27 03:13:04 | 000,023,040 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2010/09/22 19:27:52 | 000,223,990 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2010/09/19 22:40:57 | 000,000,005 | ---- | C] () -- C:\Windows\ljndfenn.ini
[2010/09/17 19:17:02 | 000,002,888 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2010/09/17 18:47:35 | 000,001,057 | ---- | C] () -- C:\Users\Nader\AppData\Roaming\vso_ts_preview.xml
[2010/09/17 18:47:05 | 000,007,887 | ---- | C] () -- C:\Users\Nader\AppData\Roaming\pcouffin.cat
[2010/09/17 18:47:05 | 000,001,144 | ---- | C] () -- C:\Users\Nader\AppData\Roaming\pcouffin.inf
[2010/09/06 16:31:51 | 000,000,056 | ---- | C] () -- C:\Windows\System32\nets12.dll
[2010/09/01 07:07:07 | 000,000,622 | ---- | C] () -- C:\Windows\DMN.INI
[2010/08/31 22:19:24 | 000,209,040 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2010/08/31 22:19:24 | 000,204,944 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2010/08/31 22:19:24 | 000,196,752 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2010/08/31 22:19:24 | 000,196,752 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2010/08/31 22:19:24 | 000,192,656 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2010/08/31 22:19:24 | 000,024,720 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2010/08/29 19:55:25 | 000,000,005 | ---- | C] () -- C:\Windows\apneilka.ini
[2010/06/19 10:31:15 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2010/04/17 15:07:47 | 000,053,248 | ---- | C] () -- C:\Windows\System32\zlib.dll
[2010/03/30 20:07:58 | 000,141,988 | ---- | C] () -- C:\Windows\System32\perfi011.dat
[2010/03/30 20:07:57 | 000,516,558 | ---- | C] () -- C:\Windows\System32\perfh011.dat
[2010/03/30 20:07:57 | 000,165,738 | ---- | C] () -- C:\Windows\System32\perfc011.dat
[2010/03/30 20:07:57 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd011.dat
[2010/03/25 01:18:57 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/03/22 22:44:22 | 000,001,029 | ---- | C] () -- C:\Windows\ARPR.INI
[2010/03/18 21:24:40 | 000,000,005 | ---- | C] () -- C:\Windows\knplpkmm.ini
[2010/03/16 08:50:36 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2010/03/05 21:05:12 | 000,000,011 | ---- | C] () -- C:\Program Files\Plugins.ini
[2010/03/05 21:05:11 | 000,000,756 | ---- | C] () -- C:\Program Files\CoreTemp.ini
[2010/03/05 20:59:43 | 000,378,384 | ---- | C] () -- C:\Program Files\Core Temp.exe
[2010/03/01 23:20:17 | 000,000,048 | ---- | C] () -- C:\Windows\msocreg32.dat
[2010/02/27 00:34:50 | 000,055,856 | ---- | C] () -- C:\Windows\System32\vnetinst.dll
[2010/02/10 08:37:25 | 000,001,025 | ---- | C] () -- C:\Windows\System32\grcauth2.dll
[2010/02/10 08:37:25 | 000,001,025 | ---- | C] () -- C:\Windows\System32\grcauth1.dll
[2010/02/10 08:37:25 | 000,001,025 | ---- | C] () -- C:\Windows\System32\clauth2.dll
[2010/02/10 08:37:25 | 000,001,025 | ---- | C] () -- C:\Windows\System32\clauth1.dll
[2010/02/10 08:37:25 | 000,001,025 | ---- | C] () -- C:\Windows\System32\a69u0zk.dll
[2010/02/10 08:37:25 | 000,000,204 | ---- | C] () -- C:\Windows\System32\i6u1wqr.dll
[2010/02/10 08:37:25 | 000,000,100 | ---- | C] () -- C:\Windows\System32\prsgrc.dll
[2010/02/10 08:37:25 | 000,000,072 | ---- | C] () -- C:\Windows\System32\ssprs.dll
[2010/02/10 08:37:25 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\qmtn7ft.dll
[2010/02/10 08:37:25 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\jm1ixs2.dll
[2010/02/10 08:37:25 | 000,000,000 | ---- | C] () -- C:\Windows\System32\serauth2.dll
[2010/02/10 08:37:25 | 000,000,000 | ---- | C] () -- C:\Windows\System32\serauth1.dll
[2010/02/10 08:37:25 | 000,000,000 | ---- | C] () -- C:\Windows\System32\nsprs.dll
[2010/01/20 10:33:08 | 000,430,080 | ---- | C] () -- C:\Windows\System32\ZSHP1020.EXE
[2010/01/20 00:35:18 | 003,682,096 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/01/19 23:28:46 | 000,148,480 | ---- | C] () -- C:\Windows\System32\APOMngr.DLL
[2010/01/19 23:28:46 | 000,073,728 | ---- | C] () -- C:\Windows\System32\CmdRtr.DLL
[2010/01/19 21:41:10 | 000,000,600 | ---- | C] () -- C:\Users\Nader\AppData\Roaming\winscp.rnd
[2010/01/19 21:40:28 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/11/06 11:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/09/01 16:27:32 | 000,319,488 | ---- | C] () -- C:\Windows\win-get.exe
[2009/09/01 16:27:30 | 000,324,608 | ---- | C] () -- C:\Windows\wget.exe
[2009/09/01 13:09:07 | 000,031,232 | ---- | C] () -- C:\Windows\System32\cmdow.exe
[2009/09/01 13:09:07 | 000,026,013 | ---- | C] () -- C:\Windows\System32\sleep.exe
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:05:48 | 000,784,396 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,166,074 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 20:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2009/06/04 02:37:08 | 000,021,093 | ---- | C] () -- C:\Windows\System32\instwdm.ini
[2009/06/04 02:37:06 | 000,000,054 | ---- | C] () -- C:\Windows\System32\ctzapxx.ini
[2009/06/04 01:55:20 | 000,002,560 | ---- | C] () -- C:\Windows\System32\CtxfiRes.dll
[2009/06/04 01:55:20 | 000,002,560 | ---- | C] () -- C:\Windows\CTXFIRES.DLL
[2009/06/04 01:40:44 | 000,321,512 | ---- | C] () -- C:\Windows\System32\ctdlang.dat
[2009/06/04 01:40:44 | 000,056,509 | ---- | C] () -- C:\Windows\System32\ctdnlstr.dat
[2009/06/04 01:36:30 | 000,016,384 | ---- | C] () -- C:\Windows\System32\regplib.exe
[2009/06/04 01:33:04 | 000,007,680 | ---- | C] () -- C:\Windows\System32\enlocstr.exe
[2009/05/27 10:49:00 | 000,000,285 | ---- | C] () -- C:\Windows\System32\kill.ini
[2007/07/23 10:03:32 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2007/07/23 10:03:32 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2007/07/23 10:03:32 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2007/07/23 10:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2006/07/17 07:57:40 | 000,069,632 | ---- | C] () -- C:\Windows\System32\FxShared.dll
[2006/07/17 07:57:40 | 000,069,632 | ---- | C] () -- C:\Windows\System32\com.fxpansion.fxshared.dll
[2005/01/31 09:37:58 | 000,009,255 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2002/09/18 00:45:00 | 000,119,808 | ---- | C] () -- C:\Windows\lsb_un20.exe

========== LOP Check ==========

[2010/06/26 22:57:41 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\.anki
[2011/02/22 23:38:42 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\.minecraft
[2010/05/30 19:19:26 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Ableton
[2011/02/12 09:56:14 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Antares
[2010/12/19 09:59:09 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Ashampoo
[2011/04/02 09:12:00 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Audacity
[2010/11/28 12:19:58 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\AVG10
[2010/03/08 23:51:38 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\AVG9
[2010/02/10 10:09:23 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Bioshock2
[2011/01/03 21:12:08 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Braid
[2010/06/19 10:31:28 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Canneverbe Limited
[2011/04/10 10:40:02 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Celemony Software GmbH
[2010/07/08 09:00:21 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Curl Corporation
[2010/11/21 17:37:33 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\DAEMON Tools
[2010/11/21 17:46:47 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\DAEMON Tools Pro
[2011/04/11 01:35:28 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Digidesign
[2010/12/26 23:24:33 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Downloaded Installations
[2010/11/13 16:30:07 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Dropbox
[2010/01/19 21:44:57 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\ESET
[2010/01/31 10:00:31 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\FabFilter
[2010/07/10 10:39:32 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Folding@home-x86
[2011/04/11 08:27:55 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\foobar2000
[2010/03/25 20:56:08 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Foxit Software
[2010/02/04 19:59:58 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\freephoneline.ca
[2010/10/18 23:52:55 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\GrabPro
[2011/04/02 00:10:08 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Guitar Pro 6
[2010/01/25 10:29:52 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Helios
[2010/02/24 01:13:16 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\ICSharpCode
[2010/10/19 09:35:08 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\ID3 renamer
[2010/12/20 23:36:37 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\IObit
[2010/02/27 11:51:38 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\iZotope
[2010/02/10 09:50:01 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\JAM Software
[2010/03/31 23:14:50 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\JetBrains
[2010/02/27 16:14:58 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Leadertech
[2010/12/12 10:32:58 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\LimeWire
[2010/11/24 21:53:38 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\LINQPad
[2010/03/26 22:15:19 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Movienizer
[2010/06/26 09:56:06 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\mplayer
[2010/12/27 00:38:58 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Mumble
[2011/01/06 19:03:55 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\MusicLab
[2010/10/10 22:43:50 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Neuratron
[2010/09/12 23:57:30 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Nik Software
[2010/02/24 01:05:06 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Nokia
[2011/02/14 21:19:50 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Notepad++
[2010/12/21 22:06:47 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Octoshape
[2011/04/03 16:36:42 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Orbit
[2010/12/24 10:07:29 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\PACE Anti-Piracy
[2010/03/26 21:29:44 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Personal Video Database
[2010/02/07 01:25:27 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Polynomial
[2010/10/18 23:25:45 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\ProgSense
[2010/09/20 22:15:22 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Publish Providers
[2010/12/12 10:51:14 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Python-Eggs
[2010/12/21 21:35:49 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\RayV
[2011/04/11 01:55:20 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\REAPER
[2011/01/22 16:28:02 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Red Alert 3
[2011/03/27 15:27:25 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Sonalksis
[2010/09/20 23:30:14 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Sony
[2010/11/25 09:17:38 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Stardock
[2010/05/24 20:54:53 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Steinberg
[2010/02/23 10:11:09 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Subversion
[2011/01/16 01:06:01 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Telerik
[2011/02/09 21:41:13 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Thinstall
[2011/01/12 22:04:03 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\TileRacer
[2010/12/24 10:08:48 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Trillium Lane
[2010/03/30 19:56:27 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\TrueCrypt
[2010/11/25 22:31:29 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Ubisoft
[2010/09/02 06:31:54 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Ulead Systems
[2011/04/11 12:17:08 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\uTorrent
[2010/12/21 21:31:24 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Vso
[2010/01/30 10:51:33 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Waves
[2010/01/30 10:40:50 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Waves Audio
[2010/01/30 10:51:42 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Waves Preferences
[2011/02/06 20:44:48 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\Wing IDE 3
[2010/09/20 10:35:11 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\ZumoDrive
[2011/04/05 23:32:51 | 000,032,636 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2009/06/05 02:08:09 | 000,000,068 | ---- | M] ()(E:\Documents and Settings\Nader\My Documents\YouTube - ??????????? Sugar Blessing singing ?????.url) -- E:\Documents and Settings\Nader\My Documents\YouTube - シュガーブレッシングは Sugar Blessing singing かえりみち.url
[2009/06/05 02:08:09 | 000,000,068 | ---- | C] ()(E:\Documents and Settings\Nader\My Documents\YouTube - ??????????? Sugar Blessing singing ?????.url) -- E:\Documents and Settings\Nader\My Documents\YouTube - シュガーブレッシングは Sugar Blessing singing かえりみち.url

========== Alternate Data Streams ==========

@Alternate Data Stream - 182 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 1376 bytes -> D:\Program Files\Common Files\microsoft shared:ph452BqwAkc38Virok8CNEZ
@Alternate Data Stream - 1371 bytes -> D:\Program Files\Common Files\microsoft shared:OiggSqmLGjWPvIbcpHjYmKJ5jUA
@Alternate Data Stream - 1363 bytes -> C:\ProgramData\Microsoft:iKNP3W7pXupY60tGak
@Alternate Data Stream - 1356 bytes -> C:\ProgramData\Microsoft:sP6DlGvCY6WZUpwUSDX
@Alternate Data Stream - 1301 bytes -> C:\ProgramData\Microsoft:KorUr2LVku3POKIGi7LF0jhVxB
@Alternate Data Stream - 1281 bytes -> C:\ProgramData\Microsoft:CakalxSobwG50d8blSBD4or
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 1229 bytes -> D:\Program Files\Common Files\microsoft shared:j65njlSI1R8g4i6s3iAEenVbA
@Alternate Data Stream - 1184 bytes -> C:\ProgramData\Microsoft:gbvCqLZkLJr1PrIEDZGsxqtY4s
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:D74B6CF5

< End of report >
 
1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\knp.exe" -a "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\knp.exe" -a "%1" %*
    [2011/03/27 11:01:25 | 000,000,000 | ---D | C] -- C:\AVG10
    [2011/04/03 15:51:45 | 000,011,444 | -HS- | M] () -- C:\ProgramData\7s2pe1q5j6f2k0cn2w6ndd0asw4fv7j73kk2gs86
    [2011/04/01 20:29:12 | 000,012,804 | -HS- | M] () -- C:\Users\Nader\AppData\Local\7s2pe1q5j6f2k0cn2w6ndd0asw4fv7j73kk2gs86
    [2011/04/01 19:14:34 | 000,012,804 | -HS- | M] () -- C:\ProgramData\2562034582
    [2010/11/28 12:19:58 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\AVG10
    [2010/03/08 23:51:38 | 000,000,000 | ---D | M] -- C:\Users\Nader\AppData\Roaming\AVG9
    @Alternate Data Stream - 182 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 1376 bytes -> D:\Program Files\Common Files\microsoft shared:ph452BqwAkc38Virok8CNEZ
    @Alternate Data Stream - 1371 bytes -> D:\Program Files\Common Files\microsoft shared:OiggSqmLGjWPvIbcpHjYmKJ5jUA
    @Alternate Data Stream - 1363 bytes -> C:\ProgramData\Microsoft:iKNP3W7pXupY60tGak
    @Alternate Data Stream - 1356 bytes -> C:\ProgramData\Microsoft:sP6DlGvCY6WZUpwUSDX
    @Alternate Data Stream - 1301 bytes -> C:\ProgramData\Microsoft:KorUr2LVku3POKIGi7LF0jhVxB
    @Alternate Data Stream - 1281 bytes -> C:\ProgramData\Microsoft:CakalxSobwG50d8blSBD4or
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
    @Alternate Data Stream - 1229 bytes -> D:\Program Files\Common Files\microsoft shared:j65njlSI1R8g4i6s3iAEenVbA
    @Alternate Data Stream - 1184 bytes -> C:\ProgramData\Microsoft:gbvCqLZkLJr1PrIEDZGsxqtY4s
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:D74B6CF5
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=====================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
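As an added example (not OTL's code and not the helper's), here is a Python triage pass over OTL log lines of the kinds posted in this thread: it flags a non-default exefile association (the O35/O37 entries that route every .exe launch through knp.exe), lists alternate data streams with their host path and stream name, and notes hidden+system files as items worth a look. The function names are mine, and the sample lines are assembled from the thread's own fix script and logs.

```python
import re
from dataclasses import dataclass

# The stock exefile "open" command: Windows runs exactly this when any .exe is
# launched. Anything else means a third-party binary sits in front of every
# program start, which is what the O35/O37 entries in this thread showed.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# O35 / O37 lines: "O35 - HKLM\..exefile [open] -- <command>"
ASSOC_RE = re.compile(r'^O3[57] - (?P<key>\S+) \[(?P<sub>[^\]]+)\] -- (?P<cmd>.+)$')
# "@Alternate Data Stream - <n> bytes -> <host path>:<stream name>"
# The host path itself contains a drive colon, so the stream name is taken
# as the last colon-delimited token that has no backslash in it.
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.+?):(?P<stream>[^:\\]+)$')
# File/folder lines: "[date | size | attrs | C/M] () -- <path>"
FILE_RE = re.compile(r'^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[^|]+?)\s*\|\s*[CM]\]\s*(?:\(\))?\s*--\s*(?P<path>.+)$')

# Constructed sample, copied from lines that appear in this thread.
SAMPLE_OTL_LINES = [
    r'O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\knp.exe" -a "%1" %*',
    r'O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\knp.exe" -a "%1" %*',
    r'O35 - HKLM\..comfile [open] -- "%1" %*',          # stock value, must not be flagged
    r'[2011/03/27 11:01:25 | 000,000,000 | ---D | C] -- C:\AVG10',
    r'[2011/04/03 15:51:45 | 000,011,444 | -HS- | M] () -- C:\ProgramData\7s2pe1q5j6f2k0cn2w6ndd0asw4fv7j73kk2gs86',
    r'@Alternate Data Stream - 182 bytes -> C:\ProgramData\TEMP:DFC5A2B2',
    r'@Alternate Data Stream - 1376 bytes -> D:\Program Files\Common Files\microsoft shared:ph452BqwAkc38Virok8CNEZ',
]


@dataclass
class Finding:
    kind: str    # "exefile_hijack", "ads" or "hidden_system_file"
    path: str    # registry key or file-system path the line refers to
    detail: str  # the command, the stream name + size, or the attribute field


def hijacker_binary(cmd):
    """Return the executable a non-default exefile command runs first."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage_otl(lines):
    """Walk OTL log lines and return the entries a responder should look at."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = ASSOC_RE.match(line)
        if m:
            cmd = m.group('cmd').strip()
            if cmd != DEFAULT_EXEFILE_COMMAND:
                findings.append(Finding('exefile_hijack', m.group('key'), cmd))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(Finding('ads', m.group('host'),
                                    f"{m.group('stream')} ({m.group('size')} bytes)"))
            continue
        m = FILE_RE.match(line)
        if m:
            attr = m.group('attr')
            # Hidden + System together is only a triage signal, not proof of
            # malice; here it matched the random-named droppers in ProgramData.
            if 'H' in attr and 'S' in attr:
                findings.append(Finding('hidden_system_file', m.group('path'), attr))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'exefile_hijack': 2, 'ads': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == '__main__':
    for f in triage_otl(SAMPLE_OTL_LINES):
        extra = f" -> {hijacker_binary(f.detail)}" if f.kind == 'exefile_hijack' else ''
        print(f"{f.kind:20} {f.path}  [{f.detail}]{extra}")
```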
 
Yes. I am sorry for the delay. I did all the steps except ESET Online Scanner. I will run it now. :)
 
OTL

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C55BBCD6-41AD-48AD-9953-3609C48EACC7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\'' updated successfully.
File "C:\Windows\system32\config\systemprofile\AppData\Local\knp.exe" -a "%1" %* not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\shell\open\command\\|"%1" %* /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\AVG10\cfgall folder moved successfully.
C:\AVG10 folder moved successfully.
C:\ProgramData\7s2pe1q5j6f2k0cn2w6ndd0asw4fv7j73kk2gs86 moved successfully.
C:\Users\Nader\AppData\Local\7s2pe1q5j6f2k0cn2w6ndd0asw4fv7j73kk2gs86 moved successfully.
C:\ProgramData\2562034582 moved successfully.
C:\Users\Nader\AppData\Roaming\AVG10\cfgall folder moved successfully.
C:\Users\Nader\AppData\Roaming\AVG10 folder moved successfully.
C:\Users\Nader\AppData\Roaming\AVG9\cfgall folder moved successfully.
C:\Users\Nader\AppData\Roaming\AVG9 folder moved successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
Unable to delete ADS D:\Program Files\Common Files\microsoft sharedh452BqwAkc38Virok8CNEZ .
ADS D:\Program Files\Common Files\microsoft shared:OiggSqmLGjWPvIbcpHjYmKJ5jUA deleted successfully.
ADS C:\ProgramData\Microsoft:iKNP3W7pXupY60tGak deleted successfully.
ADS C:\ProgramData\Microsoft:sP6DlGvCY6WZUpwUSDX deleted successfully.
ADS C:\ProgramData\Microsoft:KorUr2LVku3POKIGi7LF0jhVxB deleted successfully.
ADS C:\ProgramData\Microsoft:CakalxSobwG50d8blSBD4or deleted successfully.
ADS C:\ProgramData\TEMP:430C6D84 deleted successfully.
ADS D:\Program Files\Common Files\microsoft shared:j65njlSI1R8g4i6s3iAEenVbA deleted successfully.
ADS C:\ProgramData\Microsoft:gbvCqLZkLJr1PrIEDZGsxqtY4s deleted successfully.
ADS C:\ProgramData\TEMP:A8ADE5D8 deleted successfully.
ADS C:\ProgramData\TEMP:D74B6CF5 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Classic .NET AppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Nader
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 866912 bytes
->Java cache emptied: 110301 bytes
->FireFox cache emptied: 215757632 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 8183 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 207.00 mb


[EMPTYFLASH]

User: All Users

User: Classic .NET AppPool

User: Default

User: Default User

User: Nader
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04142011_214537

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
SecurityCheck

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Virus TI Software Suite
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:

Spyware Doctor 8.0
Java(TM) 6 Update 24
Java 3D 1.5.1
Out of date Java installed!
Adobe Flash Player 10.2.153.1
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
ESET ESET Online Scanner OnlineScannerApp.exe
ESET ESET Online Scanner OnlineCmdLineScanner.exe
``````````End of Log````````````
 
Still running

OK, Java 3D is removed. ESET is still running. It will probably run all night. I have a looot of files. :)
 
Eset

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\4f9f18cd-6a05b12f a variant of Win32/Kryptik.MFO trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\4811cb02-21e42a3d a variant of Win32/Injector.FQG trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\68308ed9-7e9d1c2a multiple threats
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\4d89e41a-22bdeed4 a variant of Win32/Kryptik.MLA trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\a985b43-191bbe4d a variant of Win32/Injector.FQG trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\3c9b96df-355dce62 Win32/Adware.SafetyAntiSpyware.A application
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\751a0764-62eef325 a variant of Win32/Kryptik.MFO trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\542ee56c-49ee984a multiple threats
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\27902aba-1ba7639f a variant of Win32/Injector.FQG trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\197cf447-5cd787b0 a variant of Win32/Injector.FQG trojan
E:\Documents and Settings\Nader\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-72f6eee6 multiple threats
E:\Documents and Settings\Nader\Local Settings\Temp\frs!syr2_final.zip probably a variant of Win32/Agent.KBRAVYV trojan
E:\Documents and Settings\Nader\My Documents\NaderChehab3\My Programs\Sash.zip probably unknown NewHeur_PE virus
E:\Documents and Settings\Nader\My Documents\Programming\My C# Projects\nader.ubermetal.zip probably unknown NewHeur_PE virus
E:\Documents and Settings\Nader\My Documents\Programming\My C# Projects\nader.ubermetal\nader.ubermetal.com\programming\cpp\sash.zip probably unknown NewHeur_PE virus
E:\Program Files\Unlocker\eBay_shortcuts_1016.exe Win32/Adware.ADON application
E:\WINDOWS\system32\auelalwj.dll a variant of Win32/Kryptik.OF trojan
E:\WINDOWS\system32\bmwjef.dll a variant of Win32/Kryptik.OF trojan
E:\WINDOWS\system32\DfehkUtv.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\DfehkUtv.ini2 Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\dgtkvnfb.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\eKTvCfhk.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\eKTvCfhk.ini2 Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\emigabws.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\epqvdced.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\gxmcanob.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\gyovixgm.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\kdthost.exe probably a variant of Win32/IRCBot.KWKUUBZ trojan
E:\WINDOWS\system32\KnqYxyxx.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\KnqYxyxx.ini2 Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\lwsdtkbc.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\mlkauqfj.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\oWvFeMoq.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\oWvFeMoq.ini2 Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\rxwvyhyi.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\ssbdohet.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\tmhqytbh.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\viqvfcyv.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\vuCIRqss.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\vuCIRqss.ini2 Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\xfpehwmw.ini Win32/Adware.Virtumonde.NEO application
E:\WINDOWS\system32\xxyxYqnK.dll.vir Win32/Adware.Virtumonde.FP application
E:\WINDOWS\system32\ybjgbrgb.ini Win32/Adware.Virtumonde.NEO application
K:\Backup\My Documents\My Dropbox\Programs\eac-0.99pb4.exe a variant of Win32/Adware.ADON application
K:\Backup\My Documents\NaderChehab3\My Programs\Sash.zip probably unknown NewHeur_PE virus
K:\Backup\My Documents\Programming\My C# Projects\nader.ubermetal.zip probably unknown NewHeur_PE virus
K:\Backup\My Documents\Programming\My C# Projects\nader.ubermetal\nader.ubermetal.com\programming\cpp\sash.zip probably unknown NewHeur_PE virus
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\4f9f18cd-6a05b12f 
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\4811cb02-21e42a3d 
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\68308ed9-7e9d1c2a 
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\4d89e41a-22bdeed4 
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\a985b43-191bbe4d 
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\3c9b96df-355dce62 
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\751a0764-62eef325 
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\542ee56c-49ee984a 
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\27902aba-1ba7639f 
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\197cf447-5cd787b0
    E:\Documents and Settings\Nader\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-72f6eee6 
    E:\Documents and Settings\Nader\Local Settings\Temp\frs!syr2_final.zip 
    E:\Documents and Settings\Nader\My Documents\NaderChehab3\My Programs\Sash.zip
    E:\Documents and Settings\Nader\My Documents\Programming\My C# Projects\nader.ubermetal.zip
    E:\Documents and Settings\Nader\My Documents\Programming\My C# Projects\nader.ubermetal\nader.ubermetal.com\programming\cpp\sash.zip 
    E:\Program Files\Unlocker\eBay_shortcuts_1016.exe
    E:\WINDOWS
    K:\Backup\My Documents\My Dropbox\Programs\eac-0.99pb4.exe 
    K:\Backup\My Documents\NaderChehab3\My Programs\Sash.zip 
    K:\Backup\My Documents\Programming\My C# Projects\nader.ubermetal.zip 
    K:\Backup\My Documents\Programming\My C# Projects\nader.ubermetal\nader.ubermetal.com\programming\cpp\sash.zip 
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

=====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL, as this step will require a reboot.
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
 
Otl1

Here's the first OTL result. I ran the first step twice by mistake; that's probably why it says files not found.

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\4f9f18cd-6a05b12f not found.
File\Folder C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\4811cb02-21e42a3d not found.
File\Folder C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\68308ed9-7e9d1c2a not found.
File\Folder C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\4d89e41a-22bdeed4 not found.
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\a985b43-191bbe4d scheduled to be moved on reboot.
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\3c9b96df-355dce62 scheduled to be moved on reboot.
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\751a0764-62eef325 scheduled to be moved on reboot.
File\Folder C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\542ee56c-49ee984a not found.
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\27902aba-1ba7639f scheduled to be moved on reboot.
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\197cf447-5cd787b0 scheduled to be moved on reboot.
File\Folder E:\Documents and Settings\Nader\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-72f6eee6 not found.
File\Folder E:\Documents and Settings\Nader\Local Settings\Temp\frs!syr2_final.zip not found.
File\Folder E:\Documents and Settings\Nader\My Documents\NaderChehab3\My Programs\Sash.zip p not found.
File\Folder E:\Documents and Settings\Nader\My Documents\Programming\My C# Projects\nader.ubermetal.zip not found.
File\Folder E:\Documents and Settings\Nader\My Documents\Programming\My C# Projects\nader.ubermetal\nader.ubermetal.com\programming\cpp\sash.zip not found.
File\Folder E:\Program Files\Unlocker\eBay_shortcuts_1016.exe not found.
Item E:\WINDOWS is whitelisted and cannot be moved.
K:\Backup\My Documents\My Dropbox\Programs\eac-0.99pb4.exe moved successfully.
File\Folder K:\Backup\My Documents\NaderChehab3\My Programs\Sash.zip not found.
K:\Backup\My Documents\Programming\My C# Projects\nader.ubermetal.zip moved successfully.
File\Folder K:\Backup\My Documents\Programming\My C# Projects\nader.ubermetal\nader.ubermetal.com\programming\cpp\sash.zip not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Classic .NET AppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Nader
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 774138 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 120261046 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 4752 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 2681316 bytes

Total Files Cleaned = 118.00 mb


[EMPTYFLASH]

User: All Users

User: Classic .NET AppPool

User: Default

User: Default User

User: Nader
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04232011_120841

Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\a985b43-191bbe4d scheduled to be moved on reboot.
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\3c9b96df-355dce62 scheduled to be moved on reboot.
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\751a0764-62eef325 scheduled to be moved on reboot.
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\27902aba-1ba7639f scheduled to be moved on reboot.
File move failed. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\197cf447-5cd787b0 scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
OTL 2

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Classic .NET AppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Nader
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 28489843 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 999 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 27.00 mb


[EMPTYFLASH]

User: All Users

User: Classic .NET AppPool

User: Default

User: Default User

User: Nader
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.22.3 log created on 04232011_131137

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...