
Recycler virus, maybe more?



#1 praxidice
Hello,

I followed the steps in the Malware Removal Guide, and no viruses were found when I ran Avira. However, I can see "RECYCLER" and "System Volume Information" and some other associated folders (notable for being "hidden", or light-colored) in both my hard drives.

I had this virus before from a USB stick, and thought I had removed it by scanning the USB stick -- Avira caught it then.

My computer is slowing down more and more. First it was slow to start, now programs take ages to open, and the internet has stopped working intermittently (the connection is fine, others can use it). I had difficulty downloading some of the programs in the Guide. Usually my system runs smoothly and quickly.

Avira took 13 hours and change to run, and that has never happened before.

Here are my logs. Thanks!

MBAM
________________________
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4064

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/05/2010 22:34:37
mbam-log-2010-05-04 (22-34-37).txt

Scan type: Quick scan
Objects scanned: 130757
Time elapsed: 1 hour(s), 45 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

__________________________
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 03:00:22
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADRIEN~1\LOCALS~1\Temp\uwtdapob.sys


---- System - GMER 1.0.15 ----

SSDT F7C10456 ZwCreateKey
SSDT F7C1044C ZwCreateThread
SSDT F7C1045B ZwDeleteKey
SSDT F7C10465 ZwDeleteValueKey
SSDT F7C1046A ZwLoadKey
SSDT F7C10438 ZwOpenProcess
SSDT F7C1043D ZwOpenThread
SSDT F7C10474 ZwReplaceKey
SSDT F7C1046F ZwRestoreKey
SSDT F7C10460 ZwSetValueKey
SSDT F7C10447 ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[176] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3392] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\usbuhci \Device\USBPDO-0 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbuhci \Device\USBPDO-1 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbuhci \Device\USBPDO-2 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbehci \Device\USBPDO-3 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0001 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbuhci \Device\USBPDO-4 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0002 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbhub \Device\USBPDO-5 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0003 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0010 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0004 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0011 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0005 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0006 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\IntelIde \Device\Ide\PciIde0Channel0-0 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0014 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0007 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbhub \Device\00000081 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0016 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbhub \Device\00000082 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbhub \Device\00000083 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbhub \Device\00000084 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbhub \Device\00000085 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbuhci \Device\USBFDO-1 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbuhci \Device\USBFDO-2 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBFDO-3 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)
Device \Driver\usbehci \Device\USBFDO-4 Achernar.sys (Achernar.sys/NewSoft Technology Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 155997
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9DDAA0A6-A7EE-4C56-BB44-0CA1D71AB968}@DhcpRetryTime 314
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore@Count 29264

---- EOF - GMER 1.0.15 ----
----------------------------
OTL

OTL logfile created on: 06/05/2010 04:11:50 - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Downloads\Software
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 273.00 Mb Available Physical Memory | 27.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 10.31 Gb Free Space | 18.44% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 149.05 Gb Total Space | 47.40 Gb Free Space | 31.80% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PCFRED
Current User Name: XXX
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/06 03:58:43 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Downloads\Software\OTL(1).exe
PRC - [2010/04/07 03:44:14 | 000,247,856 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe
PRC - [2010/04/02 23:33:31 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/01 08:24:08 | 000,194,608 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
PRC - [2010/03/27 03:07:02 | 000,331,824 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
PRC - [2009/10/20 18:34:46 | 009,258,440 | ---- | M] (Foxit Software) -- C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
PRC - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/01/31 03:45:14 | 003,399,727 | ---- | M] (FreeDownloadManager.ORG) -- C:\Program Files\Free Download Manager\fdm.exe
PRC - [2008/08/04 23:22:18 | 000,164,896 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2008/04/14 18:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/08/29 19:05:35 | 000,360,448 | ---- | M] () -- C:\Program Files\SpywareGuard\sgmain.exe
PRC - [2003/08/29 11:14:56 | 000,233,472 | ---- | M] () -- C:\Program Files\SpywareGuard\sgbhp.exe


========== Modules (SafeList) ==========

MOD - [2010/05/06 03:58:43 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Downloads\Software\OTL(1).exe
MOD - [2008/04/14 18:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/07 03:44:46 | 000,057,640 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Hotspot Shield\bin\HssTrayService.exe -- (HssTrayService)
SRV - [2010/04/07 03:44:14 | 000,247,856 | ---- | M] () [Auto | Start_Pending] -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe -- (HotspotShieldService)
SRV - [2010/04/01 08:24:08 | 000,194,608 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2010/03/27 03:07:02 | 000,331,824 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe -- (HssSrv)
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2008/08/04 23:22:18 | 000,164,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2007/03/11 20:24:50 | 000,217,088 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)


========== Driver Services (SafeList) ==========

DRV - [2010/04/28 17:20:52 | 000,229,208 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
DRV - [2009/12/08 19:51:13 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/11/20 15:26:50 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2009/11/13 05:42:16 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2009/05/11 10:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 10:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/03/25 06:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2009/02/13 12:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/08/04 23:22:20 | 001,964,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX3000.sys -- (VX3000)
DRV - [2008/04/14 07:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/09/15 09:09:44 | 000,213,696 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/07/26 07:44:28 | 002,210,048 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2007/06/05 09:56:40 | 000,044,928 | ---- | M] (Panda Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SDTHOOK.SYS -- (SDTHOOK)
DRV - [2007/02/05 11:15:26 | 000,018,432 | ---- | M] (NewSoft Technology Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\Achernar.sys -- (Achernar)
DRV - [2007/01/29 06:20:34 | 000,059,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2006/10/26 16:48:38 | 000,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tapvpn.sys -- (tapvpn)
DRV - [2006/03/22 06:41:30 | 000,349,696 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2006/03/22 06:40:46 | 000,038,144 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2006/03/19 01:14:49 | 000,028,672 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CO_Mon.sys -- (CO_Mon)
DRV - [2005/05/09 20:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cledx.sys -- (CLEDX)
DRV - [2005/02/25 22:34:14 | 000,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/02/11 08:52:36 | 000,157,056 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2004/12/15 06:18:34 | 000,207,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/12/15 06:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 06:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/04/14 22:36:50 | 000,007,432 | ---- | M] (Hewlett-Packard Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2003/06/07 02:46:16 | 000,005,220 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2001/08/18 03:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2001/08/17 23:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://www.google.c...t&ltmplcache=2"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: [email protected]:0.11
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.74
FF - prefs.js..extensions.enabledItems: [email protected]:1.5.3
FF - prefs.js..extensions.enabledItems: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9}:2.6.3
FF - prefs.js..extensions.enabledItems: [email protected]:2.3.3
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.21
FF - prefs.js..extensions.enabledItems: [email protected]:1.3.4
FF - prefs.js..network.proxy.socks_version: 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/20 23:32:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/20 23:32:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2009/10/09 18:12:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Mozilla\Extensions
[2009/10/09 18:12:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Mozilla\Extensions\[email protected]
[2010/05/05 12:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions
[2010/04/11 19:28:23 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/04/28 00:07:57 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/07 17:54:20 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/05/03 13:26:30 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/06/04 21:00:10 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010/03/13 22:42:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2010/05/01 10:03:01 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/05/03 13:26:20 | 000,000,000 | ---D | M] (Redirect Remover) -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
[2009/10/01 10:07:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\[email protected]
[2010/04/13 21:02:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\[email protected]
[2010/03/07 15:08:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\[email protected]
[2008/08/03 11:52:47 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\searchplugins\wikipedia.xml
[2010/05/05 12:48:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/02/05 06:02:56 | 001,642,496 | ---- | M] (LizardTech) -- C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
[2008/11/25 05:49:33 | 000,056,576 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2007/03/09 12:30:04 | 000,155,776 | ---- | M] (INITECH ©) -- C:\Program Files\Mozilla Firefox\plugins\npINISAFEWeb60.dll
[2006/06/05 06:12:13 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll

O1 HOSTS File: ([2010/04/24 14:41:56 | 000,001,095 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 66.207.162.66 freedur.com
O1 - Hosts: 66.207.162.66 www.freedur.com
O1 - Hosts: 66.207.162.66 freedur.net
O1 - Hosts: 66.207.162.66 www.freedur.net
O1 - Hosts: 66.207.162.66 freedur.org
O1 - Hosts: 66.207.162.66 www.freedur.org
O1 - Hosts: 109.123.89.16 www.skydur.com
O1 - Hosts: 109.123.89.16 skydur.com
O1 - Hosts: 109.123.89.16 secure.skydur.com
O1 - Hosts: 109.123.89.16 www.skydurvpn.com
O1 - Hosts: 109.123.89.16 skydurvpn.com
O1 - Hosts: 109.123.89.16 secure.skydurvpn.com
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll (AnchorFree Inc.)
O3 - HKLM\..\Toolbar: (ToggleEN Toolbar) - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\XXX\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - Startup: C:\Documents and Settings\XXX\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleNetIDList = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {81559C35-8464-49F7-BB0E-07A383BEF910} - C:\Program Files\SpywareGuard\spywareguard.dll ()
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{139ac085-315e-11df-8722-0016361457a9}\Shell\AutoRun\command - "" = E:\Launch.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/08/08 18:00:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 90 Days ==========

[2010/04/28 02:02:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXX\My Documents\My Virtual Machines
[2010/04/28 01:52:34 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Virtual PC
[2010/04/24 22:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXX\Application Data\dvdcss
[2010/04/24 22:33:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXX\Application Data\vlc
[2010/04/24 10:59:29 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2010/04/24 10:56:42 | 000,000,000 | ---D | C] -- C:\Program Files\ToggleEN
[2010/04/23 19:02:55 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/04/22 11:34:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXX\My Documents\Presto! VideoWorks
[2010/04/22 11:34:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\NewSoft
[2010/04/21 20:34:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2010/04/20 23:26:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/04/11 19:35:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXX\My Documents\FlashGot
[2010/04/11 19:33:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXX\Application Data\Free Download Manager
[2010/04/11 19:32:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
[2010/04/11 19:32:32 | 000,000,000 | ---D | C] -- C:\Program Files\Free Download Manager
[2010/04/11 19:15:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXX\Application Data\iPodder
[2010/04/11 19:15:00 | 000,000,000 | ---D | C] -- C:\Program Files\Juice
[2010/04/10 04:09:58 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/07 18:13:30 | 000,000,000 | ---D | C] -- C:\Program Files\Kap.SATr
[2010/04/06 13:31:39 | 000,000,000 | ---D | C] -- C:\Program Files\AdvancedDVDPlayerPro
[2010/04/06 13:23:29 | 000,000,000 | ---D | C] -- C:\Program Files\Easy DVD Player
[2010/03/19 22:22:37 | 000,086,016 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise32.exe
[2010/03/19 22:22:09 | 000,000,000 | ---D | C] -- C:\Longman iBT Prep 2.0
[2010/03/15 22:26:20 | 000,000,000 | ---D | C] -- C:\Program Files\ETS
[2010/03/15 17:26:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macromedia
[2010/03/15 17:26:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\A3W_DATA
[2010/03/15 16:59:38 | 000,000,000 | ---D | C] -- C:\ETS
[2010/03/11 18:10:26 | 000,000,000 | ---D | C] -- C:\Program Files\ESL Pro Systems
[2010/03/10 14:39:48 | 000,098,304 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/03/04 09:30:33 | 000,000,000 | ---D | C] -- C:\Hotspot Shield
[2010/03/03 21:04:54 | 000,000,000 | ---D | C] -- C:\Program Files\Longman Intro
[2010/03/02 21:56:37 | 000,000,000 | ---D | C] -- C:\Ptoeflibt_4e_CDrom
[2010/02/24 10:41:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop
[2010/02/12 23:36:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/02/12 23:30:05 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/02/11 23:58:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\XXX\Corel
[2010/02/11 23:52:51 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/02/11 23:52:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple

========== Files - Modified Within 90 Days ==========

[2010/05/04 22:41:30 | 000,000,052 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/04 20:51:52 | 000,001,053 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\magicJack.lnk
[2010/05/04 20:24:54 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/04 16:47:04 | 010,223,616 | ---- | M] () -- C:\Documents and Settings\XXX\ntuser.dat
[2010/05/04 16:47:04 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\XXX\ntuser.ini
[2010/05/04 10:40:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/04 10:40:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/04 10:40:06 | 1063,768,064 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/04 09:00:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job
[2010/05/03 23:20:52 | 000,000,607 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\NTREGOPT.lnk
[2010/05/03 23:20:51 | 000,000,594 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\ERUNT.lnk
[2010/05/01 18:31:56 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\XXX\PUTTY.RND
[2010/04/30 22:40:35 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/30 16:00:22 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\grace.doc
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 20:02:47 | 000,464,412 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/28 20:02:47 | 000,079,232 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/28 20:02:46 | 000,550,988 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/28 18:06:44 | 000,011,654 | ---- | M] () -- C:\OpenVPN-AS_1.3.5.vhd.vmc
[2010/04/28 02:11:45 | 000,000,527 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\Books.lnk
[2010/04/28 01:36:36 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/28 01:36:36 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/27 21:34:34 | 000,126,084 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\wf rewards charge.pdf
[2010/04/27 13:15:56 | 000,000,288 | ---- | M] () -- C:\WINDOWS\Aware35.mch
[2010/04/27 10:18:59 | 000,000,455 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\Shortcut to IB.lnk
[2010/04/27 09:24:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\FOXIT_PDF
[2010/04/27 09:24:28 | 000,076,705 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\flowers.pdf
[2010/04/25 22:49:32 | 000,080,584 | ---- | M] () -- C:\Documents and Settings\XXX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/24 19:10:48 | 000,345,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/24 14:41:56 | 000,001,095 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/24 12:14:13 | 000,005,798 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/04/24 12:13:46 | 000,000,088 | RHS- | M] () -- C:\Documents and Settings\All Users\Application Data\7656562C9F.sys
[2010/04/23 19:02:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/23 14:57:29 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\Eunice.doc
[2010/04/22 22:58:17 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\XXX\My Documents\Important Stuff.xls
[2010/04/22 10:29:16 | 000,119,296 | ---- | M] () -- C:\Documents and Settings\XXX\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/14 18:29:42 | 000,158,142 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\citi privacy.PDF
[2010/04/01 10:54:26 | 000,000,235 | ---- | M] () -- C:\WINDOWS\QTW.INI
[2010/03/25 18:25:50 | 000,435,200 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\U995.exe
[2010/03/22 22:01:57 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\XXX\My Documents\Established band needs drums.doc
[2010/03/21 20:45:50 | 000,082,048 | ---- | M] () -- C:\Documents and Settings\XXX\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/15 17:00:42 | 000,000,045 | ---- | M] () -- C:\WINDOWS\OSA.INI
[2010/03/14 21:20:35 | 000,000,503 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\Jehosaphat Blow.lnk
[2010/03/11 13:06:36 | 004,294,028 | -H-- | M] () -- C:\Documents and Settings\XXX\Local Settings\Application Data\IconCache.db
[2010/03/10 14:39:48 | 000,098,304 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/03/08 21:55:15 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\XXX\Desktop\Contesta Rock Har.doc
[2010/03/06 13:05:36 | 969,126,912 | ---- | M] () -- C:\OpenVPN-AS_1.3.5.vhd
[2010/03/02 20:51:22 | 000,042,149 | ---- | M] () -- C:\Documents and Settings\XXX\index.html
[2010/02/14 16:48:55 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\XXX\My Documents\[bleep].doc
[2010/02/12 23:09:55 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/02/12 23:09:55 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/02/12 00:09:17 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\cd.dat
[2010/02/11 23:38:23 | 000,000,014 | ---- | M] () -- C:\WINDOWS\System32\systeminfo.dll

========== Files Created - No Company Name ==========

[2010/05/05 21:34:57 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\gmer.exe
[2010/05/03 23:20:52 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\NTREGOPT.lnk
[2010/05/03 23:20:51 | 000,000,594 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\ERUNT.lnk
[2010/04/29 15:28:18 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\grace.doc
[2010/04/28 17:46:28 | 000,011,654 | ---- | C] () -- C:\OpenVPN-AS_1.3.5.vhd.vmc
[2010/04/28 03:41:15 | 969,126,912 | ---- | C] () -- C:\OpenVPN-AS_1.3.5.vhd
[2010/04/27 21:35:32 | 000,126,084 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\wf rewards charge.pdf
[2010/04/27 10:18:59 | 000,000,455 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\Shortcut to IB.lnk
[2010/04/27 09:24:27 | 000,076,705 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\flowers.pdf
[2010/04/23 14:32:48 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\Eunice.doc
[2010/04/14 18:30:20 | 000,158,142 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\citi privacy.PDF
[2010/03/25 18:25:50 | 000,435,200 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\U995.exe
[2010/03/24 15:36:00 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\XXX\PUTTY.RND
[2010/03/22 22:01:57 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\XXX\My Documents\Established band needs drums.doc
[2010/03/15 17:30:42 | 000,000,288 | ---- | C] () -- C:\WINDOWS\Aware35.mch
[2010/03/15 17:00:42 | 000,000,045 | ---- | C] () -- C:\WINDOWS\OSA.INI
[2010/03/15 17:00:41 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System\STORAGE.DLL
[2010/03/15 17:00:41 | 000,027,026 | ---- | C] () -- C:\WINDOWS\System\OLE2.REG
[2010/03/14 21:20:35 | 000,000,503 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\Jehosaphat Blow.lnk
[2010/03/08 21:55:02 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\XXX\Desktop\Contesta Rock Har.doc
[2010/03/02 21:01:16 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\XXX\index.html.1
[2010/03/02 20:51:21 | 000,042,149 | ---- | C] () -- C:\Documents and Settings\XXX\index.html
[2010/02/14 16:48:54 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\XXX\My Documents\[bleep].doc
[2010/02/12 00:09:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\cd.dat
[2010/02/11 23:58:41 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\7656562C9F.sys
[2010/02/11 23:53:00 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/11 23:38:23 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo.dll
[2009/11/27 13:11:17 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/09/20 19:50:06 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Nsvideo.dll
[2009/08/23 15:51:23 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\Crypto.dll
[2009/06/05 22:01:23 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/05/23 15:35:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\muveeapp.INI
[2009/05/04 13:31:25 | 000,000,145 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2009/04/16 20:05:04 | 000,905,290 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2009/01/01 21:11:33 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
[2008/12/26 19:57:09 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\securenet.dll
[2008/08/26 17:49:29 | 000,003,953 | R--- | C] () -- C:\WINDOWS\System32\coinst.dll
[2008/08/26 17:49:28 | 000,015,576 | R--- | C] () -- C:\WINDOWS\System32\drivers\usbbc.sys
[2008/08/26 17:46:40 | 000,000,075 | ---- | C] () -- C:\WINDOWS\USBBC.ini
[2008/08/26 17:46:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MDI.INI
[2008/07/21 23:14:10 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/02/05 01:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/09/27 17:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 17:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 17:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/06/20 22:03:43 | 000,000,127 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/03/27 09:45:22 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[2006/08/01 05:56:25 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2006/08/01 05:56:25 | 000,027,648 | ---- | C] () -- C:\WINDOWS\PFPICK.DLL
[2006/08/01 05:56:12 | 000,000,123 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2006/08/01 05:54:20 | 000,000,235 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2006/05/25 01:44:48 | 000,011,740 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/03/19 00:46:18 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\CO_Mon.sys
[2006/02/22 03:04:38 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/08 19:53:43 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/08/08 19:53:43 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/08/08 19:53:43 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/08/08 19:53:43 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/08/08 19:53:43 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/08/08 19:53:43 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/02/12 16:33:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/07 21:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 21:10:08 | 000,000,883 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/10/07 02:42:57 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/10/05 07:04:25 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2002/10/05 07:04:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/10/05 07:04:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[1999/01/23 02:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2009/06/16 22:19:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\BitDefender
[2009/10/01 10:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\CCTV
[2009/10/09 18:12:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Flickr
[2008/11/25 05:49:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Foxit
[2010/05/06 04:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Free Download Manager
[2008/02/11 04:11:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\FrostWire
[2007/05/11 02:50:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\InterVideo
[2010/04/11 19:15:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\iPodder
[2006/04/05 23:16:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Leadertech
[2008/02/11 11:06:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\LimeWire
[2010/05/04 20:52:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\mjusbsp
[2009/01/03 21:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\OfficeUpdate12
[2008/11/21 21:17:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\OpenOffice.org
[2010/04/22 09:46:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\PPStream
[2007/12/28 12:25:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\RegClean
[2009/04/16 20:16:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Steinberg
[2009/09/17 18:25:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Tencent
[2007/12/25 03:53:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Uniblue
[2008/11/01 18:26:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\uTorrent
[2008/12/29 20:00:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Windows Desktop Search
[2008/12/30 18:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\XXX\Application Data\Windows Search
[2009/06/16 23:35:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2009/10/01 10:11:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CCTV
[2009/05/08 17:07:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/11 19:32:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
[2009/01/01 01:25:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Graboid Inc
[2008/08/04 22:18:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2009/01/11 06:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Launcher
[2007/10/06 00:55:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2005/08/08 20:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2009/07/20 22:48:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/09/20 12:28:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Newsoft
[2009/08/27 17:58:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2008/11/02 23:56:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Soulseek
[2010/05/04 09:00:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/04/14 16:44:52 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/04/28 01:36:36 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/02/11 23:40:28 | 000,000,000 | ---- | M] () -- C:\dxva.log
[2010/05/04 10:40:06 | 1063,768,064 | -HS- | M] () -- C:\hiberfil.sys
[2006/04/27 17:20:21 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/04 16:58:48 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2006/04/27 17:20:21 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 16:00:00 | 000,047,564 | RHS- | M] () -- C:\ntdetect.com
[2008/08/03 13:45:41 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/03/06 13:05:36 | 969,126,912 | ---- | M] () -- C:\OpenVPN-AS_1.3.5.vhd
[2010/04/28 18:06:44 | 000,011,654 | ---- | M] () -- C:\OpenVPN-AS_1.3.5.vhd.vmc
[2010/05/04 10:39:49 | 1195,376,640 | -HS- | M] () -- C:\pagefile.sys
[2010/02/11 23:40:28 | 000,000,000 | ---- | M] () -- C:\VO.log

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/07 13:45:26 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/07 13:45:26 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/07 13:45:26 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 21:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/02/11 20:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
[2010/04/28 17:20:52 | 000,229,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\VMM.sys
< End of report >
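The "Files Created - No Company Name" block in the OTL log above is where a responder looks first: code files under System32 that carry no version information and are implausibly small. One such entry there is systeminfo.dll at 14 bytes. A real PE image begins with a 64-byte DOS header followed by PE headers and at least one section, so a 14-byte "DLL" cannot be executable code and warrants a manual look (the ComboFix log later in the thread shows that file among its deletions). The script below is an added example, not part of the original post and not part of OTL; it parses OTL's line format and applies that one size rule. The 1 KiB threshold is an assumption chosen to be conservative, and the sample lines are copied from the log above.

```python
import re
from typing import Dict, List, Optional

# One OTL file/directory line looks like:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
# Directory lines carry no "(Company)" group at all; files without version
# information carry an empty "()".
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"
CODE_EXT = (".dll", ".exe", ".sys", ".ocx", ".drv")
# A PE image starts with a 64-byte DOS header followed by the PE headers and
# at least one section, so a "DLL" of a few dozen bytes cannot be real code.
# 1 KiB is an assumed, deliberately conservative triage threshold.
MIN_PLAUSIBLE_PE = 1024

# Sample input: lines copied from the OTL output in the post above.
SAMPLE_LINES = [
    r"[2010/02/11 23:38:23 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo.dll",
    r"[2010/02/12 00:09:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\cd.dat",
    r"[2007/03/27 09:45:22 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll",
    r"[2008/08/26 17:49:29 | 000,003,953 | R--- | C] () -- C:\WINDOWS\System32\coinst.dll",
    r"[2010/03/10 14:39:48 | 000,098,304 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll",
    r"[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys",
    r"[2010/04/06 13:31:39 | 000,000,000 | ---D | C] -- C:\Program Files\AdvancedDVDPlayerPro",
    r"[2010/05/04 10:40:06 | 1063,768,064 | -HS- | M] () -- C:\hiberfil.sys",
    r"[2010/02/11 23:58:41 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\7656562C9F.sys",
]


def parse_otl_line(line: str) -> Optional[Dict]:
    """Parse one OTL line into a dict, or return None for lines in another format."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))   # "1063,768,064" -> 1063768064
    rec["is_dir"] = "D" in rec["attrs"]
    rec["company"] = rec["company"] or ""
    return rec


def triage(lines: List[str]) -> List[Dict]:
    """Flag code files under System32 that are too small to be a valid PE image."""
    hits = []
    for line in lines:
        rec = parse_otl_line(line)
        if rec is None or rec["is_dir"]:
            continue
        path = rec["path"].lower()
        if not (path.startswith(SYSTEM32) and path.endswith(CODE_EXT)):
            continue
        if rec["size"] < MIN_PLAUSIBLE_PE:
            reason = "%d bytes, too small for a PE image" % rec["size"]
            if not rec["company"]:
                reason += "; no company/version info"
            hits.append({"path": rec["path"], "size": rec["size"], "reason": reason})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LINES):
        print(h["path"], "-", h["reason"])
```

The rule is deliberately narrow: it does not fire on the 88-byte RHS-attributed .sys file under All Users\Application Data, because small licensing or marker files outside System32 are common and need context rather than a size test. Run it over a full OTL log (one line per list entry) to get a short list of files to hash and look up by hand.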



#2 RKinner, Malware Expert (Expert, MVP, 24,624 posts)
Don't see anything. The folders you report are normal and they are supposed to have hidden, system attributes.

You can run combofix to be sure.

Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:



Ron
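RKinner's point above holds for Windows XP: RECYCLER (the per-volume Recycle Bin, with one SID-named subfolder per user) and System Volume Information are created by the OS with the hidden and system attributes set, so seeing them on both drives proves nothing by itself. The USB-borne autorun worms nicknamed after this folder hide their payload inside it and add an autorun.inf at the drive root whose open= or shellexecute= line points at that payload, so the useful check is not "is RECYCLER there" but "does RECYCLER hold an executable the Recycle Bin did not put there, and does autorun.inf reference it". The script below is an added example, not part of this thread or of any tool it mentions. It assumes the XP Recycle Bin's own file names (INFO2, desktop.ini and deleted files renamed D<drive letter><n>.<ext>, e.g. Dc1.exe) and takes the drive root to inspect as a hypothetical command-line argument; on Windows it also reports a RECYCLER folder that lacks the hidden+system attributes the real one carries.

```python
import os
import re
import stat
from typing import List

# autorun.inf keys that launch something when the drive is inserted or opened.
AUTORUN_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I
)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".dll")
# Files the XP Recycle Bin creates itself (assumption stated in the lead-in):
# INFO2, desktop.ini and the renamed deleted files D<drive><n>.<ext>, e.g. Dc1.exe
RECYCLE_OWN = re.compile(r"^(INFO2|desktop\.ini|D[a-z]\d+\..*)$", re.I)


def check_autorun(root: str) -> List[str]:
    """Report autorun.inf at the drive root and every launch directive it carries."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return findings
    findings.append(f"REVIEW: autorun.inf present at {inf}")
    # Worm-written autorun.inf files often contain junk lines to confuse INI
    # parsers, so scan line by line instead of using configparser.
    with open(inf, "r", errors="replace") as fh:
        for line in fh:
            m = AUTORUN_KEY.match(line)
            if m:
                key, target = m.group(1), m.group(2)
                sev = "HIGH" if "recycler" in target.lower() else "REVIEW"
                findings.append(f"{sev}: autorun.inf {key}={target}")
    return findings


def check_recycler(root: str) -> List[str]:
    """Report executables inside RECYCLER that the Recycle Bin did not create."""
    findings = []
    for name in os.listdir(root):
        if name.lower() != "recycler":
            continue
        rdir = os.path.join(root, name)
        attrs = getattr(os.stat(rdir), "st_file_attributes", None)  # Windows only
        hidden_system = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
        if attrs is not None and (attrs & hidden_system) != hidden_system:
            findings.append(f"REVIEW: {rdir} is not hidden+system as the real Recycle Bin folder is")
        for dirpath, _, files in os.walk(rdir):
            for f in files:
                if f.lower().endswith(EXEC_EXT) and not RECYCLE_OWN.match(f):
                    findings.append(f"HIGH: executable inside RECYCLER: {os.path.join(dirpath, f)}")
    return findings


def audit_drive_root(root: str) -> List[str]:
    """Combine both checks for one drive root; an empty list means nothing suspicious."""
    return check_autorun(root) + check_recycler(root)


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python audit_recycler.py E:\   (defaults to C:\)
    for finding in audit_drive_root(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(finding)
```

A clean XP volume yields at most an autorun.inf the user or a vendor put there and nothing under RECYCLER but INFO2, desktop.ini and D?n.* entries. Anything reported as HIGH should be hashed and submitted to a scanner before it is deleted, and the same check belongs on every USB stick that has touched the machine, since that is the path the worm uses to come back.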

#3 praxidice, Member (Topic Starter, 164 posts)
Hi there! Thanks for your reply. I am very curious as to what is going on with my system if it's not malware. Hmm...

Here's the ComboFix log. Thank you very much.

---------------
ComboFix 10-05-08.03 - XXX 09/05/2010 22:06:48.2.1 - x86
Running from: c:\documents and settings\XXX\Desktop\george.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\450534
c:\windows\system32\450534\51d1fb.txt
c:\windows\system32\450534\e0629d.txt
c:\windows\system32\systeminfo.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-04-28 09:20 . 2010-04-28 09:20 229208 ----a-w- c:\windows\system32\drivers\VMM.sys
2010-04-27 17:52 . 2010-04-27 17:53 -------- d-----w- c:\program files\Microsoft Virtual PC
2010-04-24 14:33 . 2010-05-01 16:55 -------- d-----w- c:\documents and settings\XXX\Application Data\dvdcss
2010-04-24 14:33 . 2010-05-07 05:38 -------- d-----w- c:\documents and settings\XXX\Application Data\vlc
2010-04-24 04:36 . 2010-04-24 04:44 -------- d-----w- c:\documents and settings\XXX\Application Data\dvdcss
2010-04-24 04:35 . 2010-04-24 11:55 -------- d-----w- c:\documents and settings\XXX\Application Data\vlc
2010-04-24 03:15 . 2010-04-24 03:15 -------- d-----w- c:\documents and settings\XXX\Application Data\Corel
2010-04-24 03:15 . 2010-04-24 03:15 -------- d-----w- c:\documents and settings\XXX\Corel
2010-04-24 02:59 . 2010-04-24 02:59 -------- d-----w- c:\documents and settings\XXX\Local Settings\Application Data\Conduit
2010-04-24 02:59 . 2010-04-24 02:59 -------- d-----w- c:\program files\Conduit
2010-04-24 02:57 . 2010-04-24 02:57 -------- d-----w- c:\documents and settings\XXX\Local Settings\Application Data\ToggleEN
2010-04-24 02:56 . 2010-04-24 02:59 -------- d-----w- c:\program files\ToggleEN
2010-04-23 11:02 . 2010-04-23 11:02 -------- d-----w- c:\program files\Microsoft
2010-04-21 12:34 . 2010-04-21 12:45 -------- d-----w- c:\windows\system32\Adobe
2010-04-20 15:26 . 2010-04-20 15:26 -------- d-----w- c:\program files\Common Files\Apple
2010-04-11 11:33 . 2010-05-09 13:49 -------- d-----w- c:\documents and settings\XXX\Application Data\Free Download Manager
2010-04-11 11:32 . 2010-04-11 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2010-04-11 11:32 . 2010-04-11 11:33 -------- d-----w- c:\program files\Free Download Manager
2010-04-11 11:15 . 2010-04-11 11:15 -------- d-----w- c:\documents and settings\XXX\Application Data\iPodder
2010-04-11 11:15 . 2010-04-12 10:19 -------- d-----w- c:\program files\Juice
2010-04-09 20:09 . 2010-04-20 15:31 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 12:52 . 2009-12-26 04:44 -------- d-----w- c:\documents and settings\XXX\Application Data\mjusbsp
2010-05-04 09:02 . 2007-05-29 04:07 -------- d-----w- c:\documents and settings\XXX\Application Data\GetRightToGo
2010-05-04 08:58 . 2008-08-03 03:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 15:38 . 2008-10-15 12:05 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-03 11:46 . 2009-02-16 19:47 -------- d-----w- c:\documents and settings\XXX\Application Data\Skype
2010-05-03 08:03 . 2009-02-16 19:49 -------- d-----w- c:\documents and settings\XXX\Application Data\skypePM
2010-04-29 07:39 . 2008-08-03 03:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2008-08-03 03:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 09:45 . 2010-04-27 18:01 165232 ---ha-w- c:\documents and settings\XXX\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2010-04-25 14:49 . 2006-05-03 09:20 80584 ----a-w- c:\documents and settings\XXX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-24 04:14 . 2009-12-10 10:33 5798 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-24 04:14 . 2009-12-10 10:33 5798 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-24 04:13 . 2010-02-11 15:58 88 --sh--r- c:\documents and settings\All Users\Application Data\7656562C9F.sys
2010-04-24 04:13 . 2010-02-11 15:58 88 --sh--r- c:\documents and settings\All Users\Application Data\7656562C9F.sys
2010-04-24 01:09 . 2006-04-22 11:29 82048 ----a-w- c:\documents and settings\XXX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-23 14:52 . 2009-01-26 06:13 -------- d-----w- c:\program files\JkDefrag-3.34
2010-04-22 01:46 . 2009-09-12 15:26 -------- d-----w- c:\documents and settings\XXX\Application Data\PPStream
2010-04-20 15:28 . 2005-08-08 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-17 18:47 . 2009-07-28 09:57 -------- d-----w- c:\program files\Hotspot Shield
2010-04-11 11:28 . 2010-04-11 11:28 181096 ----a-w- c:\documents and settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\FlashGot.exe
2010-04-11 11:03 . 2006-03-16 19:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 10:34 . 2010-04-06 05:31 -------- d-----w- c:\program files\AdvancedDVDPlayerPro
2010-04-11 10:34 . 2010-04-06 05:23 -------- d-----w- c:\program files\Easy DVD Player
2010-04-07 10:13 . 2010-04-07 10:13 -------- d-----w- c:\program files\Kap.SATr
2010-04-02 01:15 . 2010-04-02 01:15 2360784 ----a-w- c:\documents and settings\All Users\Application Data\CCTV\tv\Reli_CCTV.dll
2010-03-26 02:33 . 2010-04-07 09:54 1496064 ----a-w- c:\documents and settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 02:33 . 2010-04-07 09:54 43008 ----a-w- c:\documents and settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 02:33 . 2010-04-07 09:54 339456 ----a-w- c:\documents and settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 02:32 . 2010-04-07 09:54 346112 ----a-w- c:\documents and settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-15 14:26 . 2010-03-15 14:26 -------- d-----w- c:\program files\ETS
2010-03-15 09:26 . 2010-03-15 09:26 -------- d-----w- c:\program files\Common Files\Macromedia
2010-03-11 10:12 . 2010-03-11 10:10 -------- d-----w- c:\program files\ESL Pro Systems
2010-03-10 06:39 . 2010-03-10 06:39 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-10 06:15 . 2004-08-04 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-05-04 12:50 6870864 ---ha-w- c:\documents and settings\XXX\Application Data\mjusbsp\in00000\setup.exe
2010-02-26 23:51 . 2010-03-02 13:27 6870864 ---ha-w- c:\documents and settings\XXX\Application Data\mjusbsp\Upgrade\setup1.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-04-26 12:24 743872 ---ha-w- c:\documents and settings\XXX\Application Data\mjusbsp\ar00000\install.exe
2010-02-26 23:45 . 2010-03-02 13:27 743872 ---ha-w- c:\documents and settings\XXX\Application Data\mjusbsp\Upgrade\install1.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\cdloader2.exe
2010-02-25 06:24 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 03:10 . 2008-11-21 13:18 1 ----a-w- c:\documents and settings\XXX\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-22 03:07 . 2010-02-22 03:07 568832 ----a-w- c:\documents and settings\XXX\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\89.tmp_\sun-pdfimport.oxt\msvcp90.dll
2010-02-22 03:07 . 2010-02-22 03:07 686080 ----a-w- c:\documents and settings\XXX\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\89.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2010-02-22 03:07 . 2010-02-22 03:07 655872 ----a-w- c:\documents and settings\XXX\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\89.tmp_\sun-pdfimport.oxt\msvcr90.dll
2010-02-22 03:07 . 2010-02-22 03:07 583168 ----a-w- c:\documents and settings\XXX\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\89.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2010-02-22 03:07 . 2010-02-22 03:07 224768 ----a-w- c:\documents and settings\XXX\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\89.tmp_\sun-pdfimport.oxt\msvcm90.dll
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 01:10 . 2004-08-04 08:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 08:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 08:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 16:09 . 2010-02-11 16:09 0 ----a-w- c:\windows\system32\cd.dat
2010-02-11 12:02 . 2004-08-04 08:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-08-03 03:47 . 2008-08-03 03:47 50688 ----a-w- c:\program files\ATF_Cleaner.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2010-04-17 18:46 220208 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTogg.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\XXX\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\XXX\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleNetIDList"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^XXX^Start Menu^Programs^Startup^Shortcut to Broadband Connection.lnk]
path=c:\documents and settings\XXX\Start Menu\Programs\Startup\Shortcut to Broadband Connection.lnk
backup=c:\windows\pss\Shortcut to Broadband Connection.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KSI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KSI.lnk
backup=c:\windows\pss\KSI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to Broadband Connection.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to Broadband Connection.lnk
backup=c:\windows\pss\Shortcut to Broadband Connection.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^XXX^Start Menu^Programs^Startup^C4A68A.lnk]
path=c:\documents and settings\XXX\Start Menu\Programs\Startup\C4A68A.lnk
backup=c:\windows\pss\C4A68A.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-02-26 23:43 50520 ----a-w- c:\documents and settings\XXX\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2004-11-05 20:52 233534 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2004-12-03 20:24 290816 ----a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-22 16:00 385024 ----a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-01-21 20:40 790528 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-07-19 01:06 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-07-19 01:10 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-07-19 01:09 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 23:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 23:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2008-08-04 15:22 160800 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 20:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 07:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QQ2009]
2009-09-07 13:34 136512 ----a-w- c:\program files\Tencent\QQ2009\Bin\QQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 13:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-02-04 11:27 23975720 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-13 19:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-09-15 01:27 1015808 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-11-04 18:40 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-15 01:29 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-08 04:41 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2008-08-04 15:22 721936 ----a-w- c:\windows\vVX3000.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Tencent\\QQ2009\\Bin\\QQ.exe"=
"c:\\Documents and Settings\\XXX\\Desktop\\U995.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\XXX\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [20/09/2009 19:51 18432]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [15/09/2009 17:21 108289]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [01/04/2010 08:24 194608]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [16/04/2009 20:07 33792]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [03/01/2008 06:32 44928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-05-04 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 10:42]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: {8047F3A1-7007-439C-A420-C5F66D2640BE} = 10.51.40.1
TCP: {C557467B-F392-4A16-A024-914F5D4A7C9E} = 180.168.255.18 116.228.111.118
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\XXX\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\extensions\[email protected]\plugins\npCCTVplayer.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npINISAFEWeb60.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-C4A68A - c:\windows\system32\5AD888\C4A68A.EXE
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
MSConfigStartUp-Free Download Manager - f:\hot pockets\Program Files\Free Download Manager\fdm.exe
MSConfigStartUp-Google Update - c:\documents and settings\XXX\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-hpqSRMon - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-PPS Accelerator - c:\program files\PPStream\ppsap.exe
MSConfigStartUp-RoboForm - c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-VeohPlugin - c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
AddRemove-Adobe PageMaker 6.5 - c:\pm65\DeIsL1.isu
AddRemove-GSpot - f:\hot pockets\Program Files\GSpot\Uninstall.exe
AddRemove-KLiteCodecPack_is1 - f:\hot pockets\Program Files\K-Lite Codec Pack\unins000.exe
AddRemove-SopCast - f:\hot pockets\Program Files\SopCast\uninst.exe
AddRemove-Timeworks Millenium Pack - c:\audio\TIMEWO~1\UNWISE.EXE
AddRemove-VLC media player - f:\hot pockets\Program Files\VLC\uninstall.exe
AddRemove-{B7050CBDB2504B34BC2A9CA0A692CC29} - f:\hot pockets\Program Files\DivX\DivXWebPlayerUninstall.exe
AddRemove-CCTVBox - f:\hot pockets\cctvbox\tv\CCTVPlayerOcxReg.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 23:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-09 23:16:08
ComboFix-quarantined-files.txt 2010-05-09 15:15

Pre-Run: 17,117,995,008 bytes free
Post-Run: 17,968,521,216 bytes free

- - End Of File - - D255B7EBA5BBE82907204FC8C3B0FA26
  • 0

#4
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
Get SIW

http://www.snapfiles.com/get/siw.html

Run it and under Hardware look for Sensors. Click on Sensors and look in the right pane there should be some temperature readings. What are they? Watch a video for a little bit then look again. Are the temps going up?

Get Process Explorer

http://live.sysinter...com/procexp.exe

Save it to your desktop then run it. Click once or twice on the CPU column header to sort things by CPU usage with the big hitters at the top. What do you see in the top 5 and what percentage does each use? File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.

Ron
  • 0
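As an added example that is not part of Ron's post or of the VEW tool: a small Python parser for the report layout VEW writes (the format visible in the logs posted in this thread) that counts errors and warnings per source and event ID and flags a Disk event 52, so a helper can tell a failing drive from malware symptoms at a glance. The CATEGORIES table and its labels are assumptions of this example, and the sample report is constructed from the posted line shapes.

```python
"""Triage helper for the plain-text reports written by Vino's Event Viewer (VEW).

Added example, not code from this thread or from VEW. It parses the record layout
visible in the posted logs (a "Log:" line, a "Type:" line, an "Event:" line, then
message lines up to the next record), counts records per source and event ID and
sorts them into a few heuristic categories. The CATEGORIES table is assumed here.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

LOG_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+) Category: \d+$")
EVENT_RE = re.compile(r"^Event: (?P<id>\d+) Source: (?P<src>.+)$")
HEADER_RE = re.compile(r"^'\w+' Log - \w+ Type$")   # section banner, e.g. 'System' Log - error Type

# Heuristic grouping, assumed for this example only, keyed on (source, event id).
CATEGORIES = {
    ("Disk", 52): "disk-hardware",   # driver reports the drive predicts its own failure
    ("Disk", 51): "disk-hardware",   # error during a paging operation
    ("atapi", 9): "disk-hardware",   # IDE port did not respond within the timeout
    ("Service Control Manager", 7031): "service",   # a service terminated unexpectedly
    ("Application Hang", 1002): "app-hang",
}

@dataclass
class Event:
    log: str
    when: datetime
    type: str = ""
    event_id: int = 0
    source: str = ""
    message: str = ""

def parse_vew(text: str) -> list:
    """Parse a VEW report into Event records; preamble and banners are skipped."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOG_RE.match(line):             # a new record starts here
            cur = Event(m["log"], datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"))
            events.append(cur)
        elif cur is None or not line or line.startswith("~~~") or HEADER_RE.match(line):
            continue                            # preamble, blank line or section banner
        elif m := TYPE_RE.match(line):
            cur.type = m["type"]
        elif m := EVENT_RE.match(line):
            cur.event_id, cur.source = int(m["id"]), m["src"].strip()
        else:                                   # message text, Context: and Details: lines
            cur.message = f"{cur.message} {line}".strip()
    return events

def summarize(events):
    """Return (counts per (source, event id), counts per heuristic category)."""
    by_key = Counter((e.source, e.event_id) for e in events)
    by_cat = Counter(CATEGORIES.get((e.source, e.event_id), "other") for e in events)
    return by_key, by_cat

def disk_failure_predicted(events) -> bool:
    """True when the report carries a Disk event 52 (the drive predicts its own failure)."""
    return any(e.source == "Disk" and e.event_id == 52 for e in events)

# Constructed sample in the VEW layout, modelled on the lines posted in this thread.
SAMPLE_REPORT = """Vino's Event Viewer v01c run on Windows XP in English

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 11/05/2010 23:28:57
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Hotspot Shield Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 11/05/2010 20:27:30
Type: error Category: 0
Event: 9 Source: atapi
The device, \\Device\\Ide\\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 21:16:37
Type: warning Category: 0
Event: 52 Source: Disk
The driver has detected that device \\Device\\Harddisk0\\DR0 has predicted that it will fail.

Log: 'Application' Date/Time: 01/05/2010 18:32:49
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\\DOCUMENTS AND SETTINGS\\XXX\\RECENT\\VIEW.PHP.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
"""

if __name__ == "__main__":
    evs = parse_vew(SAMPLE_REPORT)
    print(summarize(evs)[1], "disk failure predicted:", disk_failure_predicted(evs))
```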

#5
praxidice
    Member
  • Topic Starter
  • Member
  • PipPipPip
  • 164 posts
Hi Ron,

For SIW, the temps were all at 48C and did not go up when I played video for a while. However, my laptop did get warmer to the touch.

For the others, logs are below.

Thanks!!

A.

-------------------------------------
Process Explorer

Process PID CPU Description Company Name
System Idle Process 0 89.23
Interrupts n/a 9.23 Hardware Interrupts
procexp.exe 2308 1.54 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
wuauclt.exe 1984 Windows Update Microsoft Corporation
WLIDSVCM.EXE 548 Microsoft® Windows Live ID Service Monitor Microsoft Corporation
WLIDSVC.EXE 616 Microsoft® Windows Live ID Service Microsoft Corporation
winlogon.exe 816 Windows NT Logon Application Microsoft Corporation
System 4
svchost.exe 1160 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1292 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1452 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1044 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1552 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1772 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 380 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 580 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1652 Spooler SubSystem App Microsoft Corporation
smss.exe 744 Windows NT Session Manager Microsoft Corporation
sgmain.exe 780 SpywareGuard
sgbhp.exe 1096 SG Browser Hijacking Protection
services.exe 860 Services and Controller app Microsoft Corporation
searchprotocolhost.exe 2364 Microsoft Windows Search Protocol Host Microsoft Corporation
searchindexer.exe 1372 Microsoft Windows Search Indexer Microsoft Corporation
searchfilterhost.exe 2540 Microsoft Windows Search Filter Host Microsoft Corporation
sched.exe 1700 Antivirus Scheduler Avira GmbH
MSCamS32.exe 472 MsCamSvc.exe Microsoft Corporation
LSSrvc.exe 452
lsass.exe 872 LSA Shell (Export Version) Microsoft Corporation
firefox.exe 3300 Firefox Mozilla Corporation
explorer.exe 200 Windows Explorer Microsoft Corporation
DPCs n/a Deferred Procedure Calls
ctfmon.exe 676 CTF Loader Microsoft Corporation
csrss.exe 792 Client Server Runtime Process Microsoft Corporation
avguard.exe 308 Antivirus On-Access Service Avira GmbH
avgnt.exe 1996 Antivirus System Tray Tool Avira GmbH
alg.exe 2764 Application Layer Gateway Service Microsoft Corporation

======================================
Event viewer tool – system log

Vino's Event Viewer v01c run on Windows XP in English
Report run at 11/05/2010 23:50:14

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 11/05/2010 23:44:09
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 11/05/2010 23:44:09
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

Log: 'System' Date/Time: 11/05/2010 23:43:39
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The HP CUE DeviceDiscovery Service service hung on starting.

Log: 'System' Date/Time: 11/05/2010 23:28:57
Type: error Category: 0
Event: 7032 Source: Service Control Manager
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Hotspot Shield Service service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Log: 'System' Date/Time: 11/05/2010 23:28:57
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Hotspot Shield Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Log: 'System' Date/Time: 11/05/2010 20:27:30
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 20:23:59
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 20:17:32
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 20:16:42
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 20:15:53
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:29:30
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:29:02
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:28:27
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:23:52
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:19:14
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:11:38
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:10:42
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:06:25
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:04:15
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Log: 'System' Date/Time: 11/05/2010 19:03:53
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 11/05/2010 23:39:45
Type: warning Category: 0
Event: 1007 Source: Dhcp
Your computer has automatically configured the IP address for the Network Card with network address 0016361457A9. The IP address being used is 169.254.227.132.

Log: 'System' Date/Time: 11/05/2010 21:47:57
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<firefox.exe> C:\...ult\sessionstore-1.js

Log: 'System' Date/Time: 11/05/2010 21:47:26
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<firefox.exe> C:\...ult\sessionstore-1.js

Log: 'System' Date/Time: 11/05/2010 21:16:37
Type: warning Category: 0
Event: 52 Source: Disk
The driver has detected that device \Device\Harddisk0\DR0 has predicted that it will fail. Immediately back up your data and replace your hard disk drive. A failure may be imminent.

Log: 'System' Date/Time: 11/05/2010 20:23:59
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 20:17:32
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 20:15:53
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:29:02
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:28:27
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:23:52
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:11:38
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:10:42
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:06:25
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:04:15
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:03:53
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:03:25
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:02:45
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:02:08
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:00:30
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'System' Date/Time: 11/05/2010 19:00:00
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

======================================
Event viewer tool – application log

Vino's Event Viewer v01c run on Windows XP in English
Report run at 11/05/2010 23:54:37

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 08/05/2010 21:56:01
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application firefox.exe, version 1.9.2.3743, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 03/05/2010 23:11:46
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application fdm.exe, version 3.0.848.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 03/05/2010 22:04:13
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application TFC.exe, version 3.1.5.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 01/05/2010 18:32:49
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\VIEW.PHP.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:32:49
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\VIEW.PHP.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:19:40
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\MY DOCUMENTS\FREELANCE\IB\TRAINING MARKING\SAMPLE MARKS.DOC> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:19:40
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\MY DOCUMENTS\FREELANCE\IB\TRAINING MARKING\SAMPLE MARKS.DOC> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:17:09
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\MY DOCUMENTS\AAE\TOEFL\MATERIALS\WORKSHEETS\WQ2\WQ2 WK2 OUTLINING.DOC> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:16:37
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\AAE.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:16:37
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\AAE.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:13:54
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\WQ2 WK4 TRANSITIONS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:13:54
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\WQ2 WK4 TRANSITIONS.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:11:38
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\Q3 WK4 RELATING THE TWO PASSAGES.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:11:38
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\Q3 WK4 RELATING THE TWO PASSAGES.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:09:03
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\WQ2 WK3 OUTLINING.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:09:03
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\WQ2 WK3 OUTLINING.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:06:16
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\WQ2 WK2 BRAINSTORMING.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 01/05/2010 18:06:16
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\WQ2 WK2 BRAINSTORMING.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Log: 'Application' Date/Time: 28/04/2010 18:02:36
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application openvpnas.exe, version 0.0.0.0, faulting module openvpnas.exe, version 0.0.0.0, fault address 0x00008f63.

Log: 'Application' Date/Time: 28/04/2010 02:41:30
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\MY DOCUMENTS\AAE\TOEFL\MATERIALS\WORKSHEETS\Q5\Q5 WK2 PREPARING TO ANSWER.DOC> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 03/05/2010 13:32:45
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Infected.WebPage.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\Cache\CCE4B9F7d01

Log: 'Application' Date/Time: 24/04/2010 11:33:15
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'ADSPY/Agent.NND' in the file C:\Documents and Settings\XXX\Local Settings\Application Data\Mozilla\Firefox\Profiles\c3talk0n.default\Cache\941FE9C1d01

Log: 'Application' Date/Time: 24/04/2010 11:33:15
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'ADSPY/Agent.NND' in the file C:\Documents and Settings\XXX\My Documents\Downloads\Cdvd.exe

Log: 'Application' Date/Time: 24/04/2010 11:33:15
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'ADSPY/Agent.NND' in the file C:\Documents and Settings\XXX\My Documents\Downloads\Cdvd.exe

Log: 'Application' Date/Time: 23/04/2010 19:34:56
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.serviceModel.activation already exists in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Log: 'Application' Date/Time: 23/04/2010 19:34:56
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.runtime.serialization already exists in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Log: 'Application' Date/Time: 23/04/2010 19:34:53
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.serviceModel already exists in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Log: 'Application' Date/Time: 23/04/2010 19:34:47
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Could not detect IIS installation or IIS is disabled, skipping the Web Host Script Mappings component since it depends upon IIS to function properly. If you believe this message is an error, check your IIS installation to make sure it is installed properly.

Log: 'Application' Date/Time: 23/04/2010 19:24:11
Type: warning Category: 1
Event: 1020 Source: ASP.NET 2.0.50727.0
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Log: 'Application' Date/Time: 21/04/2010 21:11:16
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\223H6K6R\download[4].htm

Log: 'Application' Date/Time: 21/04/2010 21:06:13
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\223H6K6R\download[3].htm

Log: 'Application' Date/Time: 21/04/2010 21:06:02
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\G26J1N22\download[3].htm

Log: 'Application' Date/Time: 21/04/2010 21:05:28
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\223H6K6R\download[2].htm

Log: 'Application' Date/Time: 21/04/2010 21:05:18
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\G26J1N22\download[1].htm

Log: 'Application' Date/Time: 21/04/2010 21:05:07
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\LWSUFTD9\download[1].htm

Log: 'Application' Date/Time: 21/04/2010 21:04:08
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\ETYUV12G\download[2].htm

Log: 'Application' Date/Time: 21/04/2010 20:39:35
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\ETYUV12G\download[2].htm

Log: 'Application' Date/Time: 21/04/2010 20:38:30
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\G26J1N22\download[1].htm

Log: 'Application' Date/Time: 21/04/2010 20:38:00
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\ETYUV12G\download[1].htm

Log: 'Application' Date/Time: 21/04/2010 19:45:35
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Crypted.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files\Content.IE5\ETYUV12G\download[1].htm
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Looks BAD! Your hard drive is dying, which is why we are seeing the hardware interrupts and the slow performance. It has to retry several times to get the right data.

Log: 'System' Date/Time: 11/05/2010 21:16:37
Type: warning Category: 0
Event: 52 Source: Disk
The driver has detected that device \Device\Harddisk0\DR0 has predicted that it will fail. Immediately back up your data and replace your hard disk drive. A failure may be imminent.

Log: 'System' Date/Time: 11/05/2010 20:23:59
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.


If you run SIW again and look under Hardware, Storage Devices then Disk 0 it will tell you who makes your drive and the model number. Go to the website for the drive maker and download their test tool. Usually there are two tests. The quick one and the extended one. If the drive passes the Quick test then run the extended test. (It will run many hours.) Make sure it says it is non-destructive.

Ron
  • 0
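The two Disk events Ron quotes are the ones that decide the order of work: a drive that has logged a predicted failure gets backed up and replaced before any further malware hunting. The script below is an added example, not a tool from this thread or from Geeks to Go, that parses the plain-text report format the logs above are posted in (the "Log: ... / Type: ... / Event: ... / Source: ..." blocks) and pulls out Disk events 51 and 52 plus Avira event 4113 detections. The sample entries are copied from the logs posted above; the helper names are my own.

```python
"""Triage the plain-text event-log report format posted in this thread.

Added example (not from the thread): parses "Log:/Type:/Event:/Source:"
blocks and extracts what a technician acts on first, Disk events 51/52
(failing drive) and Avira event 4113 detections.  Dates are dd/mm/yyyy,
as the report header notes.  Sample entries are copied from the thread.
"""
import re
from dataclasses import dataclass
from datetime import datetime

SAMPLE_REPORT = r"""
Log: 'System' Date/Time: 11/05/2010 21:16:37
Type: warning Category: 0
Event: 52 Source: Disk
The driver has detected that device \Device\Harddisk0\DR0 has predicted that it will fail. Immediately back up your data and replace your hard disk drive. A failure may be imminent.

Log: 'System' Date/Time: 11/05/2010 20:23:59
Type: warning Category: 0
Event: 51 Source: Disk
An error was detected on device \Device\Harddisk0\D during a paging operation.

Log: 'Application' Date/Time: 03/05/2010 13:32:45
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'HTML/Infected.WebPage.Gen' in the file C:\Documents and Settings\XXX\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ic17ruo.default\Cache\CCE4B9F7d01

Log: 'Application' Date/Time: 01/05/2010 18:32:49
Type: error Category: 3
Event: 3013 Source: Windows Search Service
The entry <C:\DOCUMENTS AND SETTINGS\XXX\RECENT\VIEW.PHP.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
"""

HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s*$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+) Category: (?P<cat>\d+)\s*$")
EVENT_RE = re.compile(r"^Event: (?P<event>\d+) Source: (?P<source>.+?)\s*$")


@dataclass
class Entry:
    log: str
    when: datetime
    type: str
    category: int
    event: int
    source: str
    message: str


def parse_report(text):
    """Split the report into entries, each starting with a "Log: '...'" line.
    Splitting on the header rather than on blank lines keeps multi-paragraph
    messages (the Context:/Details: blocks) attached to their own entry."""
    entries = []
    for chunk in re.split(r"(?m)^(?=Log: ')", text):
        lines = chunk.strip().splitlines()
        if len(lines) < 3:
            continue
        h, t, e = HEADER_RE.match(lines[0]), TYPE_RE.match(lines[1]), EVENT_RE.match(lines[2])
        if not (h and t and e):
            continue  # malformed block: skip it rather than guess
        entries.append(Entry(
            log=h["log"],
            when=datetime.strptime(h["when"], "%d/%m/%Y %H:%M:%S"),
            type=t["type"],
            category=int(t["cat"]),
            event=int(e["event"]),
            source=e["source"],
            message="\n".join(lines[3:]).strip(),
        ))
    return entries


# Disk source events that point at failing hardware rather than malware.
DISK_EVENTS = {
    51: "I/O error during a paging operation",
    52: "drive reports it will fail (SMART prediction)",
}
DEVICE_RE = re.compile(r"\\Device\\Harddisk\d+\\\S+")
AV_RE = re.compile(r"detected '(?P<name>[^']+)' in the file (?P<path>.+)$")


def triage(entries):
    """Return the findings that decide what to do next, oldest first."""
    disk, av = [], []
    for en in sorted(entries, key=lambda x: x.when):
        if en.source == "Disk" and en.event in DISK_EVENTS:
            dev = DEVICE_RE.search(en.message)
            disk.append((en.event, dev.group(0) if dev else "?", DISK_EVENTS[en.event]))
        elif en.source == "Avira AntiVir" and en.event == 4113:
            m = AV_RE.search(en.message)
            if m:
                av.append((m["name"], m["path"]))
    return {"disk": disk, "av": av}


def drive_failure_predicted(entries):
    """True when the disk driver logged a SMART failure prediction (event 52):
    back up and replace the drive before doing any more malware work."""
    return any(en.source == "Disk" and en.event == 52 for en in entries)


if __name__ == "__main__":
    ents = parse_report(SAMPLE_REPORT)
    for kind, items in triage(ents).items():
        for item in items:
            print(kind, *item)
    print("replace drive first:", drive_failure_predicted(ents))
```

Run it against a saved copy of the report and read the "disk" findings before the "av" ones: the Avira 4113 lines in this thread are browser-cache and download hits that the scanner already handled, while a single event 52 from the Disk source is the reason a quick-and-extended manufacturer test, and a backup, come first.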

#7
praxidice

praxidice

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 164 posts
Yes, bad indeed. After I restarted, after running those tests, I got the message re: hard drive will fail. I back up regularly, although I admit it's because I had a hard drive die once before!

I'll follow your instructions ASAP. It takes me a while because the comp is so slow.

Thanks! Be back soon.

A.
  • 0

#8
praxidice

praxidice

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 164 posts
First, my comp slowed to such a crawl that it wasn't responding at all. Out of desperation I did a system restore from the Erunt point (before my first post here). Now it's at least running again, though still slowly.

I ran both the short and long tests and both passed!

However, whenever I (re)boot the system I get the "failure may be imminent" message. Then I press F1 per instructions and it boots merrily (read: slowly) on.

So, I guess the hard drive will die soon, and I'll just wait around and hold its hand until it passes into the great beyond...? :)

What fun.

Edited by praxidice, 13 May 2010 - 02:45 AM.

  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
You can get a new hard drive, connect it up with a USB adapter then use the software from the new drive to clone your old drive then replace the drive.

The adapters aren't very expensive. I've used these before:

http://www.amazon.co...p;redirect=true

This is for a SATA laptop drive. If you have an older laptop with an IDE drive then you need this one which I have also used:
http://www.amazon.co...d_bxgy_e_text_b

To see which drive you have get SIW
http://www.snapfiles.com/get/siw.html
Under Hardware find Storage Devices and click on it. It will tell you the Make and Model and Interface type of your hard drive.
Amazon carries a bunch of drives at decent prices but you may want to try and get a bigger one than you have. It's usually only about $10 more.


Even if you don't feel up to changing out the drive you can save all of your data to the new drive and let a repair shop do the physical work.

Ron
  • 0

#10
praxidice

praxidice

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 164 posts
Thanks for the info! I think I can handle that.

So, I think that's all?

I'm still confused about the RECYCLER folder that I see in both of my hard drives. It wasn't there before, and the last time I saw that, it turned out to be a virus. It's really nothing?
  • 0

#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
The RECYCLER folder is the recycle bin. The recycle bin on your desktop is simply a shortcut to all the RECYCLER folders in your computer. If you have a C:\ D:\ and E:\, your recycle bin shows the contents of C:\RECYCLER D:\RECYCLER and E:\RECYCLER. Having these RECYCLER folders on each drive saves the OS from having to copy a deleted file or folder from any other drive to the C:\ drive. http://forums.techgu...ler-folder.html

Normally you don't see it because it is a hidden system file, but in the course of malware hunting we make a change so you can see hidden system files.

To hide hidden files again:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.

Ron
  • 0

#12
praxidice

praxidice

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 164 posts
Ok, I see.

Thank you very much for all of your help. I ought to be able to get a new hard drive before the current one ends its days.

=) Thanks!
  • 0
