Hi, Yes its Avira AntiVir Personal. I read a dozen articles online and it was a toss up between a few but they said Avira was a bit better at detection, not super at disinfection. I figured with MalWae Bytes and other tools already installed here, I needed more detection/blocking.
The latest detailed symptoms, A long skinny window keeps opening every 1-2 minutes: "8qi0tp.exe...the instruction at 0x7c901e78 [can't write to] 0x71ab4a07...click OK to terminate..." After restarting so many times, I got it to start pretty smooth and when I let Avira do it's scan it took 7 hours,and it produced a log. Here it is for you to check out:
Avira AntiVir Personal
Report file date: Monday, May 23, 2011 17:31
Scanning for 2755815 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Paul G!
Computer name : THEPOWER
Version information:
BUILD.DAT : 10.0.0.648 31823 Bytes 4/1/2011 18:36:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 4/1/2011 21:07:43
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2011 21:07:57
LUKE.DLL : 10.0.3.2 104296 Bytes 4/1/2011 21:07:53
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 20:15:47
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 20:15:47
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 21:28:10
VBASE004.VDF : 7.11.5.226 2048 Bytes 4/7/2011 21:28:10
VBASE005.VDF : 7.11.5.227 2048 Bytes 4/7/2011 21:28:10
VBASE006.VDF : 7.11.5.228 2048 Bytes 4/7/2011 21:28:10
VBASE007.VDF : 7.11.5.229 2048 Bytes 4/7/2011 21:28:10
VBASE008.VDF : 7.11.5.230 2048 Bytes 4/7/2011 21:28:10
VBASE009.VDF : 7.11.5.231 2048 Bytes 4/7/2011 21:28:10
VBASE010.VDF : 7.11.5.232 2048 Bytes 4/7/2011 21:28:11
VBASE011.VDF : 7.11.5.233 2048 Bytes 4/7/2011 21:28:11
VBASE012.VDF : 7.11.5.234 2048 Bytes 4/7/2011 21:28:11
VBASE013.VDF : 7.11.6.28 158208 Bytes 4/11/2011 21:28:13
VBASE014.VDF : 7.11.6.74 116224 Bytes 4/13/2011 21:28:14
VBASE015.VDF : 7.11.6.113 137728 Bytes 4/14/2011 21:28:17
VBASE016.VDF : 7.11.6.150 146944 Bytes 4/18/2011 21:28:18
VBASE017.VDF : 7.11.6.192 138240 Bytes 4/20/2011 21:28:20
VBASE018.VDF : 7.11.6.237 156160 Bytes 4/22/2011 21:28:21
VBASE019.VDF : 7.11.7.45 427520 Bytes 4/27/2011 21:28:26
VBASE020.VDF : 7.11.7.64 192000 Bytes 4/28/2011 21:28:28
VBASE021.VDF : 7.11.7.97 182272 Bytes 5/2/2011 21:28:30
VBASE022.VDF : 7.11.7.127 467968 Bytes 5/4/2011 21:28:35
VBASE023.VDF : 7.11.7.183 185856 Bytes 5/9/2011 21:28:37
VBASE024.VDF : 7.11.7.218 133120 Bytes 5/11/2011 21:28:39
VBASE025.VDF : 7.11.7.234 139776 Bytes 5/11/2011 21:28:41
VBASE026.VDF : 7.11.8.16 147456 Bytes 5/13/2011 21:28:43
VBASE027.VDF : 7.11.8.46 169472 Bytes 5/17/2011 21:28:45
VBASE028.VDF : 7.11.8.47 2048 Bytes 5/17/2011 21:28:46
VBASE029.VDF : 7.11.8.48 2048 Bytes 5/17/2011 21:28:46
VBASE030.VDF : 7.11.8.49 2048 Bytes 5/17/2011 21:28:46
VBASE031.VDF : 7.11.8.107 181248 Bytes 5/23/2011 21:28:48
Engineversion : 8.2.4.242
AEVDF.DLL : 8.1.2.1 106868 Bytes 3/28/2011 20:15:27
AESCRIPT.DLL : 8.1.3.64 1606011 Bytes 5/23/2011 21:29:20
AESCN.DLL : 8.1.7.2 127349 Bytes 3/28/2011 20:15:27
AESBX.DLL : 8.1.3.2 254324 Bytes 3/28/2011 20:15:26
AERDL.DLL : 8.1.9.9 639347 Bytes 3/25/2011 16:21:38
AEPACK.DLL : 8.2.6.8 557430 Bytes 5/23/2011 21:29:16
AEOFFICE.DLL : 8.1.1.22 205178 Bytes 5/23/2011 21:29:13
AEHEUR.DLL : 8.1.2.119 3481976 Bytes 5/23/2011 21:29:12
AEHELP.DLL : 8.1.17.2 246135 Bytes 5/23/2011 21:28:55
AEGEN.DLL : 8.1.5.6 401780 Bytes 5/23/2011 21:28:53
AEEMU.DLL : 8.1.3.0 393589 Bytes 3/28/2011 20:15:19
AECORE.DLL : 8.1.20.5 196983 Bytes 5/23/2011 21:28:51
AEBB.DLL : 8.1.1.0 53618 Bytes 3/28/2011 20:15:19
AVWINLL.DLL : 10.0.0.0 19304 Bytes 3/28/2011 20:15:31
AVPREF.DLL : 10.0.0.0 44904 Bytes 4/1/2011 21:07:42
AVREP.DLL : 10.0.0.10 174120 Bytes 5/23/2011 21:29:21
AVREG.DLL : 10.0.3.2 53096 Bytes 4/1/2011 21:07:42
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 4/1/2011 21:07:43
AVARKT.DLL : 10.0.22.6 231784 Bytes 4/1/2011 21:07:38
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 4/1/2011 21:07:41
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 19:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/28/2011 20:15:30
NETNT.DLL : 10.0.0.0 11624 Bytes 3/28/2011 20:15:39
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 4/1/2011 21:07:58
RCTEXT.DLL : 10.0.58.0 97128 Bytes 3/28/2011 20:15:52
Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Monday, May 23, 2011 17:31
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process '8pyt.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'Yzj.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\Documents and Settings\Paul G!\Local Settings\Temp\mdm.exe>
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] Process 'mdm.exe' was terminated
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRpZ> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRpZ> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '4d5f7050.qua'.
Scan process 'avp.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\WINDOWS\avp.exe>
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] Process 'avp.exe' was terminated
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKZe> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKZe> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '55c55fd1.qua'.
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\WINDOWS\lsass.exe>
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] Process 'lsass.exe' was terminated
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcuc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcuc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '07eb053e.qua'.
Scan process 'debug.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\Documents and Settings\Paul G!\Local Settings\Temp\debug.exe>
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] Process 'debug.exe' was terminated
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnoc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnoc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '61db4afb.qua'.
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\WINDOWS\winlogon.exe>
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] Process 'winlogon.exe' was terminated
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfsc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfsc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '242b67c9.qua'.
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\WINDOWS\mdm.exe>
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] Process 'mdm.exe' was terminated
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcZ> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcZ> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '5b3f55b5.qua'.
Scan process 'avp32.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\Documents and Settings\Paul G!\Local Settings\Temp\avp32.exe>
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] Process 'avp32.exe' was terminated
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRmSc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRmSc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '178a7985.qua'.
Scan process 'qpvlj2.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\Documents and Settings\Paul G!\Local Settings\Temp\qpvlj2.exe>
[NOTE] Process 'qpvlj2.exe' was terminated
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRqvP> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRqvP> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '6b8839d3.qua'.
Scan process 'etgpnr.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\Documents and Settings\Paul G!\Local Settings\Temp\etgpnr.exe>
[NOTE] Process 'etgpnr.exe' was terminated
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnuf> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnuf> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '46c3168b.qua'.
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process '8pyt.exe' - '1' Module(s) have been scanned
Scan process 'pxkcrxne.exe' - '1' Module(s) have been scanned
Scan process 'Ybapea.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'JFL3532.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'hpqSTE08.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'CFD.exe' - '1' Module(s) have been scanned
Scan process 'HPWuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Starting to scan executable files (registry).
C:\WINDOWS\system32\iy9a020.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
--> Object
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\drweb.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\taskmgr.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\WINDOWS\debug.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\nvsvc32.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\WINDOWS\cmd.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\WINDOWS\iexplarer.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\lsass.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\avp.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\WINDOWS\csrss.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\gdi32.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\user.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\WINDOWS\setup.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\smss.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\WINDOWS\win32.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\services.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\msmgm.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\WINDOWS\msmgm.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\win16.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\WINDOWS\sysmgm.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\WINDOWS\login.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\install.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\sysedit.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\system.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\csrss.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\winlogon.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\WINDOWS\gdi32.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\winamp.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\WINDOWS\wininst.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\WINDOWS\drweb.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
C:\Documents and Settings\Paul G!\Local Settings\Temp\cmd.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
The registry was scanned ( '453' files ).
Beginning disinfection:
C:\Documents and Settings\Paul G!\Local Settings\Temp\cmd.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnZ> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnZ> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '5fd42d74.qua'.
C:\WINDOWS\drweb.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKasc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKasc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '33e70152.qua'.
C:\WINDOWS\wininst.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfre> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfre> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '424738c4.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\winamp.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRspe> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRspe> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '4c5d080b.qua'.
C:\WINDOWS\gdi32.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKbMc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKbMc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '097f714c.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\winlogon.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRssc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRssc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '007f7412.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\csrss.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnyc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnyc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '583a6d69.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\system.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrxe> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrxe> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '74cf1497.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\sysedit.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrtc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrtc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '4a317455.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\install.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRota> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRota> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '293f5f39.qua'.
C:\WINDOWS\login.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcrc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKcrc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '0ffb1f3d.qua'.
C:\WINDOWS\sysmgm.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKewe> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKewe> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '3d6364e5.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\win16.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRsPc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRsPc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '37234f93.qua'.
C:\WINDOWS\msmgm.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKctc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKctc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '087f2bc0.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\msmgm.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRptc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRptc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '765327ef.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\services.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrta> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrta> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '2320232e.qua'.
C:\WINDOWS\win32.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfPc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKfPc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '2eb25232.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\smss.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrg> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrg> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '32ea4637.qua'.
C:\WINDOWS\setup.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKevc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKevc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '033a0bf9.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\user.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRre> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRre> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '6f1d1f25.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\gdi32.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRoMc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRoMc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '26fb3adb.qua'.
C:\WINDOWS\csrss.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKayc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKayc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '7d6132e3.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\avp.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRme> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRme> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '1bd53e01.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\lsass.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRpuc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRpuc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '4c2a4c92.qua'.
C:\WINDOWS\iexplarer.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKbuqc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKbuqc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '6e331bdd.qua'.
C:\WINDOWS\cmd.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKaZ> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKaZ> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '064f617b.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\nvsvc32.exe
[DETECTION] Is the TR/Ertfor.B.100 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRpw+> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRpw+> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '264a6591.qua'.
C:\WINDOWS\debug.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKaoc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKaoc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '731f2352.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\taskmgr.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrrb> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRrrb> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '124e02e1.qua'.
C:\Documents and Settings\Paul G!\Local Settings\Temp\drweb.exe
[DETECTION] Is the TR/Ertfor.B.99 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnsc> was removed successfully.
[NOTE] The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNUMFOXRnsc> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '77fe4005.qua'.
C:\WINDOWS\system32\iy9a020.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{24A123C3-A500-99BD-A120-04B53A2C8952}> was removed successfully.
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24A123C3-A500-99BD-A120-04B53A2C8952}> was removed successfully.
[NOTE] The file was moved to the quarantine directory under the name '126b34ab.qua'.
End of the scan: Monday, May 23, 2011 17:45
Used time: 09:13 Minute(s)
The scan has been done completely.
0 Scanned directories
1072 Files were scanned
40 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
40 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1032 Files not concerned
6 Archives were scanned
0 Warnings
40 Notes
*******************************************************************************
*******************************************************************************
*******************************************************************************
I haven't been patient enough to sit and babysit it while it takes forever to uninstall...probably! sorry, I guess I'm being a bit pessimistic.lol
The good news, OTL ran and here is the fresh log:
OTL logfile created on: 5/26/2011 5:11:57 PM - Run 10
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Paul G!\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
511.00 Mb Total Physical Memory | 198.00 Mb Available Physical Memory | 39.00% Memory free
864.00 Mb Paging File | 298.00 Mb Available in Paging File | 35.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 23.26 Gb Free Space | 62.44% Space Free | Partition Type: NTFS
Computer Name: THEPOWER | User Name: Paul G! | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ========== PRC - [2011/05/26 16:39:10 | 000,181,760 | ---- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Temp\csrss.exe
PRC - [2011/05/25 16:56:14 | 000,389,120 | ---- | M] (w) -- C:\WINDOWS\system32\ofeo.exe
PRC - [2011/05/25 16:28:30 | 000,179,712 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Temp\8qi0tp.exe
PRC - [2011/05/24 18:19:49 | 000,193,024 | ---- | M] () -- C:\Documents and Settings\Paul G!\Application Data\Microsoft\conhost.exe
PRC - [2011/05/24 12:16:09 | 000,141,312 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Temp\teofb.exe
PRC - [2011/05/24 06:44:11 | 000,187,392 | ---- | M] () -- C:\Documents and Settings\Paul G!\Application Data\dwm.exe
PRC - [2011/05/24 06:15:49 | 000,090,112 | -H-- | M] ( ) -- C:\Documents and Settings\Paul G!\Local Settings\Temp\o4gnwb.exe
PRC - [2011/05/23 17:00:12 | 000,182,784 | ---- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Temp\pxkcrxne.exe
PRC - [2011/05/23 16:59:28 | 000,238,080 | ---- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Temp\Yzj.exe
PRC - [2011/05/23 16:59:26 | 000,229,376 | ---- | M] () -- C:\WINDOWS\Ybapea.exe
PRC - [2011/05/08 13:40:31 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
PRC - [2011/03/28 16:15:53 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/03/28 16:15:40 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/28 16:15:30 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/03/28 16:15:29 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/05/14 12:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/09/10 22:26:26 | 000,368,706 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe
========== Modules (SafeList) ========== MOD - [2011/05/23 10:56:12 | 000,011,776 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Paul G!\Application Data\cleanhlm.dll
MOD - [2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
========== Win32 Services (SafeList) ========== SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - File not found [Auto | Stopped] -- -- (itlperf)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (getPlus® Helper) getPlus®
SRV - [2011/05/25 16:52:02 | 000,000,039 | -H-- | M] () [Auto | Stopped] -- C:\WINDOWS\cftnom.bat -- (System Updater)
SRV - [2011/05/24 11:20:59 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\Ipripv32.dll -- (Iprip)
SRV - [2011/05/23 17:01:01 | 000,000,062 | -H-- | M] () [Auto | Stopped] -- C:\Documents and Settings\Paul G!\Local Settings\Temp\MouseDriver.bat -- (MouseDriver)
SRV - [2011/03/28 16:15:40 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/03/28 16:15:30 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
========== Driver Services (SafeList) ========== DRV - [2011/04/01 17:07:59 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/04/01 17:07:59 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 15:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 15:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/06/11 19:34:34 | 000,049,904 | ---- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 14:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/02/08 15:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2005/11/02 14:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/15 16:37:52 | 000,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2003/09/26 10:41:10 | 000,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/07/16 12:34:04 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/07/16 12:34:04 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001/08/17 12:11:30 | 000,096,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2001/08/17 12:11:30 | 000,026,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCM4E5.SYS -- (BCM44X2)
DRV - [2001/08/17 12:11:26 | 000,054,271 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm42xx5.sys -- (BCM42XX) Broadcom iLine10™
========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://att.netIE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
http://yahoo.sbc.com/dslIE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:64040
========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "
http://search.yahoo....-8&fr=ytff-&p="FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "
http://att.my.yahoo.com/"FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems:
[email protected]:1.0
FF - prefs.js..keyword.URL: "
http://search.yahoo....-8&fr=ytff-&p="FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 64040
FF - prefs.js..network.proxy.type: 1
FF - HKLM\software\mozilla\Firefox\extensions\\{1BCE2519-7FF7-49DB-A945-CBEEA9C6FCD6}: C:\Documents and Settings\Paul G!\Local Settings\Application Data\{1BCE2519-7FF7-49DB-A945-CBEEA9C6FCD6} [2011/05/23 17:03:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/08 13:40:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/08 13:40:36 | 000,000,000 | ---D | M]
[2009/04/21 21:40:19 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Extensions
[2011/05/26 00:22:18 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions
[2010/08/13 14:04:13 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/08 13:41:51 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/04/30 21:58:28 | 000,000,000 | -H-D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2011/05/08 12:46:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/16 18:35:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
[2011/05/23 17:03:09 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\PAUL G!\LOCAL SETTINGS\APPLICATION DATA\{1BCE2519-7FF7-49DB-A945-CBEEA9C6FCD6}
[2010/11/16 18:35:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/08 13:40:31 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/11/16 18:35:22 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/05/08 13:40:33 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
O1 HOSTS File: ([2011/05/23 10:55:58 | 000,000,888 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 184.95.59.205 www.google.com
O1 - Hosts: 184.95.59.206 search.yahoo.com
O2 - BHO: (C:\WINDOWS\system32\iy9a020.dll) - {24A123C3-A500-99BD-A120-04B53A2C8952} - File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [cftmon] C:\WINDOWS\system32\ofeo.exe (w)
O4 - HKLM..\Run: [conhost] C:\Documents and Settings\Paul G!\Application Data\Microsoft\conhost.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [Yxuhegosulizeg] C:\WINDOWS\ezehuqajacu.dll (Adaptec, Inc.)
O4 - HKCU..\Run: [1BGZDODGYQ] C:\WINDOWS\Ybapea.exe ()
O4 - HKCU..\Run: [1U0WFOHZPQ] C:\Documents and Settings\Paul G!\Local Settings\Temp\Yzw.exe ()
O4 - HKCU..\Run: [4ECYTQ9SIC] C:\Documents and Settings\Paul G!\Local Settings\Temp\Yzj.exe ()
O4 - HKCU..\Run: [506E7F42_0] C:\Documents and Settings\Paul G!\Local Settings\Temp\pxkcrxne.exe ()
O4 - HKCU..\Run: [J40NOZ44HU] C:\Documents and Settings\Paul G!\Local Settings\Temp\Y0b.exe ()
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10o_Plugin.exe (Adobe Systems, Inc.)
F3 - HKCU WinNT: Load - (C:\DOCUME~1\PAULG!~1\LOCALS~1\Temp\csrss.exe) - C:\Documents and Settings\Paul G!\Local Settings\Temp\csrss.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: jmwz = C:\WINDOWS\TEMP\8pyt.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 4sgd = C:\DOCUME~1\PAULG!~1\LOCALS~1\Temp\o4gnwb.exe ( )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: gckt = C:\DOCUME~1\PAULG!~1\LOCALS~1\Temp\teofb.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: nqr41 = C:\DOCUME~1\PAULG!~1\LOCALS~1\Temp\8qi0tp.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
http://www.update.mi...b?1231962780789 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\Paul G!\Application Data\dwm.exe) - C:\Documents and Settings\Paul G!\Application Data\dwm.exe ()
O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
O22 - SharedTaskScheduler: {24A123C3-A500-99BD-A120-04B53A2C8952} - osklef87hgudufhg87fuyATU7 - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/13 17:20:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ========== [2011/05/25 23:05:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/25 16:56:12 | 000,389,120 | ---- | C] (w) -- C:\WINDOWS\System32\ofeo.exe
[2011/05/25 16:29:11 | 000,389,120 | ---- | C] (w) -- C:\WINDOWS\System32\zggiw.exe
[2011/05/24 12:21:53 | 000,393,216 | ---- | C] (mz) -- C:\WINDOWS\System32\uukmm.exe
[2011/05/24 06:43:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul G!\Application Data\Avira
[2011/05/23 23:27:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/23 17:39:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2011/05/23 17:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/05/23 17:25:12 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2011/05/23 17:25:10 | 000,137,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/05/23 17:25:10 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/05/23 17:25:10 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2011/05/23 17:25:10 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2011/05/23 17:25:03 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/05/23 17:25:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/05/23 17:03:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\{1BCE2519-7FF7-49DB-A945-CBEEA9C6FCD6}
[2011/05/21 19:10:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul G!\Desktop\PICS_INFO
[2011/05/21 17:45:57 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/05/16 16:26:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul G!\Desktop\OLD LOGS
[2011/05/12 09:07:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/12 09:07:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/12 09:07:51 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/12 09:07:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/12 09:05:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[9 C:\Documents and Settings\Paul G!\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Paul G!\Local Settings\Application Data\*.tmp -> ]
========== Files - Modified Within 30 Days ========== [2011/05/26 17:44:25 | 000,000,218 | ---- | M] () -- C:\WINDOWS\System32\winset.ini
[2011/05/26 17:44:14 | 000,000,250 | -H-- | M] () -- C:\WINDOWS\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
[2011/05/26 17:36:27 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job
[2011/05/26 17:23:46 | 000,000,146 | ---- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\vn1voy5tt.bat
[2011/05/26 17:23:29 | 000,000,094 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\MouseDriver.bat
[2011/05/26 17:21:37 | 000,000,217 | ---- | M] () -- C:\Documents and Settings\Paul G!\delme.bat
[2011/05/26 17:21:32 | 000,389,120 | ---- | M] (w) -- C:\WINDOWS\System32\cmqzx.exe
[2011/05/26 17:21:27 | 000,000,292 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/05/26 17:20:36 | 000,157,696 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\qm9bg.exe
[2011/05/26 16:20:08 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/26 16:19:59 | 000,069,987 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/05/26 16:17:59 | 000,030,098 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/05/26 16:17:40 | 000,006,547 | ---- | M] () -- C:\Documents and Settings\Paul G!\Application Data\195E.CD8
[2011/05/26 16:17:32 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\dwkruf.job
[2011/05/26 16:17:21 | 000,000,352 | -HS- | M] () -- C:\WINDOWS\tasks\taaiponsw.job
[2011/05/26 16:17:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/26 00:13:11 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qqoxeyogomusig.bin
[2011/05/26 00:01:29 | 000,005,829 | -H-- | M] () -- C:\WINDOWS\Jelly.ini
[2011/05/25 16:56:14 | 000,389,120 | ---- | M] (w) -- C:\WINDOWS\System32\ofeo.exe
[2011/05/25 16:52:02 | 000,000,039 | -H-- | M] () -- C:\WINDOWS\cftnom.bat
[2011/05/25 16:29:12 | 000,389,120 | ---- | M] (w) -- C:\WINDOWS\System32\zggiw.exe
[2011/05/24 12:21:54 | 000,393,216 | ---- | M] (mz) -- C:\WINDOWS\System32\uukmm.exe
[2011/05/24 11:20:59 | 000,053,248 | ---- | M] () -- C:\WINDOWS\System32\Ipripv32.dll
[2011/05/24 11:17:58 | 000,034,816 | ---- | M] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/05/24 06:44:11 | 000,187,392 | ---- | M] () -- C:\Documents and Settings\Paul G!\Application Data\dwm.exe
[2011/05/24 06:33:02 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Paul G!\Application Data\chrtmp
[2011/05/23 22:43:39 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/23 19:17:16 | 000,053,248 | ---- | M] () -- C:\WINDOWS\System32\Iasv32.dll
[2011/05/23 17:25:39 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/05/23 17:13:37 | 052,676,424 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\avira_antivir_personal_en.exe
[2011/05/23 17:06:30 | 000,000,058 | -HS- | M] () -- C:\WINDOWS\System32\User.ini
[2011/05/23 17:03:12 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Uzohip.dat
[2011/05/23 17:01:01 | 000,073,216 | RHS- | M] () -- C:\WINDOWS\System32\perfwcik.dll
[2011/05/23 16:59:26 | 000,229,376 | ---- | M] () -- C:\WINDOWS\Ybapea.exe
[2011/05/23 10:55:58 | 000,000,888 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/23 01:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\DriverCure.job
[2011/05/22 01:49:11 | 000,034,553 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\HUDC - Shelf Layout v8-2.any
[2011/05/21 17:45:08 | 004,352,705 | R--- | M] () -- C:\Documents and Settings\Paul G!\Desktop\ComboFix.exe
[2011/05/21 16:51:57 | 000,293,775 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\gmer.zip
[2011/05/20 18:07:38 | 000,014,848 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/19 05:30:28 | 000,069,987 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2011/05/12 14:38:28 | 000,199,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/12 14:35:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/05/12 14:30:29 | 000,432,924 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/12 14:30:29 | 000,067,714 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/04 13:54:12 | 000,302,080 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\gmer.exe
[2011/04/29 22:48:19 | 001,116,672 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\RogueKiller.exe
[15 C:\Documents and Settings\Paul G!\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Paul G!\Local Settings\Application Data\*.tmp -> ]
========== Files Created - No Company Name ========== [2011/05/26 17:23:46 | 000,000,146 | ---- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\vn1voy5tt.bat
[2011/05/26 17:23:28 | 000,000,094 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\MouseDriver.bat
[2011/05/26 17:23:04 | 000,157,696 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\qm9bg.exe
[2011/05/25 01:28:45 | 000,000,292 | -H-- | C] () -- C:\WINDOWS\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
[2011/05/24 12:22:09 | 000,000,217 | ---- | C] () -- C:\Documents and Settings\Paul G!\delme.bat
[2011/05/24 11:20:58 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\Ipripv32.dll
[2011/05/24 06:44:10 | 000,187,392 | ---- | C] () -- C:\Documents and Settings\Paul G!\Application Data\dwm.exe
[2011/05/24 06:33:02 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Paul G!\Application Data\chrtmp
[2011/05/24 06:18:10 | 000,000,218 | ---- | C] () -- C:\WINDOWS\System32\winset.ini
[2011/05/24 06:16:43 | 000,006,547 | ---- | C] () -- C:\Documents and Settings\Paul G!\Application Data\195E.CD8
[2011/05/24 05:53:09 | 000,000,292 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/05/23 19:17:16 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\Iasv32.dll
[2011/05/23 19:16:30 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/05/23 17:25:38 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/05/23 17:09:08 | 052,676,424 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\avira_antivir_personal_en.exe
[2011/05/23 17:06:30 | 000,000,058 | -HS- | C] () -- C:\WINDOWS\System32\User.ini
[2011/05/23 17:06:20 | 000,000,039 | -H-- | C] () -- C:\WINDOWS\cftnom.bat
[2011/05/23 17:03:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qqoxeyogomusig.bin
[2011/05/23 17:03:12 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Uzohip.dat
[2011/05/23 17:01:03 | 000,000,352 | -HS- | C] () -- C:\WINDOWS\tasks\taaiponsw.job
[2011/05/23 17:01:03 | 000,000,316 | -HS- | C] () -- C:\WINDOWS\tasks\dwkruf.job
[2011/05/23 17:01:01 | 000,073,216 | RHS- | C] () -- C:\WINDOWS\System32\perfwcik.dll
[2011/05/23 16:59:45 | 000,229,376 | ---- | C] () -- C:\WINDOWS\Ybapea.exe
[2011/05/22 01:49:16 | 000,034,553 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\HUDC - Shelf Layout v8-2.any
[2011/05/21 16:51:57 | 000,293,775 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\gmer.zip
[2011/05/12 09:07:51 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/12 09:07:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/12 09:07:51 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/12 09:07:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/12 09:07:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/12 09:01:40 | 004,352,705 | R--- | C] () -- C:\Documents and Settings\Paul G!\Desktop\ComboFix.exe
[2011/05/08 13:40:42 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/05 16:37:34 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\Mozilla Firefox.lnk
[2011/05/04 13:54:12 | 000,302,080 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\gmer.exe
[2010/11/14 01:00:37 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/10/09 02:31:07 | 000,000,051 | -H-- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/16 21:14:44 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/06/16 21:11:33 | 000,110,056 | ---- | C] () -- C:\WINDOWS\hpoins08.dat
[2010/06/16 21:11:32 | 000,007,577 | ---- | C] () -- C:\WINDOWS\hpomdl08.dat
[2010/02/10 18:58:35 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/17 00:21:06 | 000,014,848 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/29 18:13:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/04/27 21:37:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2009/04/21 21:40:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/04/16 20:07:58 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/04/16 20:07:54 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/04/16 20:07:54 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/04/16 20:07:54 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/16 20:07:52 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/04/09 21:39:45 | 000,005,829 | -H-- | C] () -- C:\WINDOWS\Jelly.ini
[2009/04/08 17:03:39 | 000,000,709 | -H-- | C] () -- C:\WINDOWS\AutoCAD 2000 EReg.ini
[2009/04/08 15:54:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack.INI
[2009/04/08 15:50:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\MTSTACK.EXE
[2009/04/08 15:33:31 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/14 16:33:46 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/01/14 15:22:06 | 000,069,987 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2009/01/14 14:48:57 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/01/14 14:48:57 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2009/01/14 14:48:56 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/01/13 17:27:37 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/01/13 17:16:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/01/13 12:07:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/01/13 12:06:26 | 000,199,344 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/07/16 12:48:28 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/07/16 12:48:27 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/07/16 12:35:07 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/07/16 12:35:06 | 000,432,924 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 12:35:05 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/07/16 12:35:03 | 000,067,714 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 12:33:18 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/07/16 12:28:25 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/07/16 12:28:14 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/07/16 12:28:08 | 000,049,156 | ---- | C] () -- C:\WINDOWS\System32\certstore.dat
[2003/07/16 12:21:49 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/07/16 12:20:48 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 16:30:00 | 000,003,399 | -H-- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
========== LOP Check ========== [2010/04/13 19:09:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2010/10/08 18:38:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/04/13 18:58:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/04/30 21:58:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/13 18:58:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\DriverCure
[2010/11/17 22:26:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\MP3Rocket
[2011/05/23 01:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\Tasks\DriverCure.job
[2011/05/26 16:17:32 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\Tasks\dwkruf.job
[2011/05/26 16:17:21 | 000,000,352 | -HS- | M] () -- C:\WINDOWS\Tasks\taaiponsw.job
[2011/05/26 17:36:27 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job
[2011/05/26 17:21:27 | 000,000,292 | -H-- | M] () -- C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/05/26 17:44:14 | 000,000,250 | -H-- | M] () -- C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
========== Purity Check ========== < End of report >
***********************************************************************************************************
***********************************************************************************************************
***********************************************************************************************************
I hope this helps you! Let me know if there's anything else you need me to do,Thanks! PG
I couldn't send this from home, each time I hit the 'Add Reply' button, the next window says the connection was reset. Don't know what that is, or why, so I'm putting this txt on a thumb drive and sending it from work.
ps Avira keeps detecting 'TR/Buzy.2678' was found in file 'C:\...\nsdmmxz1w.exe' Access to this file was denied. Then I hit the 'Remove' button and get rid of it, but it keeps coming back, about every 3 minutes. The long skinny window I mentioned before still opens every minute or so.
Thanks for your help!
PG
This topic is locked
Sign In
Create Account
