
Browsers (both Firefox & IE) are EXTREMELY slow


#31
jsaklas (Topic Starter, Member, 333 posts)

CompCav,

When I log off, I get messages that Windows is shutting down mixer.exe and sometimes something about dwwin.exe failure causes the application to shut down.

#32
CompCav (Expert, Member 5k, 12,454 posts)

Step 1.

aswMBR Fix

Click Scan.

On completion of the scan, click the Fix button.

Save the log as before and post it in your next reply.


Step 2.

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop.

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow it to update if it asks.

When finished, it produces a log for you.
Please include the C:\ComboFix.txt in your next reply.



Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.


Step 3.

Run OTL Scan

Please reopen OTL on your desktop.
Please check Scan All Users.
Under Extra Registry, select Use SafeList.
Please post the OTL.txt and Extras.txt in the next reply.


Step 4.

Please Post:

aswMBR log
ComboFix log
OTL.txt
Extras.txt


Please tell me how the computer is performing. Has sound been restored? Has the slowness been resolved?

#33
jsaklas (Topic Starter, Member, 333 posts)

CompCav,

The aswMBR ran just fine. The ComboFix did as well, but with a few glitches. I was prompted that I did not have an MS Window Recovery .... and was prompted to load it. ComboFix connected to MS, downloaded it and then continued, and all seemed OK.

However, although I disengaged the 3 types of AVIRA Anti-virus, some type of Avira was still running because it did not like ComboFix and prompted me to stop, ignore, etc. I just kept clicking on Ignore or Excepted Program and ComboFix kept running to its end.

Also, once I was prompted by Windows that it must close a file called Pev.exe.

Lastly, I checked my Task Manager after all was over. A file called Pev.exe was still running (but was not effectively eating up any CPU or Memory). Also, although I unchecked the WD programs via the config window a few days ago, they are still running according to the Task Manager. AND, it appears, although it may be too early to tell, that the svchost.exe program that was running up to 900,000+ K is no longer doing so - a great victory.

Below are the four requested logs.

js

--------------------------------------


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-17 15:16:44
-----------------------------
15:16:44.463 OS Version: Windows 5.1.2600 Service Pack 3
15:16:44.463 Number of processors: 1 586 0x207
15:16:44.463 ComputerName: JAMES-HOME UserName: Baba
15:16:58.977 Initialize success
15:17:31.552 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
15:17:31.552 Disk 0 Vendor: WDC_WD800JB-00FMA0 13.03G13 Size: 76319MB BusType: 3
15:17:31.552 Device \Driver\atapi -> DriverStartIo 8a1ef2c6
15:17:31.583 Disk 0 MBR read successfully
15:17:31.583 Disk 0 MBR scan
15:17:31.583 Disk 0 TDL4@MBR code has been found
15:17:31.583 Disk 0 Windows XP default MBR code found via API
15:17:31.583 Disk 0 MBR hidden
15:17:31.583 Disk 0 MBR [TDL4] **ROOTKIT**
15:17:31.583 Disk 0 trace - called modules:
15:17:31.583 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a1ef49f]<<
15:17:31.583 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2d8ab8]
15:17:31.583 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000005d[0x8a2bc9e8]
15:17:31.583 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x8a2bad98]
15:17:31.817 \Driver\atapi[0x8a276030] -> IRP_MJ_CREATE -> 0x8a1ef49f
15:17:31.817 Scan finished successfully
15:17:50.956 Disk 0 MBR read successfully
15:17:50.956 Disk 0 TDL4@MBR code has been found
15:17:50.956 Disk 0 fixing MBR ...
15:18:00.955 Disk 0 MBR restored successfully
15:18:00.955 Verifying disinfection
15:18:11.047 Infection fixed successfully - please reboot ASAP
15:18:42.856 Disk 0 MBR has been saved successfully to "C:\Computer\MBR.dat"
15:18:42.872 The log file has been saved successfully to "C:\Computer\aswMBR 10-17-11.txt"


-------------------------------------


ComboFix 11-10-17.02 - Baba 10/17/2011 15:56:35.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1038 [GMT -4:00]
Running from: c:\desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOW2\Application Data\tmp29.tmp
c:\documents and settings\Baba\Application Data\6E92.F8A
c:\documents and settings\Baba\fpfkbfxlzm.tmp
c:\documents and settings\Baba\GoToAssistDownloadHelper.exe
c:\documents and settings\Baba\WINDOWS
c:\documents and settings\James Saklas\WINDOWS
c:\documents and settings\Luli\Application Data\Mozilla\Firefox\Profiles\jb86guyn.default\extensions\{09ee7db3-134a-43b1-9977-7293a87f569c}
c:\documents and settings\Luli\Application Data\Mozilla\Firefox\Profiles\jb86guyn.default\extensions\{09ee7db3-134a-43b1-9977-7293a87f569c}\chrome\xulcache.jar
c:\documents and settings\Luli\Application Data\Mozilla\Firefox\Profiles\jb86guyn.default\extensions\{09ee7db3-134a-43b1-9977-7293a87f569c}\defaults\preferences\xulcache.js
c:\documents and settings\Luli\Application Data\Mozilla\Firefox\Profiles\jb86guyn.default\extensions\{09ee7db3-134a-43b1-9977-7293a87f569c}\install.rdf
c:\documents and settings\Luli\Application Data\Mozilla\Firefox\Profiles\jb86guyn.default\extensions\{9d5b705c-2c3a-47dc-b3a3-fba8cab6431e}
c:\documents and settings\Luli\Application Data\Mozilla\Firefox\Profiles\jb86guyn.default\extensions\{9d5b705c-2c3a-47dc-b3a3-fba8cab6431e}\chrome\xulcache.jar
c:\documents and settings\Luli\Application Data\Mozilla\Firefox\Profiles\jb86guyn.default\extensions\{9d5b705c-2c3a-47dc-b3a3-fba8cab6431e}\defaults\preferences\xulcache.js
c:\documents and settings\Luli\Application Data\Mozilla\Firefox\Profiles\jb86guyn.default\extensions\{9d5b705c-2c3a-47dc-b3a3-fba8cab6431e}\install.rdf
c:\documents and settings\Luli\fpfkbfxlzm.tmp
c:\documents and settings\Luli\Start Menu\Internet Explorer.lnk
c:\window2\desktop
c:\window2\desktop\Install America Online - Free Trial.lnk
c:\window2\Downloaded Program Files\ODCTOOLS
c:\window2\system32\d3d9caps.dat
c:\window2\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-09-17 to 2011-10-17 )))))))))))))))))))))))))))))))
.
.
2011-10-17 19:31 . 2011-10-17 19:32 -------- d-----w- C:\32788R22FWJFW
2011-10-16 13:54 . 2011-10-16 14:09 -------- d-----w- C:\Danae Saklas
2011-10-16 13:54 . 2011-10-16 13:54 -------- d-----w- C:\Danae
2011-10-15 21:04 . 2011-10-15 21:04 1324 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\d3d9caps.tmp
2011-10-15 15:13 . 2011-10-15 15:13 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY.000\UserData
2011-10-15 13:59 . 2011-10-15 13:59 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY.000\UserData
2011-10-14 02:11 . 2011-10-14 02:11 -------- d-----w- c:\documents and settings\Luli\Application Data\Avira
2011-10-13 22:06 . 2011-04-08 20:09 229376 ----a-w- c:\window2\system32\PuranDefragS.exe
2011-10-13 22:06 . 2011-04-08 20:09 221184 ----a-w- c:\window2\system32\PuranDC.exe
2011-10-13 22:06 . 2011-04-08 20:09 1110016 ----a-w- c:\window2\system32\PuranFD.exe
2011-10-13 22:06 . 2011-04-08 20:09 107008 ----a-w- c:\window2\system32\PuranDefragBT.exe
2011-10-13 22:06 . 2010-01-27 17:58 212992 ----a-w- c:\window2\system32\PuranDefrag.dll
2011-10-13 22:06 . 2011-10-14 17:30 -------- d-----w- c:\program files\Puran Defrag
2011-10-13 03:03 . 2011-10-13 03:03 -------- d-----w- c:\documents and settings\Baba\Application Data\Avira
2011-10-13 03:01 . 2011-09-18 12:39 134344 ----a-w- c:\window2\system32\drivers\avipbb.sys
2011-10-13 03:01 . 2011-09-16 03:55 36000 ----a-w- c:\window2\system32\drivers\avkmgr.sys
2011-10-13 03:01 . 2011-09-16 03:55 74640 ----a-w- c:\window2\system32\drivers\avgntflt.sys
2011-10-13 02:59 . 2011-10-13 02:59 -------- d-----w- c:\program files\Avira
2011-10-12 05:41 . 2011-10-12 05:41 -------- d-----w- c:\program files\ESET
2011-10-08 03:30 . 2011-10-08 03:30 -------- d-----w- C:\_OTL
2011-10-02 04:06 . 2011-07-17 02:21 302592 ----a-w- C:\gmer.exe
2011-10-01 16:23 . 2011-10-17 19:18 -------- d-----w- C:\Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-28 15:30 . 2011-05-16 23:16 404640 ----a-w- c:\window2\system32\FlashPlayerCPLApp.cpl
2011-08-31 21:00 . 2010-03-20 01:47 22216 ----a-w- c:\window2\system32\drivers\mbam.sys
2011-08-01 14:15 . 2011-08-24 02:11 23386624 ----a-w- C:\WD Software Upgrader.msi
2011-10-02 22:35 . 2011-03-24 21:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2008-09-25 160112]
"NvCplDaemon"="c:\window2\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\window2\system32\NvMcTray.dll" [2008-05-16 86016]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-24 198160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-05 258512]
.
c:\documents and settings\All Users.WINDOW2\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-29 113664]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOW2^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users.WINDOW2\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\window2\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOW2^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users.WINDOW2\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\window2\pss\WDSmartWare.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NswUiTray]
2008-09-25 21:52 85360 ----a-w- c:\program files\Norton SystemWorks\NswUiTray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Baba\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 avkmgr;avkmgr;c:\window2\system32\drivers\avkmgr.sys [10/12/2011 11:01 PM 36000]
R1 d8a4fef9-85c1-448f-a6f9-2570fb195020;d8a4fef9-85c1-448f-a6f9-2570fb195020;c:\window2\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys [12/13/2009 11:57 PM 3584]
R2 AntiVirMailService;Avira Mail Protection;c:\program files\Avira\AntiVir Desktop\avmailc.exe [10/12/2011 11:01 PM 342480]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/12/2011 11:01 PM 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [10/12/2011 11:01 PM 463824]
S3 ivusb;Initio Driver for USB Default Controller;c:\window2\system32\DRIVERS\ivusb.sys --> c:\window2\system32\DRIVERS\ivusb.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\window2\system32\drivers\mbamswissarmy.sys --> c:\window2\system32\drivers\mbamswissarmy.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\window2\system32\drivers\wdcsam.sys [3/2/2011 1:13 AM 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-01 c:\window2\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2008-09-25 21:52]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
Trusted Zone: aol.com\free
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Baba\Application Data\Mozilla\Firefox\Profiles\g7tscgnb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-17 16:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(636)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2011-10-17 16:25:02
ComboFix-quarantined-files.txt 2011-10-17 20:24
.
Pre-Run: 17,713,474,048 bytes free
Post-Run: 18,271,719,424 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW2
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOW2="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 54290CF81143F94CB290CDE0FBCA0B0F


------------------------------


OTL logfile created on: 10/17/2011 4:27:42 PM - Run 7
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Baba\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 69.31% Memory free
2.11 Gb Paging File | 1.73 Gb Available in Paging File | 81.93% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOW2 | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 17.02 Gb Free Space | 22.83% Space Free | Partition Type: NTFS

Computer Name: JAMES-HOME | User Name: Baba | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/06 02:32:42 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Baba\Desktop\OTL.exe
PRC - [2011/10/05 10:24:34 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/10/05 10:24:26 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/10/05 10:24:17 | 000,463,824 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2011/10/05 10:24:15 | 000,342,480 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
PRC - [2011/10/05 10:24:14 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011/10/05 10:24:14 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/11/08 12:43:16 | 000,484,352 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
PRC - [2010/11/08 12:40:14 | 000,237,568 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
PRC - [2008/09/25 17:53:16 | 000,095,600 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOW2\explorer.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2003/05/08 08:00:58 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
PRC - [2002/10/15 14:00:20 | 001,818,624 | ---- | M] (C-Media Electronic Inc. (www.cmedia.com.tw)) -- C:\WINDOW2\mixer.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/05 10:24:28 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011/07/02 02:00:04 | 000,212,992 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\0f3d321ebd65af974ff0ad424223276d\System.ServiceProcess.ni.dll
MOD - [2011/07/02 01:57:03 | 000,771,584 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\bdaf7904d223589a0f464de58d27e691\System.Runtime.Remoting.ni.dll
MOD - [2011/07/02 01:49:36 | 007,950,848 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System\f6a9a002526806f3a5b745cf5c407cae\System.ni.dll
MOD - [2011/07/02 01:49:17 | 011,490,816 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
MOD - [2010/11/08 12:43:16 | 000,484,352 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
MOD - [2009/04/23 22:55:14 | 000,176,235 | ---- | M] () -- C:\WINDOW2\system32\Primomonnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/10/05 10:24:26 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/10/05 10:24:17 | 000,463,824 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE -- (AntiVirWebService)
SRV - [2011/10/05 10:24:15 | 000,342,480 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService)
SRV - [2011/10/05 10:24:14 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/11/08 12:43:34 | 001,060,352 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe -- (WDFME)
SRV - [2010/11/08 12:43:16 | 000,484,352 | ---- | M] () [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe -- (WDSC)
SRV - [2010/11/08 12:40:14 | 000,237,568 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2008/09/25 17:53:32 | 000,181,680 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe -- (Speed Disk service)
SRV - [2008/09/25 17:53:16 | 000,095,600 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE -- (NProtectService)
SRV - [2008/08/01 11:31:11 | 000,238,968 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2008/08/01 11:31:01 | 003,220,856 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
SRV - [2008/01/29 19:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - [2011/09/18 08:39:27 | 000,134,344 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOW2\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/09/15 23:55:04 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOW2\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/09/15 23:55:03 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOW2\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOW2\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/12/13 23:57:18 | 000,003,584 | ---- | M] (Systems Internals) [Kernel | System | Running] -- C:\WINDOW2\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys -- (d8a4fef9-85c1-448f-a6f9-2570fb195020)
DRV - [2009/08/18 22:36:30 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/02/13 12:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOW2\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/09/25 17:53:36 | 000,095,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOW2\system32\drivers\SdDriver.SYS -- (SDdriver)
DRV - [2008/09/25 17:53:14 | 000,087,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\NPDRIVER.SYS -- (NPDriver)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2002/11/18 11:51:40 | 000,377,358 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOW2\system32\blank.htm
IE - HKU\S-1-5-21-299502267-115176313-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: ""
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOW2\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOW2\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Baba\Application Data\Move Networks\plugins\npqmp071502000008.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Baba\Application Data\Move Networks\plugins\npqmp071502000008.dll (Move Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/02 18:35:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/14 23:34:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 7.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/08/17 23:34:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Documents and Settings\Baba\Application Data\Move Networks [2009/12/02 02:06:45 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 6 6.2.3\Extensions\\Components: C:\Netscape 6\Components
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 6 6.2.3\Extensions\\Plugins: C:\Netscape 6\Plugins

[2010/09/03 18:15:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Baba\Application Data\Mozilla\Extensions
[2010/09/03 18:15:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Baba\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/10/07 23:22:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Baba\Application Data\Mozilla\Firefox\Profiles\g7tscgnb.default\extensions
[2010/06/25 22:04:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Baba\Application Data\Mozilla\Firefox\Profiles\g7tscgnb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/28 23:57:29 | 000,001,504 | ---- | M] () -- C:\Documents and Settings\Baba\Application Data\Mozilla\Firefox\Profiles\g7tscgnb.default\searchplugins\imdb.xml
[2011/03/23 21:03:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/24 12:47:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/24 12:46:17 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/10/02 18:35:35 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2004/11/12 19:36:22 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\mozilla firefox\plugins\NPAdbESD.dll
[2008/06/17 22:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2010/06/24 12:46:13 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2005/05/28 07:15:00 | 000,110,592 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2007/09/05 09:56:00 | 000,352,256 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npsabffx.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/10/17 16:18:11 | 000,000,027 | ---- | M]) - C:\WINDOW2\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOW2\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
O4 - HKLM..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks\osCheck.exe (Symantec Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOW2\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOW2\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOW2\System32\nwiz.exe ()
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ US DOT VPN Client.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-115176313-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk ()
O9 - Extra 'Tools' menuitem : Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O15 - HKU\S-1-5-21-299502267-115176313-839522115-1004\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.micr...veX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://sra.dot.gov/...SetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{17B7A976-DB18-48C7-AD20-F583F7824731}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOW2\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOW2\system32\userinit.exe) -C:\WINDOW2\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOW2\doody1.bmp
O24 - Desktop BackupWallPaper: C:\WINDOW2\doody1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/30 17:16:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/08/02 07:48:02 | 000,001,688 | ---- | M] () - C:\AUTOEXEC.NT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-299502267-115176313-839522115-1004..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-299502267-115176313-839522115-1004\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/17 15:40:52 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/10/17 15:33:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOW2\SWREG.exe
[2011/10/17 15:33:15 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOW2\SWSC.exe
[2011/10/17 15:33:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOW2\SWXCACLS.exe
[2011/10/17 15:33:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOW2\NIRCMD.exe
[2011/10/17 15:32:46 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/10/17 15:32:33 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/10/17 15:32:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Baba\Start Menu\Programs\Administrative Tools
[2011/10/17 15:31:32 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/10/16 09:54:23 | 000,000,000 | ---D | C] -- C:\Danae Saklas
[2011/10/16 09:54:06 | 000,000,000 | ---D | C] -- C:\Danae
[2011/10/13 18:06:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Puran Defrag
[2011/10/13 18:06:12 | 000,000,000 | ---D | C] -- C:\Program Files\Puran Defrag
[2011/10/12 23:03:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Baba\Application Data\Avira
[2011/10/12 23:02:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Avira
[2011/10/12 23:01:19 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOW2\System32\drivers\ssmdrv.sys
[2011/10/12 23:01:08 | 000,134,344 | ---- | C] (Avira GmbH) -- C:\WINDOW2\System32\drivers\avipbb.sys
[2011/10/12 23:01:08 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\WINDOW2\System32\drivers\avkmgr.sys
[2011/10/12 23:01:07 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\WINDOW2\System32\drivers\avgntflt.sys
[2011/10/12 22:59:32 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/10/12 01:41:18 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/10/07 23:30:54 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/10/07 23:22:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Baba\Desktop\GooredFix Backups
[2011/10/07 23:12:10 | 001,558,320 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Baba\Desktop\tdsskiller.exe
[2011/10/07 23:10:42 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Baba\Desktop\GooredFix.exe
[2011/10/06 09:41:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOW2\Local Settings
[2011/10/06 02:32:39 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Baba\Desktop\OTL.exe
[2011/10/01 12:23:41 | 000,000,000 | ---D | C] -- C:\Computer

========== Files - Modified Within 30 Days ==========

[2011/10/17 16:18:11 | 000,000,027 | ---- | M] () -- C:\WINDOW2\System32\drivers\etc\hosts
[2011/10/17 15:41:04 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/10/17 15:23:52 | 000,186,097 | ---- | M] () -- C:\WINDOW2\System32\nvapps.xml
[2011/10/17 15:23:36 | 000,013,646 | ---- | M] () -- C:\WINDOW2\System32\wpa.dbl
[2011/10/17 15:23:20 | 000,002,048 | --S- | M] () -- C:\WINDOW2\bootstat.dat
[2011/10/17 15:23:04 | 1610,145,792 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/15 12:32:20 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/10/15 11:03:44 | 000,000,051 | ---- | M] () -- C:\NsScanforTest.ini
[2011/10/12 23:02:29 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOW2\Desktop\Avira Control Center.lnk
[2011/10/11 21:35:54 | 000,000,226 | ---- | M] () -- C:\WINDOW2\Prestopm.INI
[2011/10/07 23:15:06 | 000,004,730 | ---- | M] () -- C:\Documents and Settings\Baba\Desktop\Document.rtf
[2011/10/07 23:11:19 | 001,558,320 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Baba\Desktop\tdsskiller.exe
[2011/10/07 23:07:54 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Baba\Desktop\GooredFix.exe
[2011/10/07 22:48:59 | 001,045,398 | ---- | M] () -- C:\WINDOW2\dors1.bmp
[2011/10/07 22:45:59 | 001,045,466 | ---- | M] () -- C:\WINDOW2\dietrich2.bmp
[2011/10/07 22:42:35 | 001,045,558 | ---- | M] () -- C:\WINDOW2\dietrich1.bmp
[2011/10/07 22:12:13 | 001,045,558 | ---- | M] () -- C:\WINDOW2\doody2.bmp
[2011/10/07 22:10:53 | 001,045,558 | ---- | M] () -- C:\WINDOW2\doody1.bmp
[2011/10/06 02:32:42 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Baba\Desktop\OTL.exe
[2011/10/01 09:00:55 | 000,000,290 | ---- | M] () -- C:\WINDOW2\tasks\Norton SystemWorks One Button Checkup.job
[2011/09/28 11:30:25 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOW2\System32\FlashPlayerCPLApp.cpl
[2011/09/25 23:47:41 | 001,045,386 | ---- | M] () -- C:\WINDOW2\dickinson3.bmp
[2011/09/25 23:45:50 | 001,045,558 | ---- | M] () -- C:\WINDOW2\dickinson2.bmp
[2011/09/25 23:40:59 | 001,045,546 | ---- | M] () -- C:\WINDOW2\dickinson1.bmp
[2011/09/25 23:36:24 | 001,045,558 | ---- | M] () -- C:\WINDOW2\deschanel2.bmp
[2011/09/25 23:35:40 | 001,045,558 | ---- | M] () -- C:\WINDOW2\deschanel1.bmp
[2011/09/18 08:39:27 | 000,134,344 | ---- | M] (Avira GmbH) -- C:\WINDOW2\System32\drivers\avipbb.sys

========== Files Created - No Company Name ==========

[2011/10/17 15:41:03 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/10/17 15:40:58 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/10/17 15:33:15 | 000,256,000 | ---- | C] () -- C:\WINDOW2\PEV.exe
[2011/10/17 15:33:15 | 000,208,896 | ---- | C] () -- C:\WINDOW2\MBR.exe
[2011/10/17 15:33:15 | 000,098,816 | ---- | C] () -- C:\WINDOW2\sed.exe
[2011/10/17 15:33:15 | 000,080,412 | ---- | C] () -- C:\WINDOW2\grep.exe
[2011/10/17 15:33:15 | 000,068,096 | ---- | C] () -- C:\WINDOW2\zip.exe
[2011/10/12 23:02:29 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOW2\Desktop\Avira Control Center.lnk
[2011/10/07 23:15:06 | 000,004,730 | ---- | C] () -- C:\Documents and Settings\Baba\Desktop\Document.rtf
[2011/10/07 22:48:57 | 001,045,398 | ---- | C] () -- C:\WINDOW2\dors1.bmp
[2011/10/07 22:42:32 | 001,045,558 | ---- | C] () -- C:\WINDOW2\dietrich1.bmp
[2011/10/07 22:12:11 | 001,045,558 | ---- | C] () -- C:\WINDOW2\doody2.bmp
[2011/10/07 22:10:50 | 001,045,558 | ---- | C] () -- C:\WINDOW2\doody1.bmp
[2011/10/02 00:06:09 | 000,302,592 | ---- | C] () -- C:\gmer.exe
[2011/09/25 23:47:39 | 001,045,386 | ---- | C] () -- C:\WINDOW2\dickinson3.bmp
[2011/09/25 23:45:48 | 001,045,558 | ---- | C] () -- C:\WINDOW2\dickinson2.bmp
[2010/10/05 19:15:20 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Baba\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2009/12/13 19:01:29 | 000,000,066 | ---- | C] () -- C:\WINDOW2\GDINST.INI
[2009/10/01 23:33:34 | 000,000,226 | ---- | C] () -- C:\WINDOW2\Prestopm.INI
[2009/10/01 23:32:22 | 000,036,291 | ---- | C] () -- C:\WINDOW2\CSTBox.INI
[2009/08/20 00:28:34 | 000,000,635 | ---- | C] () -- C:\Documents and Settings\Baba\Application Data\PrimoPDFSet.xml
[2009/08/19 23:45:06 | 000,176,235 | ---- | C] () -- C:\WINDOW2\System32\Primomonnt.dll
[2009/08/13 18:23:41 | 000,075,776 | ---- | C] () -- C:\WINDOW2\cadkasdeinst01e.exe
[2009/07/14 04:35:33 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Baba\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/14 03:17:34 | 000,000,235 | ---- | C] () -- C:\WINDOW2\EXCEL4.INI
[2009/07/11 15:13:24 | 000,022,480 | ---- | C] () -- C:\WINDOW2\System32\PFMAPI16.DLL
[2009/07/11 15:13:24 | 000,020,992 | ---- | C] () -- C:\WINDOW2\System32\PFMAPI32.DLL
[2009/07/10 21:26:01 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Baba\Application Data\PFP120JPR.{PB
[2009/07/10 21:26:01 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Baba\Application Data\PFP120JCM.{PB
[2009/07/09 21:54:40 | 000,000,532 | ---- | C] () -- C:\WINDOW2\MAXLINK.INI
[2009/07/09 21:52:13 | 000,000,105 | ---- | C] () -- C:\WINDOW2\UMXADDIN.INI
[2009/07/09 21:52:12 | 000,040,960 | ---- | C] () -- C:\WINDOW2\System32\IPPCPUID.DLL
[2009/07/09 21:51:55 | 000,011,776 | ---- | C] () -- C:\WINDOW2\System32\pmsbfn32.dll
[2009/07/09 21:50:49 | 000,000,074 | ---- | C] () -- C:\WINDOW2\PMINI.ini
[2009/07/09 11:50:10 | 000,046,784 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOW2\Application Data\LuUninstall.LiveUpdate
[2009/07/08 01:14:23 | 000,024,501 | ---- | C] () -- C:\WINDOW2\mozver.dat
[2009/07/06 21:13:13 | 000,000,376 | ---- | C] () -- C:\WINDOW2\ODBC.INI
[2009/07/06 19:05:29 | 000,000,335 | ---- | C] () -- C:\WINDOW2\nsreg.dat
[2009/07/06 19:03:10 | 000,000,025 | ---- | C] () -- C:\WINDOW2\mixerdef.ini
[2009/07/06 18:56:15 | 000,002,048 | --S- | C] () -- C:\WINDOW2\bootstat.dat
[2009/07/06 18:43:58 | 000,021,640 | ---- | C] () -- C:\WINDOW2\System32\emptyregdb.dat
[2009/07/06 11:30:20 | 000,004,161 | ---- | C] () -- C:\WINDOW2\ODBCINST.INI
[2009/07/06 11:27:26 | 000,929,280 | ---- | C] () -- C:\WINDOW2\System32\FNTCACHE.DAT
[2009/07/06 10:34:13 | 000,039,104 | ---- | C] () -- C:\WINDOW2\cmijack.dat
[2009/07/06 10:34:13 | 000,022,178 | ---- | C] () -- C:\WINDOW2\cmaudio.dat
[2009/04/27 00:13:36 | 000,000,314 | ---- | C] () -- C:\WINDOW2\primopdf.ini
[2008/05/16 17:01:00 | 001,703,936 | ---- | C] () -- C:\WINDOW2\System32\nvwdmcpl.dll
[2008/05/16 17:01:00 | 001,630,208 | ---- | C] () -- C:\WINDOW2\System32\nwiz.exe
[2008/05/16 17:01:00 | 001,486,848 | ---- | C] () -- C:\WINDOW2\System32\nview.dll
[2008/05/16 17:01:00 | 001,339,392 | ---- | C] () -- C:\WINDOW2\System32\nvdspsch.exe
[2008/05/16 17:01:00 | 001,019,904 | ---- | C] () -- C:\WINDOW2\System32\nvwimg.dll
[2008/05/16 17:01:00 | 000,466,944 | ---- | C] () -- C:\WINDOW2\System32\nvshell.dll
[2008/05/16 17:01:00 | 000,442,368 | ---- | C] () -- C:\WINDOW2\System32\nvappbar.exe
[2008/05/16 17:01:00 | 000,425,984 | ---- | C] () -- C:\WINDOW2\System32\keystone.exe
[2008/05/16 17:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOW2\System32\nvnt4cpl.dll
[2006/11/01 08:54:30 | 000,180,224 | ---- | C] () -- C:\WINDOW2\System32\xvidvfw.dll
[2006/11/01 08:52:38 | 000,765,952 | ---- | C] () -- C:\WINDOW2\System32\xvidcore.dll
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOW2\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOW2\System32\mlang.dat
[2006/02/28 08:00:00 | 000,432,622 | ---- | C] () -- C:\WINDOW2\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOW2\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOW2\System32\dssec.dat
[2006/02/28 08:00:00 | 000,067,578 | ---- | C] () -- C:\WINDOW2\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOW2\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOW2\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOW2\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOW2\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOW2\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOW2\System32\noise.dat
[2004/10/26 18:39:04 | 003,375,104 | ---- | C] () -- C:\WINDOW2\System32\qt-mt331.dll

< End of report >


---------------------------------------


OTL Extras logfile created on: 10/17/2011 4:27:42 PM - Run 7
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Baba\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 69.31% Memory free
2.11 Gb Paging File | 1.73 Gb Available in Paging File | 81.93% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOW2 | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 17.02 Gb Free Space | 22.83% Space Free | Partition Type: NTFS

Computer Name: JAMES-HOME | User Name: Baba | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htafile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Baba\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe" = C:\Documents and Settings\Baba\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe:*:Enabled:Juniper Terminal Services Client -- (Juniper Networks)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07CEC3B0-83D0-422A-BE6D-63633C5063BB}" = TurboCAD Symbols
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{2ADE2157-7A5E-122C-B51D-EB8A01B15943}" = DeepBurner v1.9.0.228
"{2EEF331B-6AC8-471A-84AE-6A9ED940EDC2}" = TurboCAD Deluxe v11.2
"{34EF3470-B8D8-44b6-B09B-7F5EB9AECCC8}" = Norton SystemWorks
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{39468292-5D68-4E93-9E09-5D9D5CA00E7A}" = FileOpen Client Installer
"{444B6A7B-0E26-4416-A43F-D1C9AAE6075D}" = Canon CanoScan Toolbox 4.8
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50CD421F-CAFD-46C4-BEFD-E1C46FE63062}" = Manual CanoScan 8400F
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{5BE42A03-E7B8-42A9-B1BB-FC48B03D58B8}" = Presto! PageManager 6.11
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}" = Norton Utilities
"{6C9736CA-121C-427E-A2AC-E2125B0D362D}" = 1st Pricing
"{71F6DF7D-B639-4FAD-BA93-E6DF267AA44D}" = DesignPro 5.4 Limited Edition
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77364F85-6219-4CB8-AAA0-6D53368D683D}" = Connection Keep Alive
"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0
"{7EFB99A8-465B-4B2F-B97F-F9C687449081}" = WinBASIC 2.0
"{885744A4-1A01-44B0-858A-0AE6738CBCF7}" = PrimoPDF Redistribution Package
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AC76BA86-7AD7-2448-0000-900000000003}" = Chinese Traditional Fonts Support For Adobe Reader 9
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CA31120D-2101-484D-9FF1-195DE96FE346}" = Norton Cleanup
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2261C4B-4D9B-4149-8472-31B7A2FEAB91}" = ArcSoft PhotoStudio 5.5
"{DC5F786F-0733-46AC-8160-972A6906A872}" = WD SmartWare
"{E24A0015-C73F-4B57-B8DF-5EB84D2E9685}" = Adobe Flash Player 10 ActiveX
"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
"{EFCE5837-FC21-11D6-9D24-00010240CE95}" = Java 2 Runtime Environment, SE v1.4.1_02
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 2.0" = Adobe Photoshop Elements 2.0
"Avira AntiVir Desktop" = Avira Antivirus Premium 2012
"CAL" = Canon Camera Access Library
"CameraUserGuide-PSSD1200IS_IXUS95IS" = Canon PowerShot SD1200 IS_IXUS 95 IS Camera User Guide
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Corel WordPerfect Suite 8" = Corel WordPerfect Suite 8
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"FL 2001 Registration" = FL 2001 Registration
"Free PDF to Word Doc Converter_is1" = Free PDF to Word Doc Converter v1.1
"FreeZip" = FreeZip
"InstallShield_{71F6DF7D-B639-4FAD-BA93-E6DF267AA44D}" = DesignPro 5.4 Limited Edition
"Java Web Start" = Java Web Start
"jZip" = jZip
"LiveUpdate" = LiveUpdate 2.5 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox 7.0.1 (x86 en-US)" = Mozilla Firefox 7.0.1 (x86 en-US)
"Mozilla Thunderbird (7.0.1)" = Mozilla Thunderbird (7.0.1)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NVIDIA Drivers" = NVIDIA Drivers
"PCI Audio Driver" = PCI Audio Driver
"PDF Editor 2" = PDF Editor 2
"Personal Printing Guide" = Canon Personal Printing Guide
"PhotoStitch" = Canon Utilities PhotoStitch
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"PrimoPDF3.1" = PrimoPDF
"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
"Puran Defrag Free Edition_is1" = Puran Defrag Free Edition 7.3
"Quicken Family Lawyer 2001" = Quicken Family Lawyer 2001
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SoftwareStarterGuide-DCSD40_46" = Canon Digital Camera Solution Disk 40-46 Software Starter Guide
"SymSetup.{34EF3470-B8D8-44b6-B09B-7F5EB9AECCC8}" = Norton SystemWorks (Symantec Corporation)
"The Plain-Language Law Dictionary" = The Plain-Language Law Dictionary
"VisualFortran60" = Visual Fortran 6.6.a
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"X Codec Pack" = X Codec Pack
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.1.0.366
"Juniper_Networks_Cache_Cleaner 6.5.0" = Juniper Networks Cache Cleaner 6.5.0
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Juniper_Term_Services" = Juniper Terminal Services Client
"Move Media Player" = Move Media Player
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/19/2011 1:18:44 AM | Computer Name = JAMES-HOME | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 6.0.2.4262, faulting
module nspr4.dll, version 4.8.9.0, fault address 0x000092ac.

Error - 9/28/2011 5:02:50 PM | Computer Name = JAMES-HOME | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 6.0.2.4262, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/1/2011 11:01:16 AM | Computer Name = JAMES-HOME | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.29.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/2/2011 10:00:33 AM | Computer Name = JAMES-HOME | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15641, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/2/2011 10:01:39 AM | Computer Name = JAMES-HOME | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15641, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/5/2011 7:56:37 PM | Computer Name = JAMES-HOME | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 7.0.1.4288, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/7/2011 11:24:35 PM | Computer Name = JAMES-HOME | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: The process cannot access the file because it is being used by another
process.

Error - 10/15/2011 3:46:42 PM | Computer Name = JAMES-HOME | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 10/16/2011 10:53:45 PM | Computer Name = JAMES-HOME | Source = ESENT | ID = 490
Description = svchost (5756) An attempt to open the file "C:\WINDOW2\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 10/17/2011 4:03:43 PM | Computer Name = JAMES-HOME | Source = Application Error | ID = 1000
Description = Faulting application pev.exe, version 0.0.0.0, faulting module pev.exe,
version 0.0.0.0, fault address 0x0008d1c0.

[ System Events ]
Error - 10/17/2011 1:56:28 PM | Computer Name = JAMES-HOME | Source = Print | ID = 23
Description = Printer Corel Barista failed to initialize because a suitable Corel
Barista driver could not be found.

Error - 10/17/2011 1:57:51 PM | Computer Name = JAMES-HOME | Source = Service Control Manager | ID = 7022
Description = The WebClient service hung on starting.

Error - 10/17/2011 2:29:16 PM | Computer Name = JAMES-HOME | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NVSvc service.

Error - 10/17/2011 2:29:43 PM | Computer Name = JAMES-HOME | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NVSvc service.

Error - 10/17/2011 3:24:25 PM | Computer Name = JAMES-HOME | Source = Print | ID = 23
Description = Printer Corel Barista failed to initialize because a suitable Corel
Barista driver could not be found.

Error - 10/17/2011 3:24:47 PM | Computer Name = JAMES-HOME | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD File Management Engine
service to connect.

Error - 10/17/2011 3:24:47 PM | Computer Name = JAMES-HOME | Source = Service Control Manager | ID = 7000
Description = The WD File Management Engine service failed to start due to the following
error: %%1053

Error - 10/17/2011 3:26:43 PM | Computer Name = JAMES-HOME | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NVSvc service.

Error - 10/17/2011 3:32:09 PM | Computer Name = JAMES-HOME | Source = Service Control Manager | ID = 7034
Description = The Speed Disk service service terminated unexpectedly. It has done
this 1 time(s).

Error - 10/17/2011 4:23:03 PM | Computer Name = JAMES-HOME | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NProtectService service.


< End of report >
  • 0

#34
jsaklas

    Member

  • Topic Starter
  • Member
  • 333 posts
CompCav,

ALSO, I have my sound back - another Great Victory
  • 0

#35
CompCav

    Member 5k

  • Expert
  • 12,454 posts
Please tell me how the computer is performing. Has sound been restored? Has the slowness been resolved?
  • 0

#36
jsaklas

    Member

  • Topic Starter
  • Member
  • 333 posts
CompCav,

Yes, the sound has returned; the "wild" svchost.exe program has been tamed; all appears relatively normal. I'm going to reactivate AVIRA.

I have some questions:

1. Why are the WD programs (WDDMService.exe and WDSC.exe) back, as indicated in my Task Manager, when we used msconfig to remove them from start-up?

2. Very recently I hooked up an old external hard drive. Do you think the viruses came from there, email, or internet sites?

3. You suggest I remove Norton Systemworks and you said you would recommend some free software that was even better; please do so.

LASTLY, THANKS FOR ALL YOUR TIME AND EFFORT :)

Edited by jsaklas, 17 October 2011 - 08:55 PM.

  • 0

#37
CompCav

    Member 5k

  • Expert
  • 12,454 posts
Here are some answers to your questions and a post to continue the malware removal process!



1. Why are the WD programs (WDDMService.exe and WDSC.exe) back, as indicated in my Task Manager, when we used msconfig to remove them from start-up?


You need to ensure that when you do the selective startup you make it permanent. Directions below.

2. Very recently I hooked up an old external hard drive. Do you think the viruses came from there, email, or internet sites?


It could be any or all of them. I will have you install a tool to prevent the transfer from external drives. Once it is installed, though, you will need to scan any device you have for possible malware by using your resident Antivirus and Malwarebytes.

3. You suggest I remove Norton Systemworks and you said you would recommend some free software that was even better; please do so.


First you do not need registry cleaners, they do little good and can actually harm your system.

A good registry back-up program is ERUNT. You have it now, and I run it before any change I make to my computer so that if an error occurs I can quickly and easily undo it.

Hard drive integrity and health can be effectively managed with the following tools:

Check disk and Puran Defrag. Since Puran has the option to do both, I recommend you use it to maintain your disk. Your hard drive manufacturer also has programs to run to check the health of your drive. Many have a SMART reader that will give you the health of your hard drive at a glance.

HD tune is a good tool on our site that can also help you check your hard drive to catch issues early.

The emptying of temp files can be done effectively with ATF, another free program on our website.

These should meet all the needs you actually used in SystemWorks without being so invasive on your system and slowing your computer performance.


Now back to cleaning up your computer:

Step 1.

Flash Drive Disinfector

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.


Step 2.

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Step 3.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use. You should have it still installed for FireFox.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


Step 4.

Please Post:

mbam log
ESET log


How is the computer performing now?


Step 5.

Autorun manager Revo Uninstaller

Another excellent tool for your computer is a good uninstaller with extra tools.

  • Please download the free Revo Uninstaller.
  • Run the revosetup.exe to install Revo Uninstaller Free version.
  • Start Revo Uninstaller
  • Click Tools in the top menu bar.
  • Click Autorun Manager in the left window pane.
  • Uncheck the appropriate startup items for your WD*.exe
  • Close Revo Uninstaller.
  • Reboot your computer and WD startup items are gone!
  • Anytime you want them to autostart again just follow steps 3 through 5 and check the box next to the item for step 6.

  • 0
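The Flash_Disinfector note above relies on one property of Windows autorun handling: if a folder named autorun.inf already occupies the root of a drive, a malware dropper cannot create an autorun.inf file of the same name there. As an added example (not part of this thread and not Flash_Disinfector's own code), here is a Python script that inspects a drive root, reports whether it holds the protective folder, nothing, or a real autorun.inf file, parses the [autorun] section of a real file so the analyst can see what it would launch, and creates the placeholder folder only on a root that has nothing. The drive roots and the sample autorun.inf contents are constructed for the demonstration in a temporary directory.

```python
import configparser
import tempfile
from pathlib import Path

# [autorun] keys that cause something to run or change what Explorer shows.
ACTION_KEYS = ("open", "shellexecute", "shell\\open\\command", "icon", "label")

# Constructed sample of a real autorun.inf file (not taken from the thread).
SAMPLE_AUTORUN = """[AutoRun]
open=backup\\run.exe
shellexecute=backup\\run.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Disk
"""


def parse_autorun(path):
    """Return the action-relevant keys of an autorun.inf file.

    The file is INI syntax; the section header may be written in any case,
    so the section is matched case-insensitively.  A file that does not
    parse at all is reported rather than silently treated as harmless.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(path.read_text(encoding="latin-1", errors="replace"))
    except configparser.Error as exc:
        return {"_error": f"unparseable autorun.inf: {exc.__class__.__name__}"}
    for name in cp.sections():
        if name.lower() == "autorun":
            section = cp[name]
            return {k: section[k] for k in ACTION_KEYS if k in section}
    return {}


def inspect_root(root):
    """Classify the autorun.inf entry at a drive root.

    'protected' -> a folder occupies the name (the Flash_Disinfector trick)
    'absent'    -> nothing there yet
    'file'      -> a real autorun.inf file; its action keys are returned
    """
    target = Path(root) / "autorun.inf"
    if target.is_dir():
        return {"state": "protected", "actions": {}}
    if not target.exists():
        return {"state": "absent", "actions": {}}
    return {"state": "file", "actions": parse_autorun(target)}


def protect_root(root):
    """Create the placeholder folder when the root has no autorun.inf.

    A real autorun.inf file is deliberately left in place so it can be
    reviewed first; the returned state tells the caller which case applied.
    """
    state = inspect_root(root)["state"]
    if state == "absent":
        (Path(root) / "autorun.inf").mkdir()
        return "protected"
    return state


def demo():
    """Build two constructed drive roots under a temp directory and run the
    checks over them; returns everything observed so it can be asserted on."""
    base = Path(tempfile.mkdtemp(prefix="autorun_demo_"))
    clean = base / "clean_drive"
    suspect = base / "suspect_drive"
    clean.mkdir()
    suspect.mkdir()
    (suspect / "autorun.inf").write_text(SAMPLE_AUTORUN)
    return {
        "clean_before": inspect_root(clean)["state"],
        "clean_after": protect_root(clean),
        "clean_again": protect_root(clean),
        "suspect": inspect_root(suspect),
        "suspect_protect": protect_root(suspect),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real removable drive by passing its root (for example `inspect_root("E:\\")`) after the drive has been scanned; a `file` result with an `open` or `shellexecute` key pointing at an executable on the drive is exactly the pattern a disinfector is meant to block.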

#38
jsaklas

    Member

  • Topic Starter
  • Member
  • 333 posts
SEVERE PROBLEM

Last night all was well. I just booted up, XP loaded, I clicked on my Icon and got a black screen, no icon, but I did get the tray. Then I got 25 windows saying:

Windows Delayed Write Failed. Failed to save all the components for the file \System32\0000390c This file is corrupted or unreadable. The error is caused by a PC Hardware Problem.

Then I got a System Restore Window. The tine logo sort of looks like MS, but I don't think it is legit.
The Window automatically started a scan; I could not stop it, but I can Pause it.
The window has 4 Choices: My Computer Related Problems; HDD Related Problems; RAM Memory Related Problems; and OS Registry Related Problems

I also get a pop-up error from the tray saying: Windows OS can't a free hard drive space. hard drive error

I also can't access the Task Manager, it is "Greyed Out" from the window I get when I right click on the tray.


BIG MESS - HELP
  • 0

#39
jsaklas

    Member

  • Topic Starter
  • Member
  • 333 posts
CompCav,

New problem. Now when I click on the Start button, only about one third of the links show up.
  • 0

#40
CompCav

    Member 5k

  • Expert
  • 12,454 posts
You are apparently having a severe hardware problem; make sure you have everything you want backed up to an external drive. I will have more for you later.

CompCav
  • 0

#41
CompCav

    Member 5k

  • Expert
  • 12,454 posts
You also may have a rogue Antivirus that looks very official and takes over your machine. Please leave the machine off until I can get a fix prepared.

CompCav
  • 0

#42
jsaklas

    Member

  • Topic Starter
  • Member
  • 333 posts
CompCav,

I screwed up. Thinking the problem may have been Malware, I ran Malwarebytes, Quick Scan. It found 18 infections. When I clicked on remove, the 25 error messages disappeared. Also the error message about HD problems disappeared as did the phony scan program that I had paused.

Malwarebytes asked that I reboot. I rebooted. The black screen disappeared XP loaded up and I got a blue screen. I changed to the desktop I was using.

HOWEVER, there were no quick link icons in the left hand portion of the tray. Only the Trash icon and My Computer icons were on the desktop. I clicked on the Start Button, and as before only the bottom third of icons (I use the Classical NT format, not the XP format) were there. I clicked on Programs so that I could get to a browser and ALL PROGRAMS except for one ARE GONE.

I logged off and relogged on through my wife's logon and although her Programs are also empty, her other icons are still there, so that's how I got to FIREFOX and that is how I am communicating with you now. BUT, I can access all the programs via her RUN button.

I don't think I have a HD problem, but I don't know for sure.

Lastly, I will stay on the computer to 10:00 PM EDT and will get back on at 11:00 PM.


js

Edited by jsaklas, 18 October 2011 - 06:51 PM.

  • 0

#43
CompCav

    Member 5k

  • Expert
  • 12,454 posts
Step 1.

Download RogueKiller to your desktop.

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.


Step 2.

Quit all running programs and run RogueKiller once again.

  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 6 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.


Step 3.

Run OTL Scan

  • Please reopen Posted Image on your desktop.
  • Please check Scan All Users
  • Under Extra Registry select Use SafeList
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    C:\Windows\assembly\tmp\U\*.* /s
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


Step 4.

Post:

Both RKreport.txt logs
MBAM log
OTL.txt
Extras.txt



Step 5.

During your hard drive defrag you should have done a disk check. We need to review the results of the disk check.

  • Click Start > Control Panel > Performance and Maintenance > Administrative Tools > Application
  • Under source please find Winlogon Click on it and it will open up.
  • It should start by saying..

    Checking File system on C:
    The type of file system is NTFS.

    A disk check has been scheduled.

  • Click the clipboard button in the right hand corner below the arrow buttons to copy it to your clipboard.
  • Go to the reply area for your post here online and right click in the box and select paste.
  • Go ahead and post that text file.

  • 0
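The OTL scan requested in Step 3 produces, among other things, a list of autorun entries (the `O4 - HKLM..\Run:` and `O4 - HKCU..\Run:` lines) that the helper reads by eye for entries that look out of place. As an added example, not from this thread and not OTL's or RogueKiller's own code, here is a small Python triage script that parses lines in OTL's O4 format and applies the same kind of heuristics a helper applies: a value name that is a bare GUID, an executable living under a user profile or temp directory, an executable with no publisher recorded, and an executable sitting directly in the Windows directory. The sample lines are constructed in OTL's format; two are copied from entries visible in this thread and the others are modelled on the kind of entries RogueKiller flagged here. The `system_root` parameter is an assumption of this script, needed because this machine's Windows folder is C:\WINDOW2 rather than C:\WINDOWS.

```python
import re

# Matches OTL's O4 (autorun) lines: hive/key, value name, path, publisher.
# The path is matched non-greedily so a publisher containing its own
# parentheses, e.g. "C-Media Electronic Inc. (www.cmedia.com.tw)", still parses.
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*?) \((?P<company>.*)\)$"
)
# A value name that is nothing but a GUID is a common sign of a generated name.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Directory fragments writable by an ordinary user on Windows XP.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)

# Constructed sample in OTL's O4 format.  The avgnt and nwiz lines appear in
# this thread's OTL log; the GUID-named entry under Application Data mirrors
# the entry RogueKiller removed; the O1 line shows non-O4 input being skipped.
SAMPLE_O4 = [
    r"O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)",
    r"O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOW2\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))",
    r"O4 - HKLM..\Run: [nwiz] C:\WINDOW2\System32\nwiz.exe ()",
    r"O4 - HKCU..\Run: [{7FB644AF-C1B3-F973-F69A-00CABFCC7614}] C:\Documents and Settings\Luli\Application Data\Viur\huzao.exe ()",
    "O1 - Hosts: 127.0.0.1 localhost",
]


def parse_o4(line):
    """Return the fields of one O4 line as a dict, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def reasons_for(entry, system_root):
    """Apply the triage heuristics to one parsed entry; returns the reasons hit."""
    reasons = []
    path_l = entry["path"].lower()
    if GUID_RE.match(entry["name"].strip()):
        reasons.append("value name is a bare GUID (likely generated)")
    if any(frag in path_l for frag in USER_WRITABLE):
        reasons.append("executable lives in a user-writable profile/temp directory")
    if path_l.endswith(".exe") and not entry["company"].strip():
        reasons.append("no publisher recorded for the executable")
    parent = path_l.rsplit("\\", 1)[0]
    if parent == system_root.lower().rstrip("\\"):
        reasons.append("executable sits directly in the Windows directory")
    return reasons


def triage(lines, system_root="C:\\WINDOWS"):
    """Parse every O4 line and return (name, path, reasons) tuples, most
    suspicious first.  Entries with no reasons are kept so the reviewer sees
    the whole autorun list, not just the hits."""
    results = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        results.append((entry["name"], entry["path"], reasons_for(entry, system_root)))
    # sort() is stable, so equally-scored entries keep their log order
    results.sort(key=lambda r: len(r[2]), reverse=True)
    return results


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_O4, system_root="C:\\WINDOW2"):
        flag = "SUSPECT" if reasons else "ok     "
        print(f"{flag} [{name}] {path}")
        for why in reasons:
            print(f"           - {why}")
```

These heuristics rank, they do not decide: the C-Media mixer is a legitimate audio utility that simply installs into the Windows folder, which is why a hit there means "look at this file" rather than "remove it". The GUID-named entry under Application Data with no publisher trips three checks at once, which is the profile of the entry RogueKiller deleted in this thread.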

#44
CompCav

    Member 5k

  • Expert
  • 12,454 posts
After this please refrain from further use until I can get you a complete fix tomorrow. Somehow this machine is being reinfected and we need to stop the continued infection. Make sure Avira is running (the umbrella is open) and check your firewall and make sure it is running as well before shutting down until tomorrow.

Thanks,

CompCav
  • 0

#45
jsaklas

    Member

  • Topic Starter
  • Member
  • 333 posts
CompCav,

Your instructions did not say to run mbam, but you asked for the log. I had to choose one, so I chose to not run it. The other logs are below:

NOTE (1): NO Extras.lst was created by the OTL Quick Scan. Hence, no log.
NOTE (2): There is NO Performance and Maintenance in my Control Panel. There IS an Administrative Tools, but it is empty. Hence, no log.


------------------------------


RogueKiller V6.1.3 [10/14/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Luli [Admin rights]
Mode: Remove -- Date : 10/18/2011 21:57:27

Bad processes: 1
[SUSP PATH] mixer.exe -- c:\window2\mixer.exe -> KILLED [TermProc]

Registry Entries: 4
[SUSP PATH] HKCU\[...]\Run : {7FB644AF-C1B3-F973-F69A-00CABFCC7614} ("C:\Documents and Settings\Luli\Application Data\Viur\huzao.exe") -> DELETED
[RANDOMNAME] HKLM\[...]\Run : NSWosCheck ("C:\Program Files\Norton SystemWorks\osCheck.exe") -> DELETED
[] HKLM\[...]\Run : () -> ACCESS DENIED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED ()

Particular Files / Folders:

Driver: [LOADED]

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt



--------------


RogueKiller V6.1.3 [10/14/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Luli [Admin rights]
Mode: Shortcuts HJfix -- Date : 10/18/2011 22:00:25

Bad processes: 0

Driver: [LOADED]

File attributes restored:
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 0 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 0 / Fail 0
Backup: [NOT FOUND]

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\CdRom1 -- 0x5 --> Skipped

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



----------------------------



OTL logfile created on: 10/10/2011 3:01:46 PM - Run 4
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.92 Gb Available Physical Memory | 61.58% Memory free
2.11 Gb Paging File | 1.65 Gb Available in Paging File | 78.30% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOW2 | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 15.46 Gb Free Space | 20.74% Space Free | Partition Type: NTFS
Drive F: | 37.26 Gb Total Space | 31.00 Gb Free Space | 83.19% Space Free | Partition Type: FAT32

Computer Name: JAMES-HOME | User Name: Baba | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/06 02:32:42 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Desktop\OTL.exe
PRC - [2011/10/02 18:35:35 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/07/02 02:18:55 | 000,428,200 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2011/07/02 02:18:55 | 000,340,136 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
PRC - [2011/07/02 02:18:55 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/27 17:31:44 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/11/23 19:40:14 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2010/11/23 19:40:07 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/11/08 12:43:34 | 001,060,352 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
PRC - [2010/11/08 12:43:16 | 000,484,352 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
PRC - [2010/11/08 12:40:52 | 003,986,944 | ---- | M] (Western Digital Technologies, Inc.) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
PRC - [2010/11/08 12:40:14 | 000,237,568 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
PRC - [2008/09/25 17:53:32 | 000,181,680 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe
PRC - [2008/09/25 17:53:16 | 000,095,600 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOW2\explorer.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2003/05/08 08:00:58 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
PRC - [2002/10/15 14:00:20 | 001,818,624 | ---- | M] (C-Media Electronic Inc. (www.cmedia.com.tw)) -- C:\WINDOW2\mixer.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/02 18:35:30 | 001,833,944 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/07/02 02:42:23 | 000,998,400 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.Management\19280e723d215c0d6607d3884f453cdf\System.Management.ni.dll
MOD - [2011/07/02 02:33:33 | 017,403,904 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\23abc8e4b535b9cd9c5560266c655ac2\System.ServiceModel.ni.dll
MOD - [2011/07/02 02:00:06 | 000,141,312 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\fa21b6c9badcf916bb254b4b823c2463\System.Configuration.Install.ni.dll
MOD - [2011/07/02 02:00:04 | 000,212,992 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\0f3d321ebd65af974ff0ad424223276d\System.ServiceProcess.ni.dll
MOD - [2011/07/02 01:57:03 | 000,771,584 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\bdaf7904d223589a0f464de58d27e691\System.Runtime.Remoting.ni.dll
MOD - [2011/07/02 01:56:50 | 000,627,712 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\94aae9e592c0f104120572f9925fca12\System.EnterpriseServices.ni.dll
MOD - [2011/07/02 01:56:39 | 000,627,200 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.Transactions\7c430c38d71d632c019ae37d5ef12c8e\System.Transactions.ni.dll
MOD - [2011/07/02 01:56:26 | 006,616,576 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.Data\05d99241bd45cbd96a6053841790a4a2\System.Data.ni.dll
MOD - [2011/07/02 01:51:26 | 000,015,872 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\a96b02abbfcaae424cfb91a198a9e0e9\Microsoft.VisualC.ni.dll
MOD - [2011/07/02 01:49:56 | 005,450,752 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.Xml\f354057a5b4fad4c399da28449ba0d92\System.Xml.ni.dll
MOD - [2011/07/02 01:49:45 | 000,971,264 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System.Configuration\48f8b951a598647dd309ca2031807a5d\System.Configuration.ni.dll
MOD - [2011/07/02 01:49:36 | 007,950,848 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\System\f6a9a002526806f3a5b745cf5c407cae\System.ni.dll
MOD - [2011/07/02 01:49:17 | 011,490,816 | ---- | M] () -- C:\WINDOW2\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
MOD - [2011/07/02 01:46:46 | 002,933,248 | ---- | M] () -- C:\WINDOW2\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2011/07/02 01:46:24 | 000,261,632 | ---- | M] () -- C:\WINDOW2\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2010/11/23 19:40:43 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2010/11/08 14:16:50 | 000,886,272 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\System.Data.SQLite.dll
MOD - [2010/11/08 12:43:34 | 001,060,352 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
MOD - [2010/11/08 12:43:16 | 000,484,352 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
MOD - [2009/04/23 22:55:14 | 000,176,235 | ---- | M] () -- C:\WINDOW2\system32\Primomonnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/07/02 02:18:55 | 000,428,200 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE -- (AntiVirWebService)
SRV - [2011/07/02 02:18:55 | 000,340,136 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService)
SRV - [2011/07/02 02:18:55 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/27 17:31:44 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/11/08 12:43:34 | 001,060,352 | ---- | M] () [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe -- (WDFME)
SRV - [2010/11/08 12:43:16 | 000,484,352 | ---- | M] () [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe -- (WDSC)
SRV - [2010/11/08 12:40:14 | 000,237,568 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2008/09/25 17:53:32 | 000,181,680 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe -- (Speed Disk service)
SRV - [2008/09/25 17:53:16 | 000,095,600 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE -- (NProtectService)
SRV - [2008/08/01 11:31:11 | 000,238,968 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2008/08/01 11:31:01 | 003,220,856 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
SRV - [2008/01/29 19:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - [2011/07/02 02:18:59 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOW2\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/02 02:18:59 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOW2\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/11/23 19:41:00 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOW2\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/11/23 19:40:06 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/12/13 23:57:18 | 000,003,584 | ---- | M] (Systems Internals) [Kernel | System | Running] -- C:\WINDOW2\iprot\d8a4fef9-85c1-448f-a6f9-2570fb195020\PhysMem.sys -- (d8a4fef9-85c1-448f-a6f9-2570fb195020)
DRV - [2009/08/18 22:36:30 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/02/13 12:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOW2\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/09/25 17:53:36 | 000,095,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOW2\system32\drivers\SdDriver.SYS -- (SDdriver)
DRV - [2008/09/25 17:53:14 | 000,087,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\NPDRIVER.SYS -- (NPDriver)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2002/11/18 11:51:40 | 000,377,358 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOW2\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOW2\system32\blank.htm
IE - HKU\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
IE - HKU\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKU\S-1-5-21-299502267-115176313-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: ""
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOW2\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOW2\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Baba\Application Data\Move Networks\plugins\npqmp071502000008.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Baba\Application Data\Move Networks\plugins\npqmp071502000008.dll (Move Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/02 18:35:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/14 23:34:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 7.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/08/17 23:34:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Documents and Settings\Baba\Application Data\Move Networks [2009/12/02 02:06:45 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 6 6.2.3\Extensions\\Components: C:\Netscape 6\Components
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 6 6.2.3\Extensions\\Plugins: C:\Netscape 6\Plugins

[2010/09/03 18:15:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Baba\Application Data\Mozilla\Extensions
[2010/09/03 18:15:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Baba\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/10/07 23:22:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Baba\Application Data\Mozilla\Firefox\Profiles\g7tscgnb.default\extensions
[2010/06/25 22:04:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Baba\Application Data\Mozilla\Firefox\Profiles\g7tscgnb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/28 23:57:29 | 000,001,504 | ---- | M] () -- C:\Documents and Settings\Baba\Application Data\Mozilla\Firefox\Profiles\g7tscgnb.default\searchplugins\imdb.xml
[2011/03/23 21:03:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/24 12:47:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/24 12:46:17 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/10/02 18:35:35 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2004/11/12 19:36:22 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\mozilla firefox\plugins\NPAdbESD.dll
[2008/06/17 22:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2010/06/24 12:46:13 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2005/05/28 07:15:00 | 000,110,592 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2007/09/05 09:56:00 | 000,352,256 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npsabffx.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2006/02/28 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOW2\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOW2\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
O4 - HKLM..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks\osCheck.exe (Symantec Corporation)
O4 - HKLM..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks\NswUiTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOW2\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOW2\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOW2\System32\nwiz.exe ()
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-299502267-115176313-839522115-1004..\Run: [{7FB644AF-C1B3-F973-93FD-BC72DAABCAAC}] "C:\Documents and Settings\Baba\Application Data\Xopix\qoro.exe" File not found
O4 - HKU\S-1-5-21-299502267-115176313-839522115-1004..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ US DOT VPN Client.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Startup\WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (Western Digital Technologies, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 2600 = C:\DOCUME~1\ALLUSE~1.WIN\LOCALS~1\Temp\174eff8a.com
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-115176313-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk ()
O9 - Extra 'Tools' menuitem : Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O15 - HKU\S-1-5-21-299502267-115176313-839522115-1004\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.micr...veX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://sra.dot.gov/...SetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{17B7A976-DB18-48C7-AD20-F583F7824731}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOW2\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOW2\system32\userinit.exe) -C:\WINDOW2\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOW2\dietrich1.bmp
O24 - Desktop BackupWallPaper: C:\WINDOW2\dietrich1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/30 17:16:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/08/02 07:48:02 | 000,001,688 | ---- | M] () - C:\AUTOEXEC.NT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-299502267-115176313-839522115-1004..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-299502267-115176313-839522115-1004\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/07 23:30:54 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/10/07 23:22:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Baba\Desktop\GooredFix Backups
[2011/10/07 23:12:10 | 001,558,320 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Baba\Desktop\tdsskiller.exe
[2011/10/07 23:10:42 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Baba\Desktop\GooredFix.exe
[2011/10/06 09:41:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOW2\Local Settings
[2011/10/01 12:23:41 | 000,000,000 | ---D | C] -- C:\Computer
[2011/09/14 22:21:41 | 000,000,000 | ---D | C] -- C:\Car Stuff
[1 C:\Documents and Settings\Baba\*.tmp files -> C:\Documents and Settings\Baba\*.tmp -> ]
[1 C:\Documents and Settings\All Users.WINDOW2\Application Data\*.tmp files -> C:\Documents and Settings\All Users.WINDOW2\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/10 14:45:43 | 000,186,097 | ---- | M] () -- C:\WINDOW2\System32\nvapps.xml
[2011/10/10 14:42:32 | 000,013,646 | ---- | M] () -- C:\WINDOW2\System32\wpa.dbl
[2011/10/10 14:42:04 | 000,002,048 | --S- | M] () -- C:\WINDOW2\bootstat.dat
[2011/10/10 14:41:39 | 1610,145,792 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/07 23:15:06 | 000,004,730 | ---- | M] () -- C:\Documents and Settings\Baba\Desktop\Document.rtf
[2011/10/07 23:11:19 | 001,558,320 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Baba\Desktop\tdsskiller.exe
[2011/10/07 23:07:54 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Baba\Desktop\GooredFix.exe
[2011/10/07 22:48:59 | 001,045,398 | ---- | M] () -- C:\WINDOW2\dors1.bmp
[2011/10/07 22:45:59 | 001,045,466 | ---- | M] () -- C:\WINDOW2\dietrich2.bmp
[2011/10/07 22:42:35 | 001,045,558 | ---- | M] () -- C:\WINDOW2\dietrich1.bmp
[2011/10/07 22:12:13 | 001,045,558 | ---- | M] () -- C:\WINDOW2\doody2.bmp
[2011/10/07 22:10:53 | 001,045,558 | ---- | M] () -- C:\WINDOW2\doody1.bmp
[2011/10/01 09:00:55 | 000,000,290 | ---- | M] () -- C:\WINDOW2\tasks\Norton SystemWorks One Button Checkup.job
[2011/10/01 04:00:02 | 000,000,388 | ---- | M] () -- C:\WINDOW2\tasks\Norton AntiVirus - Baba - Full System Scan.job
[2011/09/28 11:30:25 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOW2\System32\FlashPlayerCPLApp.cpl
[2011/09/26 13:59:05 | 000,000,213 | ---- | M] () -- C:\WINDOW2\Prestopm.INI
[2011/09/26 13:56:33 | 000,000,051 | ---- | M] () -- C:\NsScanforTest.ini
[2011/09/25 23:47:41 | 001,045,386 | ---- | M] () -- C:\WINDOW2\dickinson3.bmp
[2011/09/25 23:45:50 | 001,045,558 | ---- | M] () -- C:\WINDOW2\dickinson2.bmp
[2011/09/25 23:40:59 | 001,045,546 | ---- | M] () -- C:\WINDOW2\dickinson1.bmp
[2011/09/25 23:36:24 | 001,045,558 | ---- | M] () -- C:\WINDOW2\deschanel2.bmp
[2011/09/25 23:35:40 | 001,045,558 | ---- | M] () -- C:\WINDOW2\deschanel1.bmp
[2011/09/15 10:03:11 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Baba\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[1 C:\Documents and Settings\Baba\*.tmp files -> C:\Documents and Settings\Baba\*.tmp -> ]
[1 C:\Documents and Settings\All Users.WINDOW2\Application Data\*.tmp files -> C:\Documents and Settings\All Users.WINDOW2\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/07 23:15:06 | 000,004,730 | ---- | C] () -- C:\Documents and Settings\Baba\Desktop\Document.rtf
[2011/10/07 22:48:57 | 001,045,398 | ---- | C] () -- C:\WINDOW2\dors1.bmp
[2011/10/07 22:42:32 | 001,045,558 | ---- | C] () -- C:\WINDOW2\dietrich1.bmp
[2011/10/07 22:12:11 | 001,045,558 | ---- | C] () -- C:\WINDOW2\doody2.bmp
[2011/10/07 22:10:50 | 001,045,558 | ---- | C] () -- C:\WINDOW2\doody1.bmp
[2011/10/02 00:06:09 | 000,302,592 | ---- | C] () -- C:\gmer.exe
[2011/09/25 23:47:39 | 001,045,386 | ---- | C] () -- C:\WINDOW2\dickinson3.bmp
[2011/09/25 23:45:48 | 001,045,558 | ---- | C] () -- C:\WINDOW2\dickinson2.bmp
[2011/09/14 23:34:24 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOW2\Start Menu\Programs\Adobe Reader X.lnk
[2011/08/08 23:23:27 | 000,002,928 | ---- | C] () -- C:\Documents and Settings\Baba\Application Data\6E92.F8A
[2011/07/04 16:49:45 | 000,001,324 | ---- | C] () -- C:\WINDOW2\System32\d3d9caps.dat
[2010/10/05 19:15:20 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Baba\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2009/12/13 19:01:29 | 000,000,066 | ---- | C] () -- C:\WINDOW2\GDINST.INI
[2009/10/01 23:33:34 | 000,000,213 | ---- | C] () -- C:\WINDOW2\Prestopm.INI
[2009/10/01 23:32:22 | 000,036,291 | ---- | C] () -- C:\WINDOW2\CSTBox.INI
[2009/08/20 00:28:34 | 000,000,635 | ---- | C] () -- C:\Documents and Settings\Baba\Application Data\PrimoPDFSet.xml
[2009/08/19 23:45:06 | 000,176,235 | ---- | C] () -- C:\WINDOW2\System32\Primomonnt.dll
[2009/08/13 18:23:41 | 000,075,776 | ---- | C] () -- C:\WINDOW2\cadkasdeinst01e.exe
[2009/07/14 04:35:33 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Baba\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/14 03:17:34 | 000,000,235 | ---- | C] () -- C:\WINDOW2\EXCEL4.INI
[2009/07/11 15:13:24 | 000,022,480 | ---- | C] () -- C:\WINDOW2\System32\PFMAPI16.DLL
[2009/07/11 15:13:24 | 000,020,992 | ---- | C] () -- C:\WINDOW2\System32\PFMAPI32.DLL
[2009/07/10 21:26:01 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Baba\Application Data\PFP120JPR.{PB
[2009/07/10 21:26:01 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Baba\Application Data\PFP120JCM.{PB
[2009/07/09 21:54:40 | 000,000,532 | ---- | C] () -- C:\WINDOW2\MAXLINK.INI
[2009/07/09 21:52:13 | 000,000,105 | ---- | C] () -- C:\WINDOW2\UMXADDIN.INI
[2009/07/09 21:52:12 | 000,040,960 | ---- | C] () -- C:\WINDOW2\System32\IPPCPUID.DLL
[2009/07/09 21:51:55 | 000,011,776 | ---- | C] () -- C:\WINDOW2\System32\pmsbfn32.dll
[2009/07/09 21:50:49 | 000,000,074 | ---- | C] () -- C:\WINDOW2\PMINI.ini
[2009/07/09 11:50:10 | 000,046,784 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOW2\Application Data\LuUninstall.LiveUpdate
[2009/07/08 01:14:23 | 000,024,501 | ---- | C] () -- C:\WINDOW2\mozver.dat
[2009/07/06 21:13:13 | 000,000,376 | ---- | C] () -- C:\WINDOW2\ODBC.INI
[2009/07/06 19:05:29 | 000,000,335 | ---- | C] () -- C:\WINDOW2\nsreg.dat
[2009/07/06 19:03:10 | 000,000,025 | ---- | C] () -- C:\WINDOW2\mixerdef.ini
[2009/07/06 18:56:15 | 000,002,048 | --S- | C] () -- C:\WINDOW2\bootstat.dat
[2009/07/06 18:43:58 | 000,021,640 | ---- | C] () -- C:\WINDOW2\System32\emptyregdb.dat
[2009/07/06 11:30:20 | 000,004,161 | ---- | C] () -- C:\WINDOW2\ODBCINST.INI
[2009/07/06 11:27:26 | 000,929,280 | ---- | C] () -- C:\WINDOW2\System32\FNTCACHE.DAT
[2009/07/06 10:34:13 | 000,039,104 | ---- | C] () -- C:\WINDOW2\cmijack.dat
[2009/07/06 10:34:13 | 000,022,178 | ---- | C] () -- C:\WINDOW2\cmaudio.dat
[2009/04/27 00:13:36 | 000,000,314 | ---- | C] () -- C:\WINDOW2\primopdf.ini
[2008/05/16 17:01:00 | 001,703,936 | ---- | C] () -- C:\WINDOW2\System32\nvwdmcpl.dll
[2008/05/16 17:01:00 | 001,630,208 | ---- | C] () -- C:\WINDOW2\System32\nwiz.exe
[2008/05/16 17:01:00 | 001,486,848 | ---- | C] () -- C:\WINDOW2\System32\nview.dll
[2008/05/16 17:01:00 | 001,339,392 | ---- | C] () -- C:\WINDOW2\System32\nvdspsch.exe
[2008/05/16 17:01:00 | 001,019,904 | ---- | C] () -- C:\WINDOW2\System32\nvwimg.dll
[2008/05/16 17:01:00 | 000,466,944 | ---- | C] () -- C:\WINDOW2\System32\nvshell.dll
[2008/05/16 17:01:00 | 000,442,368 | ---- | C] () -- C:\WINDOW2\System32\nvappbar.exe
[2008/05/16 17:01:00 | 000,425,984 | ---- | C] () -- C:\WINDOW2\System32\keystone.exe
[2008/05/16 17:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOW2\System32\nvnt4cpl.dll
[2006/11/01 08:54:30 | 000,180,224 | ---- | C] () -- C:\WINDOW2\System32\xvidvfw.dll
[2006/11/01 08:52:38 | 000,765,952 | ---- | C] () -- C:\WINDOW2\System32\xvidcore.dll
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOW2\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOW2\System32\mlang.dat
[2006/02/28 08:00:00 | 000,432,622 | ---- | C] () -- C:\WINDOW2\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOW2\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOW2\System32\dssec.dat
[2006/02/28 08:00:00 | 000,067,578 | ---- | C] () -- C:\WINDOW2\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOW2\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOW2\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOW2\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOW2\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOW2\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOW2\System32\noise.dat
[2004/10/26 18:39:04 | 003,375,104 | ---- | C] () -- C:\WINDOW2\System32\qt-mt331.dll

< End of report >