
Win32:Trojan-gen and Win32:Rootkit-gen malwares


80 replies to this topic

#16 bar457


Posted 03 July 2010 - 05:13 AM

for: \ahuia.sys (empty file) = 0 bytes size received / Se ha recibido un archivo vacio

for: \alrsvcy.sys =

File alrsvcy.sys received on 2010.07.03 11:00:49 (UTC)
Result: 1/40 (2.5%)

Antivirus             Version         Last Update  Result
a-squared             5.0.0.31        2010.07.03   -
AhnLab-V3             2010.07.03.00   2010.07.03   -
AntiVir               8.2.4.2         2010.07.02   -
Antiy-AVL             2.0.3.7         2010.07.02   -
Authentium            5.2.0.5         2010.07.03   -
Avast                 4.8.1351.0      2010.07.02   -
Avast5                5.0.332.0       2010.07.02   -
AVG                   9.0.0.836       2010.07.03   -
BitDefender           7.2             2010.07.03   -
CAT-QuickHeal         11.00           2010.06.30   -
ClamAV                0.96.0.3-git    2010.07.03   -
Comodo                5300            2010.07.03   -
DrWeb                 5.0.2.03300     2010.07.03   -
eSafe                 7.0.17.0        2010.06.30   -
F-Prot                4.6.1.107       2010.07.02   -
F-Secure              9.0.15370.0     2010.07.03   -
Fortinet              4.1.133.0       2010.07.02   -
GData                 21              2010.07.03   -
Ikarus                T3.1.1.84.0     2010.07.03   -
Jiangmin              13.0.900        2010.07.03   -
Kaspersky             7.0.0.125       2010.07.03   -
McAfee                5.400.0.1158    2010.07.03   -
McAfee-GW-Edition     2010.1          2010.07.02   Heuristic.BehavesLike.HTML.Shellcode.N
Microsoft             1.5902          2010.07.03   -
NOD32                 5248            2010.07.03   -
Norman                6.05.10         2010.07.03   -
nProtect              2010-07-03.02   2010.07.03   -
Panda                 10.0.2.7        2010.07.02   -
PCTools               7.0.3.5         2010.07.02   -
Prevx                 3.0             2010.07.03   -
Rising                22.54.04.04     2010.07.02   -
Sophos                4.54.0          2010.07.03   -
Sunbelt               6539            2010.07.03   -
Symantec              20101.1.0.89    2010.07.03   -
TheHacker             6.5.2.1.307     2010.07.01   -
TrendMicro            9.120.0.1004    2010.07.03   -
TrendMicro-HouseCall  9.120.0.1004    2010.07.03   -
VBA32                 3.12.12.5       2010.07.02   -
ViRobot               2010.7.3.3920   2010.07.03   -
VirusBuster           5.0.27.0        2010.07.02   -

Additional information
File size: 4625422 bytes
MD5...: 3523018f32d6a0e353c829833e5d191a
SHA1..: afb0b6f8b1f9e905c4e56bd7293b9a3b300de168
SHA256: 552f3411945885990e0e133d405310eb2ac1e56882c941fd25db2712016ad012
ssdeep: 49152:IU0/skqcW5p9Ght91dlwfpZsIqvBLwXXzoyh4KZodtIhWEX:IUvpqFd2SL 4zl4KadIX
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Unknown!
packers (F-Prot): qp, ARJ, appended
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

rgds.......bar457



#17 IndiGenus


Posted 03 July 2010 - 08:37 AM

AskBar.dll (Ask Toolbar) process can be removed to free up resources without compromising system performance. http://vil.nai.com/v...nt/v_146646.htm

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.


To remove go into your Control Panel, then Add or Remove Programs. Uninstall Ask Toolbar.


1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\alrsvcy.sys
c:\windows\system32\ahuia.sys
c:\documents and settings\Administrator\Application Data\dhxiuw.dat
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ntuser_mssec.exe 
C:\ntuser_mssec.exe

Folder::
c:\documents and settings\Administrator\Application Data\Siukp
c:\documents and settings\Administrator\Application Data\Beif
c:\documents and settings\Administrator\Application Data\Ebopaw
c:\documents and settings\Administrator\Application Data\Horio


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • New DDS logs. Please post both logs.

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#18 bar457


Posted 04 July 2010 - 07:05 AM

Ok, ran ComboFix via dragging over script. It ran and automatically re-started computer but returned the 'Non-System error, replace and strike any key' that I had back before. So I tried to restart computer and it will not start but gives me the screen saying Windows did not start and gives me the choice of starting modes. I have tried choosing normal and it will not start, but recycles. Tried safe mode but this goes to a screen with a list of : Multi(0) disk(0) rdisk.......... lines; and then just keeps going through the cycle of trying to restart and coming back to the 'did not start.......choice of modes screen. It is currently stuck in the re-cycling mode. Please advise.

#19 IndiGenus


Posted 04 July 2010 - 09:42 AM

At the advanced options screen, where you would choose Safe Mode, etc... try choosing Last Known Good Configuration. Also, check to make sure there are no other drives or devices inserted such as floppy disk, CD/DVD, USB, camera, etc...


#20 bar457


Posted 04 July 2010 - 04:18 PM

There are no other devices connected to the computer. It ignores choosing last good configuration and continues the recycling. I tried powering off the computer and powering back on, but it just goes straight into the recycling again. Have tried tapping F5 or F8 but it continues to recycle. I tried choosing the Recovery Console option and it accepts that, it then offers:

1. C:\Windows
Which Windows installation would you like to log onto :
( to cancel, press ENTER)? :

At this point I pressed ENTER as I did not know what to put in at the prompt. This takes it back into the recycling.

bar457

#21 IndiGenus


Posted 04 July 2010 - 04:40 PM

> 1. C:\Windows
> Which Windows installation would you like to log onto :
> ( to cancel, press ENTER)? :
>
> At this point I pressed ENTER as I did not know what to put in at the prompt.
> This takes it back into the recycling.

That is what I would expect, as pressing enter will quit logging in.

Press F8 to get to the advanced options menu and select:

"Disable Automatic Restart"

Then reboot and see if you get a BSOD. If so then note down the error and post back here.


#22 bar457


Posted 04 July 2010 - 04:58 PM

Ok, It says: STOP: C0000218 {Registry File Failure} The Registry cannot load the hive (File): \System Root\System32\Config\Software or its log or alternate. It is corrupt, absent, or not writable

#23 IndiGenus


Posted 04 July 2010 - 05:07 PM

Hmmm? Were you having any troubles like this before you were infected? Or before we started the clean up?

I have a strong suspicion this may be a failing hard drive. Try this:

Boot into the recovery console again and press 1 this time. Enter your password if needed.

At the prompt type in:

chkdsk C: /R

It will hopefully go through and check the hard drive for errors, and repair them if possible. Try booting back into the system after that and let me know how you make out.


#24 bar457


Posted 05 July 2010 - 03:45 AM

I have not had any problems with the system or start up etc at all before, the computer has not been used a lot since new as it was a back up unit until I started using it regularly as my main computer about 6 months ago. It is an HP Compaq nx8220 laptop so no cheap jobby. We seem to have corrupted the Windows registry by altering some system files, preventing it from loading. I ran the check disk ok but as before, when it reaches the Windows load up, it will not and goes to the DOS mode selection page and then recycles. bar457

#25 IndiGenus


Posted 05 July 2010 - 08:20 AM

> We seem to have corrupted the Windows registry by altering some system files, preventing it from loading.

I don't see anything we did that would have done that. More likely is the fact that there was/is some serious malware on this machine that is rooted very deeply into the OS, and removal/cleaning can be very delicate.

> I ran the check disk ok but as before, when it reaches the Windows load up, it will not and goes to the DOS mode selection page and then recycles.

Did you happen to notice if there were bad sectors found? And fixed if so?


We can restore a registry backup that combofix created before running from the recovery console.

Boot back into the recovery console as you did before.

At the command prompt type in (note the only space should be between the cd and the erdnt):

cd erdnt\hiv-backup

It should now take you to that directory. If not then stop and let me know. Next, type in the following command:

batch erdnt.con

It should show the files being copied. After completion type in exit and the system will reboot. See if that helps and let me know.


#26 bar457


Posted 05 July 2010 - 08:51 AM

Yes the check disk did say it had repaired one or more disk sections. Ok, that worked, straight back into Windows no problem (phew!) What now?

#27 IndiGenus


Posted 05 July 2010 - 08:58 AM

> Ok, that worked, straight back into Windows no problem (phew!)

Great, glad that got it.

> What now?

Good question.... :o ... let's try something else for now. We'll run some other diagnostic tools before making any more changes.


Run OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

*****************************

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select the drive that Windows is installed on, typically C:\, and uncheck the rest.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.txt and copy/paste the contents in your next reply. If the file is too large to copy and paste you can upload it.
  • Exit the program and re-enable all active protection when done.



#28 bar457


Posted 05 July 2010 - 09:14 AM

Yes it is a shame, ComboFix seemed to work right up to the last step and appeared to have put my computer right in terms of visible usability, all programs seemed fine and quick. I was wondering whether the last two removed folders were a problem, one contained no files and the other returned a virus free detection from the uploaded scan. However I will run the proposed new diagnostics. bar457

#29 bar457


Posted 05 July 2010 - 12:49 PM

Ok, here are two of the reports, but struggling to post the third as it is too big for pasting or attachments, so I will try to split it into two separate parts, Pt1 and Pt2

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-05 19:15:31
Windows 5.1.2600 Service Pack 3
Running: 49ibeq8b.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF78C5ABF]
init C:\WINDOWS\system32\DRIVERS\gtipci21.sys entry point in "init" section [0xF788AA80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\ctfmon.exe[192] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 0A, 00]
.text C:\WINDOWS\system32\ctfmon.exe[192] ntdll.dll!NtDeviceIoControlFile + 6 7C90D284 4 Bytes [D0, A9, 0A, 00]
.text C:\WINDOWS\system32\ctfmon.exe[192] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 0A, 00] {IN AL, DX ; STOSD ; OR AL, [EAX]}
.text C:\WINDOWS\system32\ctfmon.exe[192] ntdll.dll!NtResumeThread + 6 7C90DB44 4 Bytes [E4, AB, 0A, 00] {IN AL, 0xab; OR AL, [EAX]}
.text C:\WINDOWS\Explorer.EXE[464] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 95, 02]
.text C:\WINDOWS\Explorer.EXE[464] ntdll.dll!NtDeviceIoControlFile + 6 7C90D284 4 Bytes [D0, A9, 95, 02]
.text C:\WINDOWS\Explorer.EXE[464] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 95, 02]
.text C:\WINDOWS\Explorer.EXE[464] ntdll.dll!NtResumeThread + 6 7C90DB44 4 Bytes [E4, AB, 95, 02]
.text C:\Documents and Settings\Administrator\Desktop\49ibeq8b.exe[2132] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 16, 00]
.text C:\Documents and Settings\Administrator\Desktop\49ibeq8b.exe[2132] ntdll.dll!NtDeviceIoControlFile + 6 7C90D284 4 Bytes [D0, A9, 16, 00]
.text C:\Documents and Settings\Administrator\Desktop\49ibeq8b.exe[2132] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 16, 00]
.text C:\Documents and Settings\Administrator\Desktop\49ibeq8b.exe[2132] ntdll.dll!NtResumeThread + 6 7C90DB44 4 Bytes [E4, AB, 16, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@NoPopUpsOnBoot 1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ntuser_mssec.exe 61440 bytes executable
File C:\ntuser_mssec.exe 56832 bytes executable

---- EOF - GMER 1.0.15 ----

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Error: Unable to interpret </md5start> in the current context!
Error: Unable to interpret <eventlog.dll> in the current context!
Error: Unable to interpret <scecli.dll> in the current context!
Error: Unable to interpret <netlogon.dll> in the current context!
Error: Unable to interpret <cngaudit.dll> in the current context!
Error: Unable to interpret <sceclt.dll> in the current context!
Error: Unable to interpret <ntelogon.dll> in the current context!
Error: Unable to interpret <logevent.dll> in the current context!
Error: Unable to interpret <iaStor.sys> in the current context!
Error: Unable to interpret <nvstor.sys> in the current context!
Error: Unable to interpret <atapi.sys> in the current context!
Error: Unable to interpret <IdeChnDr.sys> in the current context!
Error: Unable to interpret <viasraid.sys> in the current context!
Error: Unable to interpret <AGP440.sys> in the current context!
Error: Unable to interpret <vaxscsi.sys> in the current context!
Error: Unable to interpret <nvatabus.sys> in the current context!
Error: Unable to interpret <viamraid.sys> in the current context!
Error: Unable to interpret <nvata.sys> in the current context!
Error: Unable to interpret <nvgts.sys> in the current context!
Error: Unable to interpret <iastorv.sys> in the current context!
Error: Unable to interpret <ViPrt.sys> in the current context!
Error: Unable to interpret <eNetHook.dll> in the current context!
Error: Unable to interpret <ahcix86.sys> in the current context!
Error: Unable to interpret <KR10N.sys> in the current context!
Error: Unable to interpret </md5stop> in the current context!

OTL by OldTimer - Version 3.2.7.1 log created on 07052010_170714

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
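
Added example (not part of the original thread, and not GMER's or ComboFix's own code): a Python triage of the GMER log in post #29. It reports which code locations are modified in every process the log lists, decodes the patched bytes, and checks which `File::` targets from the CFScript in post #17 still appear in GMER's "Files" section. The sample lines are copied from the posts (the hook list is abridged); the function names and the regexes for the log layout are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input copied from the posts above. The hook list is abridged to two of
# the four patched functions per process; the CFScript is the File:: block.
GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\ctfmon.exe[192] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 0A, 00]
.text C:\WINDOWS\system32\ctfmon.exe[192] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 0A, 00] {IN AL, DX ; STOSD ; OR AL, [EAX]}
.text C:\WINDOWS\Explorer.EXE[464] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 95, 02]
.text C:\WINDOWS\Explorer.EXE[464] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 95, 02]
.text C:\Documents and Settings\Administrator\Desktop\49ibeq8b.exe[2132] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 16, 00]
.text C:\Documents and Settings\Administrator\Desktop\49ibeq8b.exe[2132] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 16, 00]
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ntuser_mssec.exe 61440 bytes executable
File C:\ntuser_mssec.exe 56832 bytes executable
"""

CFSCRIPT = r"""
File::
c:\windows\system32\alrsvcy.sys
c:\windows\system32\ahuia.sys
c:\documents and settings\Administrator\Application Data\dhxiuw.dat
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ntuser_mssec.exe
C:\ntuser_mssec.exe
"""

# Assumed layout, taken from the log lines shown in this thread.
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\w+)\s+\+\s+(?P<offset>[0-9A-Fa-f]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<count>\d+)\s+Bytes\s+\[(?P<bytes>[^\]]*)\]"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes\b")


def parse_gmer(text):
    """Return (hooks, files) from the 'User code sections' and 'Files' sections."""
    hooks, files, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
        elif section == "User code sections" and (m := HOOK_RE.match(line)):
            raw = bytes(int(b.strip(), 16) for b in m.group("bytes").split(","))
            hooks.append({
                "proc": (m.group("image").lower(), int(m.group("pid"))),
                "target": f'{m.group("module")}!{m.group("func")}+{m.group("offset")}',
                "value": int.from_bytes(raw, "little"),  # patched bytes as a 32-bit value
            })
        elif section == "Files" and (m := FILE_RE.match(line)):
            files.append(m.group("path"))
    return hooks, files


def patched_in_every_process(hooks):
    """Code locations that are modified in all processes appearing in the log."""
    procs = {h["proc"] for h in hooks}
    seen = defaultdict(set)
    for h in hooks:
        seen[h["target"]].add(h["proc"])
    return sorted(t for t, p in seen.items() if p == procs)


def shared_low_words(hooks):
    """target -> low 16 bits of the patched value, where identical in every process."""
    lows = defaultdict(set)
    for h in hooks:
        lows[h["target"]].add(h["value"] & 0xFFFF)
    return {t: next(iter(v)) for t, v in lows.items() if len(v) == 1}


def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...]} from the 'Name::' sections of a CFScript."""
    out, section = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("::"):
            section = line[:-2]
        elif line and section:
            out[section].append(line)
    return dict(out)


def still_present(targets, gmer_files):
    """CFScript targets that GMER still lists (Windows paths compare case-insensitively)."""
    listed = {p.lower() for p in gmer_files}
    return [t for t in targets if t.lower() in listed]


if __name__ == "__main__":
    hooks, files = parse_gmer(GMER_LOG)
    print("patched in every process:", patched_in_every_process(hooks))
    for target, low in shared_low_words(hooks).items():
        print(f"  {target}: low word 0x{low:04X} in all processes")
    print("CFScript targets still listed by GMER:")
    for path in still_present(parse_cfscript(CFSCRIPT)["File"], files):
        print("  " + path)
```

On this log both checks come back non-empty: the same ntdll.dll locations are modified in every listed process, including the scanner's own, with only the upper bytes of the patched value differing per process, and both ntuser_mssec.exe paths from the CFScript are still listed by GMER.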

#30 bar457


Posted 05 July 2010 - 01:05 PM

Part 1 of OTL.txt report:


OTL logfile created on: 05/07/2010 16:48:42 - Run 1
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 240.00 Mb Available Physical Memory | 47.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 7.19 Gb Free Space | 12.87% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NX8220
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/05 16:41:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/02/08 13:23:38 | 000,380,928 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Application Updater\ApplicationUpdater.exe
PRC - [2010/01/12 19:13:48 | 001,490,944 | ---- | M] (Mortal Universe) -- C:\Program Files\POP Peeper\POPPeeper.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/03 17:50:00 | 001,603,152 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2005/03/17 12:10:32 | 000,536,576 | ---- | M] (Panicware, Inc.) -- C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
PRC - [2004/11/12 01:13:40 | 000,290,816 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2004/11/04 19:40:08 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/08/18 18:57:40 | 001,048,576 | ---- | M] (McAfee Security) -- C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
PRC - [2003/04/09 16:11:54 | 000,200,704 | ---- | M] (McAfee Security) -- C:\Program Files\McAfee.com\Personal Firewall\MpfAgent.exe
PRC - [2003/01/29 16:30:58 | 000,184,320 | ---- | M] (McAfee Corporation) -- C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe
PRC - [2002/09/20 23:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/07/05 16:41:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2005/03/10 17:33:48 | 000,053,248 | ---- | M] (Panicware, Inc.) -- C:\Program Files\Panicware\Pop-Up Stopper Free Edition\XAHook.dll
MOD - [2004/11/04 19:39:58 | 000,069,722 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (kavsvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/06/29 16:44:44 | 001,352,832 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/02/08 13:23:38 | 000,380,928 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/01/29 16:30:58 | 000,184,320 | ---- | M] (McAfee Corporation) [Auto | Running] -- C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe -- (MpfService)
SRV - [2002/09/20 23:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\klif.sys -- (TSP)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\PPPoEWin.SYS -- (PPPoEWin)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\klmc.sys -- (Klmc)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\klif.sys -- (Klif)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/06/15 16:42:58 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2006/08/28 14:23:06 | 000,090,768 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se26unic.sys -- (se26unic) Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (WDM)
DRV - [2006/08/28 14:23:00 | 000,086,560 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26obex.sys -- (SE26obex)
DRV - [2006/08/28 14:22:58 | 000,018,704 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se26nd5.sys -- (se26nd5) Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (NDIS)
DRV - [2006/08/28 14:22:56 | 000,088,688 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26mgmt.sys -- (SE26mgmt) Sony Ericsson Device 038 USB WMC Device Management Drivers (WDM)
DRV - [2006/08/28 14:22:52 | 000,097,184 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26mdm.sys -- (SE26mdm)
DRV - [2006/08/28 14:22:50 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26mdfl.sys -- (SE26mdfl)
DRV - [2006/08/28 14:22:46 | 000,061,600 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26bus.sys -- (SE26bus) Sony Ericsson Device 038 Driver driver (WDM)
DRV - [2005/05/27 16:13:12 | 000,128,295 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (Nokia USB Phone Parent)
DRV - [2005/05/27 16:13:12 | 000,011,001 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (Nokia USB Modem)
DRV - [2005/05/27 16:13:12 | 000,007,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (Nokia USB Generic)
DRV - [2005/05/26 10:51:33 | 000,028,160 | ---- | M] (W1zzard) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ATITool.sys -- (ATITool)
DRV - [2005/02/11 01:52:36 | 000,157,056 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2004/12/07 23:06:42 | 000,874,496 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/11/22 12:33:52 | 000,190,592 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/11/16 11:37:48 | 003,222,784 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/11/16 11:37:38 | 000,342,912 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/04 19:26:42 | 000,186,016 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2004/10/26 12:22:50 | 001,337,274 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2004/10/26 12:22:50 | 000,002,410 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys -- (FreshIO)
DRV - [2004/10/26 11:55:26 | 000,398,208 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2004/10/26 11:49:54 | 000,147,896 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2004/10/26 11:47:24 | 000,030,299 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2004/10/26 11:47:08 | 000,030,125 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
DRV - [2004/10/26 11:46:04 | 000,055,320 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2004/08/24 12:20:08 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/08/17 12:21:00 | 000,087,168 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/08/03 10:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/08/03 10:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/08/03 10:05:00 | 000,086,138 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/08/03 10:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/08/03 10:05:00 | 000,025,723 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/08/03 10:05:00 | 000,014,715 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/08/03 10:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/08/03 10:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/08/03 10:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/07/14 20:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 20:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/07/14 11:56:00 | 000,040,448 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/06/16 19:19:58 | 000,046,080 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2004/05/03 17:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2004/04/14 16:36:50 | 000,007,432 | ---- | M] (Hewlett-Packard Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2004/02/20 18:35:28 | 000,059,044 | R--- | M] (Hewlett-Packard) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\ClntMgmt.sys -- (ClntMgmt.sys)
DRV - [2003/06/06 20:46:16 | 000,005,220 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2003/01/10 22:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/12/06 10:21:22 | 000,055,936 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\MpFirewall.sys -- (MPFIREWL)
DRV - [2001/08/17 16:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 15:05:16 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OVCD.sys -- (QCDonner)
DRV - [1997/06/17 05:00:00 | 000,004,064 | ---- | M] (Adobe Systems Incorporated) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ATMHELPR.SYS -- (ATMhelpr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local.;*.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = sbserver:8080

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.google.co.uk"

FF - HKLM\software\mozilla\Mozilla Firefox 3.0b4\extensions\\Components: C:\Program Files\Mozilla Firefox 3 Beta 4\components [2008/04/22 09:55:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0b4\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3 Beta 4\plugins [2010/04/17 09:38:16 | 000,000,000 | ---D | M]

[2008/03/09 19:31:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/11/05 19:14:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sy0rkrb4.default\extensions
[2009/11/05 19:14:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sy0rkrb4.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2008/03/31 09:15:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2004/02/20 21:14:09 | 000,176,177 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/07/04 13:01:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: () - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\Program Files\FreshDevices\FreshDownload\fdcatch.dll (FreshDevices Corp.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (FreshDownload Bar) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\Program Files\FreshDevices\FreshDownload\fdiebar.dll (FreshDevices Corp.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [MPFExe] C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe (McAfee Security)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - HKCU..\Run: [{672FC0DA-DF94-82F2-401B-4D1794AC3C54}] C:\Documents and Settings\Administrator\Application Data\Yxfehe\xylyd.exe File not found
O4 - HKCU..\Run: [POP Peeper] C:\Program Files\POP Peeper\POPPeeper.exe (Mortal Universe)
O4 - HKCU..\Run: [PopUpStopperFreeEdition] C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe (Panicware, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: FreshDownload - {DDDD6D68-CF2E-4E7A-A8DF-43DF07C586F0} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (FreshDevices Corp.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.mac...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:1 (BBC - bbc.co.uk homepage - Home of the BBC on the Internet) - http://www.bbc.co.uk/
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56027075282206720)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/05 16:41:01 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/04 12:41:39 | 000,000,000 | --SD | C] -- C:\ComboFix1
[2010/07/02 20:39:03 | 000,000,000 | ---D | C] -- C:\ComboFix Logs
[2010/07/01 15:20:10 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/01 15:10:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/01 15:10:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/01 15:10:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/01 15:10:50 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/01 15:08:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/01 14:57:18 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/28 16:05:30 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
[2010/06/15 16:43:48 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/15 16:37:23 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/06/15 16:36:33 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/05/07 13:36:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2010/05/04 16:50:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2010/04/22 18:12:25 | 000,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2098/12/24 17:26:24 | 002,224,297 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\IMG00110.JPG
[2098/12/24 17:14:48 | 001,938,121 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\IMG00108.JPG
[2010/07/05 16:42:41 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\49ibeq8b.exe
[2010/07/05 16:41:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/05 15:45:51 | 000,174,752 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2010/07/05 15:45:38 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/05 15:45:09 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/05 15:45:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/05 15:45:04 | 536,268,800 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/04 13:01:36 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/04 12:41:07 | 007,340,032 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/07/04 00:45:01 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\tasks\{FA758EFE-AE36-425B-A409-37236371032C}_NX8220_Administrator.job
[2010/07/02 20:07:01 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/02 19:41:58 | 003,725,496 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix1.exe
[2010/07/02 16:43:08 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/02 14:34:04 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to My Computer (2).lnk
[2010/07/02 14:33:58 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to My Computer.lnk
[2010/07/02 00:21:13 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/01 15:53:09 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/07/01 15:20:20 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/29 11:50:51 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/28 16:29:56 | 000,359,929 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/06/28 16:05:38 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
[2010/06/15 16:43:16 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/15 16:42:58 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/15 16:37:19 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/06/10 11:01:04 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2010/06/10 11:00:41 | 000,385,164 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 11:00:41 | 000,054,682 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/10 11:00:40 | 000,443,254 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 10:37:08 | 000,449,192 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 10:25:20 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/10 10:17:03 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/10 09:30:13 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/05/06 17:06:13 | 000,001,353 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SCAN pst.lnk
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/23 11:28:18 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/04/22 18:12:28 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Eusing Free Registry Cleaner.lnk
[2010/04/22 13:46:02 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/14 17:53:17 | 001,319,585 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Goodmans GPS162R portable CD.PDF
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/05 16:42:36 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\49ibeq8b.exe
[2010/07/02 19:41:56 | 003,725,496 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix1.exe
[2010/07/02 14:34:04 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to My Computer (2).lnk
[2010/07/02 14:33:58 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to My Computer.lnk
[2010/07/01 15:20:19 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/01 15:20:12 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/01 15:10:51 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/01 15:10:51 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/01 15:10:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/01 15:10:50 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/01 15:10:50 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/28 16:29:53 | 000,359,929 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/06/15 17:11:07 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/15 16:37:19 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/05/06 17:06:13 | 000,001,353 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SCAN pst.lnk
[2010/04/22 18:12:28 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Eusing Free Registry Cleaner.lnk
[2010/04/14 19:02:44 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/14 17:56:57 | 001,319,585 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Goodmans GPS162R portable CD.PDF
[2009/11/17 00:39:07 | 000,000,177 | ---- | C] () -- C:\WINDOWS\kpcms.ini
[2009/11/17 00:39:06 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2009/11/17 00:38:50 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\ImgLibLead.dll
[2009/11/17 00:38:49 | 000,100,864 | ---- | C] () -- C:\WINDOWS\System32\Dc50ip32.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/01/23 00:10:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mngui.INI
[2007/10/07 01:25:05 | 000,001,279 | ---- | C] () -- C:\WINDOWS\SpecEmuWindow.ini
[2007/05/20 01:06:34 | 000,000,150 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/04/22 08:05:56 | 000,000,060 | ---- | C] () -- C:\WINDOWS\easkdiry.ini
[2007/02/01 10:08:56 | 000,000,006 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/11/14 21:37:02 | 000,000,019 | ---- | C] () -- C:\WINDOWS\SoundConverter.INI
[2005/11/06 00:13:55 | 000,000,020 | ---- | C] () -- C:\WINDOWS\TemplateWizard.INI
[2005/09/12 06:11:17 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/09/06 17:44:48 | 000,000,103 | ---- | C] () -- C:\WINDOWS\Licence.ini
[2005/09/06 17:33:49 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\usqlcs32.dll
[2005/09/06 17:33:49 | 000,072,704 | ---- | C] () -- C:\WINDOWS\System32\CCmove32.dll
[2005/09/06 17:33:49 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\CCCHNG32.dll
[2005/09/04 13:09:43 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\MpfApi.dll
[2005/09/04 13:09:42 | 000,055,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\MpFirewall.sys
[2005/09/04 12:00:09 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/09/03 19:58:29 | 000,000,543 | ---- | C] () -- C:\WINDOWS\AppRun.ini
[2005/09/01 22:42:11 | 000,000,620 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/01 21:37:30 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/09/01 21:37:30 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/09/01 21:37:30 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/09/01 21:37:30 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/09/01 21:37:30 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/09/01 21:37:30 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/09 23:13:31 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/08/09 23:13:31 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/08/09 23:12:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/02/15 07:40:57 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/02/15 07:33:45 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/10/26 19:30:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/10/26 12:06:04 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2004/08/07 14:19:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 14:12:40 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/06/01 10:39:56 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2004/01/13 19:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/03/27 17:28:44 | 000,004,955 | ---- | C] () -- C:\WINDOWS\System32\DProg.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/15 23:29:04 | 000,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 18:18:00 | 000,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2000/09/13 19:15:38 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pagesync.dll
[1998/05/07 03:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll

========== LOP Check ==========

[2010/01/09 15:46:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Canon
[2006/04/11 08:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DataLayer
[2006/11/24 17:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Flickr
[2009/11/05 19:13:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit
[2009/12/14 16:59:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit Software
[2009/11/05 19:03:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FreshDiagnose
[2005/09/07 22:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo
[2005/10/26 22:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2005/11/11 16:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nokia
[2007/01/21 20:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nvu
[2005/11/14 21:48:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PC Suite
[2010/07/02 15:54:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\POP Peeper
[2010/02/16 20:07:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Search Settings
[2007/09/28 17:41:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Teleca
[2008/03/25 23:23:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2010/02/16 20:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\YouTube Downloader
[2009/12/12 22:13:12 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2007/03/20 12:48:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus for Windows Workstations
[2008/03/25 20:01:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2005/09/03 21:09:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/06/24 12:14:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/07/02 16:43:08 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/07/04 00:45:01 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\Tasks\{FA758EFE-AE36-425B-A409-37236371032C}_NX8220_Administrator.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: AGP440.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/11/11 22:57:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/11/11 22:57:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/11/11 22:57:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/11/11 22:57:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 01:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 09:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 09:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 09:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 68 bytes -> C:\WINDOWS\wmp11.log:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\twain_32.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\zipfldr.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xpsp3res.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xpsp2res.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xpsp1res.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xpob2res.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xmlprovi.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\wzcsapi.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\wups2.dll:KAVICHS
Many more like it................

EDIT: Edit to remove redundant entries and reduce post size - IndiGenus

Edited by IndiGenus, 06 July 2010 - 08:14 AM.
