WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93121 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Win32:Trojan-gen and Win32:Rootkit-gen malwares

Started by bar457 , Jun 28 2010 10:45 AM

Page 3 of 6
1
2
3
4
5

Please log in to reply

80 replies to this topic

#31 bar457

Authentic Member

Authentic Member
183 posts

Posted 05 July 2010 - 01:09 PM

Part 2 of OGL.txt report, hope you will get all this and it makes sense: @Alternate Data Stream - 36 bytes -> C:\WINDOWS\System32\dllcache\msdtclog.dll:KAVICHS @Alternate Data Stream - 36 bytes -> C:\WINDOWS\System32\dllcache\mscms.dll:KAVICHS @Alternate Data Stream - 36 bytes -> C:\WINDOWS\System32\dllcache\mscdexnt.exe:KAVICHS @Alternate Data Stream - 36 bytes -> C:\WINDOWS\System32\dllcache\mscat32.dll:KAVICHS < End of report > EDIT: Removed redundant entries to reduce post size - IndiGenus

Edited by IndiGenus, 06 July 2010 - 08:11 AM.

Advertisements

Register to Remove

#32 IndiGenus

Teacher Emeritus

Authentic Member
5,251 posts

Interests:Computer Security, Music, Sports

Posted 05 July 2010 - 04:40 PM

All of those ADS (Alternate Data Streams) you see attached to ALL those files are from when you had Kaspersky installed. They're harmless but what a pain huh?

I would like you to run the following tool from Kasperksy though...ironic, I know.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then

Logs will be closed if you haven't replied within 5 days

Proud Graduate of TC/WTT Classroom

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#33 bar457

Authentic Member

Authentic Member
183 posts

Posted 06 July 2010 - 06:12 AM

Ok, this is the result: TDSS rootkit removing tool, Kaspersky Lab, 2010 version 2.3.2.2 Jun 30 2010 17:23:49 Scanning Services ... Scanning Drivers ... Completed Results: Registry objects infected / cured / cured on reboot: 0 / 0 / 0 File objects infected / cured / cured on reboot: 0 / 0 / 0 Press any key to continue . . . >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.. So I have pressed a key and it has come out of the scan. bar457

#34 IndiGenus

Teacher Emeritus

Authentic Member
5,251 posts

Interests:Computer Security, Music, Sports

Posted 06 July 2010 - 10:59 AM

That's not it....

Download Bootkit remover to your desktop
This is a rar file if you do not have a program to open it then download and install Peazip

Extract Remover.exe to your desktop
Right click Remover.exe and select Run as Administrator (Vista) or Double click Remover.exe to run it (XP)
It will show a Black screen with some data on it
Right click on the screen and select > Select All
Press Control+C
Now open a notepad and press Control+V
Post the resultant log here please

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then

Logs will be closed if you haven't replied within 5 days

Proud Graduate of TC/WTT Classroom

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#35 bar457

Authentic Member

Authentic Member
183 posts

Posted 06 July 2010 - 11:40 AM

Here is the result: Bootkit Remover version 1.0.0.1 © 2009 eSage Lab www.esagelab.com \\.\C: -> \\.\PhysicalDrive0 MD5: 15288f155f9b90d37dac7f52fe7acd82 Size Device Name MBR Status -------------------------------------------- 55 GB \\.\PhysicalDrive0 Unknown boot code Unknown boot code has been found on some of your physical disks. To inspect the boot code manually, dump the master boot sector: remover.exe dump <device_name> [output_file] To disinfect the master boot sector, use the following command: remover.exe fix <device_name> Press any key to quit...

#36 IndiGenus

Teacher Emeritus

Authentic Member
5,251 posts

Interests:Computer Security, Music, Sports

Posted 06 July 2010 - 04:50 PM

Hmmmm.....that's interesting. Maybe we're getting somewhere. Let's get another "opinion" on this.

Download MBRCheck.exe to your desktop
Double click on MBRCheck.exe to run it

It will show a black screen with some data on it
Click on the black C:\ in the upper left hand corner of the black screen
Choose Edit > Select All > Press Enter to copy the data to your clip board
Press Enter again to close MBRCheck
Now open up notepad and paste the data in (press Control+V)

Post the results in your reply

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then

Logs will be closed if you haven't replied within 5 days

Proud Graduate of TC/WTT Classroom

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#37 bar457

Authentic Member

Authentic Member
183 posts

Posted 07 July 2010 - 07:11 AM

MBRCheck, version 1.0.0 © 2010, AD \\.\C: --> \\.\PhysicalDrive0 Size Device Name MBR Status -------------------------------------------- 55 GB \\.\PhysicalDrive0 Unknown MBR code Found non-standard or infected MBR. Enter 'Y' and hit ENTER for more options, or 'N' to exit: rgds bar457

#38 IndiGenus

Teacher Emeritus

Authentic Member
5,251 posts

Interests:Computer Security, Music, Sports

Posted 07 July 2010 - 07:48 AM

Well both tools are showing either non-standard or infected MBR. Since it's not a Dell, which are known to have non-standard MBR's, I am pretty sure it is infected.

Let's boot back into the recovery console as you did earlier. At the prompt type in fixmbr. You will be presented with a scary warning from MS, go ahead and type Y to continue with the fix. Once done type exit and boot back out to Windows. Now please run the last 2 tools I had you run, both the Esage tool, and the MBRCheck. Post the logs and let me know how it's running.

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then

Logs will be closed if you haven't replied within 5 days

Proud Graduate of TC/WTT Classroom

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#39 bar457

Authentic Member

Authentic Member
183 posts

Posted 07 July 2010 - 05:40 PM

Delay is because I was worried about a crash and losing vital data, so have backed up a lot more of my files just in case. However all completed and logs attached : Bootkit Remover version 1.0.0.1 © 2009 eSage Lab www.esagelab.com \\.\C: -> \\.\PhysicalDrive0 MD5: 6def5ffcbcdbdb4082f1015625e597bd Size Device Name MBR Status -------------------------------------------- 55 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found) Press any key to quit... >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> MBRCheck, version 1.0.0 © 2010, AD \\.\C: --> \\.\PhysicalDrive0 Size Device Name MBR Status -------------------------------------------- 55 GB \\.\PhysicalDrive0 Windows XP MBR code detected Done! Press ENTER to exit... >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No problems so far, so will check how it goes. Some activities are still a bit slow, not as quick as after running the ComboFix first time ! bar457

#40 IndiGenus

Teacher Emeritus

Authentic Member
5,251 posts

Interests:Computer Security, Music, Sports

Posted 07 July 2010 - 07:14 PM

Nice!

Looks like the MBR was definitely infected which was probably interfering with our fixes and hiding Malware. We should be in better shape to get this finished off. Before we do anything else though let's get another scan with OTL. Also run GMER and post both of those logs.

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then

Logs will be closed if you haven't replied within 5 days

Proud Graduate of TC/WTT Classroom

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

Advertisements

Register to Remove

#41 bar457

Authentic Member

Authentic Member
183 posts

Posted 08 July 2010 - 10:54 AM

here are the results:
Shouldn't all of those Kasperski ADS's have come out on uninstall, it's a pain having all those in there, maybe I should ask them for a removal tool !

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-08 17:14:39
Windows 5.1.2600 Service Pack 3
Running: i6pndm98.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdqpow.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF7859ABF]
init C:\WINDOWS\system32\DRIVERS\gtipci21.sys entry point in "init" section [0xF781EA80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[252] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, BB, 02]
.text C:\WINDOWS\Explorer.EXE[252] ntdll.dll!NtDeviceIoControlFile + 6 7C90D284 4 Bytes [D0, A9, BB, 02]
.text C:\WINDOWS\Explorer.EXE[252] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, BB, 02]
.text C:\WINDOWS\Explorer.EXE[252] ntdll.dll!NtResumeThread + 6 7C90DB44 4 Bytes [E4, AB, BB, 02]
.text C:\i6pndm98.exe[580] ntdll.dll!NtClose + 6 7C90CFF4 4 Bytes [CC, A9, 16, 00]
.text C:\i6pndm98.exe[580] ntdll.dll!NtDeviceIoControlFile + 6 7C90D284 4 Bytes [D0, A9, 16, 00]
.text C:\i6pndm98.exe[580] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [EC, AB, 16, 00]
.text C:\i6pndm98.exe[580] ntdll.dll!NtResumeThread + 6 7C90DB44 4 Bytes [E4, AB, 16, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@NoPopUpsOnBoot 1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ntuser_mssec.exe 61440 bytes executable
File C:\ntuser_mssec.exe 56832 bytes executable

---- EOF - GMER 1.0.15 ----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.

OTL logfile created on: 08/07/2010 17:23:48 - Run 2
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 164.00 Mb Available Physical Memory | 32.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 6.42 Gb Free Space | 11.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NX8220
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/05 16:41:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/02/08 13:23:38 | 000,380,928 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Application Updater\ApplicationUpdater.exe
PRC - [2010/01/12 19:13:48 | 001,490,944 | ---- | M] (Mortal Universe) -- C:\Program Files\POP Peeper\POPPeeper.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/03 17:50:00 | 001,603,152 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2005/03/17 12:10:32 | 000,536,576 | ---- | M] (Panicware, Inc.) -- C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
PRC - [2004/11/12 01:13:40 | 000,290,816 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2004/11/04 19:40:08 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/08/18 18:57:40 | 001,048,576 | ---- | M] (McAfee Security) -- C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
PRC - [2003/04/09 16:11:54 | 000,200,704 | ---- | M] (McAfee Security) -- C:\Program Files\McAfee.com\Personal Firewall\MpfAgent.exe
PRC - [2003/01/29 16:30:58 | 000,184,320 | ---- | M] (McAfee Corporation) -- C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe
PRC - [2002/09/20 23:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

========== Modules (SafeList) ==========

MOD - [2010/07/05 16:41:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2005/03/10 17:33:48 | 000,053,248 | ---- | M] (Panicware, Inc.) -- C:\Program Files\Panicware\Pop-Up Stopper Free Edition\XAHook.dll
MOD - [2004/11/04 19:39:58 | 000,069,722 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (kavsvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/06/29 16:44:44 | 001,352,832 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/02/08 13:23:38 | 000,380,928 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/01/29 16:30:58 | 000,184,320 | ---- | M] (McAfee Corporation) [Auto | Running] -- C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe -- (MpfService)
SRV - [2002/09/20 23:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\klif.sys -- (TSP)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\PPPoEWin.SYS -- (PPPoEWin)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\klmc.sys -- (Klmc)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\klif.sys -- (Klif)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/06/15 16:42:58 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2006/08/28 14:23:06 | 000,090,768 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se26unic.sys -- (se26unic) Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (WDM)
DRV - [2006/08/28 14:23:00 | 000,086,560 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26obex.sys -- (SE26obex)
DRV - [2006/08/28 14:22:58 | 000,018,704 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se26nd5.sys -- (se26nd5) Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (NDIS)
DRV - [2006/08/28 14:22:56 | 000,088,688 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26mgmt.sys -- (SE26mgmt) Sony Ericsson Device 038 USB WMC Device Management Drivers (WDM)
DRV - [2006/08/28 14:22:52 | 000,097,184 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26mdm.sys -- (SE26mdm)
DRV - [2006/08/28 14:22:50 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26mdfl.sys -- (SE26mdfl)
DRV - [2006/08/28 14:22:46 | 000,061,600 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE26bus.sys -- (SE26bus) Sony Ericsson Device 038 Driver driver (WDM)
DRV - [2005/05/27 16:13:12 | 000,128,295 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (Nokia USB Phone Parent)
DRV - [2005/05/27 16:13:12 | 000,011,001 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (Nokia USB Modem)
DRV - [2005/05/27 16:13:12 | 000,007,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (Nokia USB Generic)
DRV - [2005/05/26 10:51:33 | 000,028,160 | ---- | M] (W1zzard) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ATITool.sys -- (ATITool)
DRV - [2005/02/11 01:52:36 | 000,157,056 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2004/12/07 23:06:42 | 000,874,496 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/11/22 12:33:52 | 000,190,592 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/11/16 11:37:48 | 003,222,784 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/11/16 11:37:38 | 000,342,912 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/04 19:26:42 | 000,186,016 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2004/10/26 12:22:50 | 001,337,274 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2004/10/26 12:22:50 | 000,002,410 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys -- (FreshIO)
DRV - [2004/10/26 11:55:26 | 000,398,208 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2004/10/26 11:49:54 | 000,147,896 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2004/10/26 11:47:24 | 000,030,299 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2004/10/26 11:47:08 | 000,030,125 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
DRV - [2004/10/26 11:46:04 | 000,055,320 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2004/08/24 12:20:08 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/08/17 12:21:00 | 000,087,168 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/08/03 10:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/08/03 10:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/08/03 10:05:00 | 000,086,138 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/08/03 10:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/08/03 10:05:00 | 000,025,723 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/08/03 10:05:00 | 000,014,715 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/08/03 10:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/08/03 10:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/08/03 10:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/07/14 20:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 20:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/07/14 11:56:00 | 000,040,448 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/06/16 19:19:58 | 000,046,080 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2004/05/03 17:26:16 | 000,080,384 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2004/04/14 16:36:50 | 000,007,432 | ---- | M] (Hewlett-Packard Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2004/02/20 18:35:28 | 000,059,044 | R--- | M] (Hewlett-Packard) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\ClntMgmt.sys -- (ClntMgmt.sys)
DRV - [2003/06/06 20:46:16 | 000,005,220 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2003/01/10 22:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/12/06 10:21:22 | 000,055,936 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\MpFirewall.sys -- (MPFIREWL)
DRV - [2001/08/17 16:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 15:05:16 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OVCD.sys -- (QCDonner)
DRV - [1997/06/17 05:00:00 | 000,004,064 | ---- | M] (Adobe Systems Incorporated) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ATMHELPR.SYS -- (ATMhelpr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local.;*.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = sbserver:8080

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.google.co.uk"

FF - HKLM\software\mozilla\Mozilla Firefox 3.0b4\extensions\\Components: C:\Program Files\Mozilla Firefox 3 Beta 4\components [2008/04/22 09:55:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0b4\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3 Beta 4\plugins [2010/04/17 09:38:16 | 000,000,000 | ---D | M]

[2008/03/09 19:31:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/11/05 19:14:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sy0rkrb4.default\extensions
[2009/11/05 19:14:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sy0rkrb4.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2008/03/31 09:15:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2004/02/20 21:14:09 | 000,176,177 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/07/04 13:01:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: () - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\Program Files\FreshDevices\FreshDownload\fdcatch.dll (FreshDevices Corp.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (FreshDownload Bar) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\Program Files\FreshDevices\FreshDownload\fdiebar.dll (FreshDevices Corp.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [MPFExe] C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe (McAfee Security)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - HKCU..\Run: [{672FC0DA-DF94-82F2-401B-4D1794AC3C54}] C:\Documents and Settings\Administrator\Application Data\Yxfehe\xylyd.exe File not found
O4 - HKCU..\Run: [POP Peeper] C:\Program Files\POP Peeper\POPPeeper.exe (Mortal Universe)
O4 - HKCU..\Run: [PopUpStopperFreeEdition] C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe (Panicware, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: FreshDownload - {DDDD6D68-CF2E-4E7A-A8DF-43DF07C586F0} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (FreshDevices Corp.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.mac...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:1 (BBC - bbc.co.uk homepage - Home of the BBC on the Internet) - http://www.bbc.co.uk/
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56027075282206720)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/08 13:56:43 | 000,000,000 | ---D | C] -- C:\New Folder
[2010/07/07 21:00:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/07/07 21:00:20 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2010/07/07 20:45:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Copy of My Documents
[2010/07/07 20:33:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Barry
[2010/07/07 20:30:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\My Documents
[2010/07/06 18:30:27 | 000,499,712 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Administrator\Desktop\remover.exe
[2010/07/06 18:27:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\PeaZip
[2010/07/06 18:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\PeaZip
[2010/07/06 12:57:34 | 000,000,000 | --SD | C] -- C:\ComboFix1
[2010/07/06 12:54:37 | 001,013,584 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/07/05 19:55:13 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/05 17:07:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/05 16:41:01 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/02 20:39:03 | 000,000,000 | ---D | C] -- C:\ComboFix Logs
[2010/07/01 15:20:10 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/01 15:10:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/01 15:10:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/01 15:10:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/01 15:10:50 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/01 15:08:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/01 14:57:18 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/15 16:43:48 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/15 16:37:23 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/06/15 16:36:33 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/05/07 13:36:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2010/05/04 16:50:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2010/04/22 18:12:25 | 000,000,000 | ---D | C] -- C:\Program Files\Eusing Free Registry Cleaner
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2098/12/24 17:26:24 | 002,224,297 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\IMG00110.JPG
[2098/12/24 17:14:48 | 001,938,121 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\IMG00108.JPG
[2010/07/08 13:58:32 | 000,293,376 | ---- | M] () -- C:\i6pndm98.exe
[2010/07/08 00:45:00 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\tasks\{FA758EFE-AE36-425B-A409-37236371032C}_NX8220_Administrator.job
[2010/07/07 23:31:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/07 23:31:41 | 000,174,752 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2010/07/07 23:31:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/07 23:31:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/07 23:30:58 | 536,268,800 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/07 23:25:48 | 007,340,032 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/07/07 23:25:48 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/07/07 23:24:54 | 000,525,312 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Contacts copy folder 7.7.10.pst
[2010/07/07 23:24:27 | 000,271,360 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Mailbox administrator copy folder 7.7.10.pst
[2010/07/07 21:20:17 | 471,377,329 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\My Docs copy zipped 7.7.10.zipx
[2010/07/07 21:01:21 | 000,001,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2010/07/07 14:04:06 | 000,050,688 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/07/06 18:25:35 | 000,000,606 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\PeaZip.lnk
[2010/07/06 16:47:19 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/05 16:41:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/04 13:01:36 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/02 20:07:01 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/02 19:41:58 | 003,725,496 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix1.exe
[2010/07/02 14:34:04 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to My Computer (2).lnk
[2010/07/02 00:21:13 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/01 15:20:20 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/30 17:25:08 | 001,013,584 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/06/29 11:50:51 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/28 16:29:56 | 000,359,929 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/06/15 16:43:16 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/15 16:42:58 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/15 16:37:19 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/06/10 11:01:04 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2010/06/10 11:00:41 | 000,385,164 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 11:00:41 | 000,054,682 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/10 11:00:40 | 000,443,254 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 10:37:08 | 000,449,192 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 10:25:20 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/10 10:17:03 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/10 09:30:13 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/05/06 17:06:13 | 000,001,353 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SCAN pst.lnk
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/23 11:28:18 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/04/22 18:12:28 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Eusing Free Registry Cleaner.lnk
[2010/04/22 13:46:02 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/14 17:53:17 | 001,319,585 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Goodmans GPS162R portable CD.PDF
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/08 13:58:30 | 000,293,376 | ---- | C] () -- C:\i6pndm98.exe
[2010/07/07 21:20:17 | 471,377,329 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\My Docs copy zipped 7.7.10.zipx
[2010/07/07 21:01:21 | 000,001,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2010/07/07 20:19:30 | 000,176,594 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Administrator.wab~
[2010/07/07 18:54:26 | 000,271,360 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Mailbox administrator copy folder 7.7.10.pst
[2010/07/07 18:48:48 | 000,525,312 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Contacts copy folder 7.7.10.pst
[2010/07/07 14:04:06 | 000,050,688 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/07/06 18:25:35 | 000,000,606 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\PeaZip.lnk
[2010/07/02 19:41:56 | 003,725,496 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix1.exe
[2010/07/02 14:34:04 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to My Computer (2).lnk
[2010/07/01 15:20:19 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/01 15:20:12 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/01 15:10:51 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/01 15:10:51 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/01 15:10:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/01 15:10:50 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/01 15:10:50 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/28 16:29:53 | 000,359,929 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/06/15 17:11:07 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/15 16:37:19 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/05/06 17:06:13 | 000,001,353 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SCAN pst.lnk
[2010/04/22 18:12:28 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Eusing Free Registry Cleaner.lnk
[2010/04/14 19:02:44 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/14 17:56:57 | 001,319,585 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Goodmans GPS162R portable CD.PDF
[2009/11/17 00:39:07 | 000,000,177 | ---- | C] () -- C:\WINDOWS\kpcms.ini
[2009/11/17 00:39:06 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2009/11/17 00:38:50 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\ImgLibLead.dll
[2009/11/17 00:38:49 | 000,100,864 | ---- | C] () -- C:\WINDOWS\System32\Dc50ip32.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/01/23 00:10:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mngui.INI
[2007/10/07 01:25:05 | 000,001,279 | ---- | C] () -- C:\WINDOWS\SpecEmuWindow.ini
[2007/05/20 01:06:34 | 000,000,150 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/04/22 08:05:56 | 000,000,060 | ---- | C] () -- C:\WINDOWS\easkdiry.ini
[2007/02/01 10:08:56 | 000,000,006 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/11/14 21:37:02 | 000,000,019 | ---- | C] () -- C:\WINDOWS\SoundConverter.INI
[2005/11/06 00:13:55 | 000,000,020 | ---- | C] () -- C:\WINDOWS\TemplateWizard.INI
[2005/09/12 06:11:17 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/09/06 17:44:48 | 000,000,103 | ---- | C] () -- C:\WINDOWS\Licence.ini
[2005/09/06 17:33:49 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\usqlcs32.dll
[2005/09/06 17:33:49 | 000,072,704 | ---- | C] () -- C:\WINDOWS\System32\CCmove32.dll
[2005/09/06 17:33:49 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\CCCHNG32.dll
[2005/09/04 13:09:43 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\MpfApi.dll
[2005/09/04 13:09:42 | 000,055,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\MpFirewall.sys
[2005/09/04 12:00:09 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/09/03 19:58:29 | 000,000,543 | ---- | C] () -- C:\WINDOWS\AppRun.ini
[2005/09/01 22:42:11 | 000,000,620 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/01 21:37:30 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/09/01 21:37:30 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/09/01 21:37:30 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/09/01 21:37:30 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/09/01 21:37:30 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/09/01 21:37:30 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/09 23:13:31 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/08/09 23:13:31 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/08/09 23:12:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/02/15 07:40:57 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/02/15 07:33:45 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/10/26 19:30:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/10/26 12:06:04 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2004/08/07 14:19:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 14:12:40 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/06/01 10:39:56 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2004/01/13 19:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/03/27 17:28:44 | 000,004,955 | ---- | C] () -- C:\WINDOWS\System32\DProg.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/15 23:29:04 | 000,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 18:18:00 | 000,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2000/09/13 19:15:38 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pagesync.dll
[1998/05/07 03:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll

========== LOP Check ==========

[2008/09/04 00:41:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Agyvak
[2010/01/09 15:46:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Canon
[2006/04/11 08:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DataLayer
[2006/11/24 17:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Flickr
[2009/11/05 19:13:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit
[2009/12/14 16:59:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit Software
[2009/11/05 19:03:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FreshDiagnose
[2005/09/07 22:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo
[2005/10/26 22:44:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2005/11/11 16:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nokia
[2007/01/21 20:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nvu
[2010/07/06 12:36:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ozxi
[2005/11/14 21:48:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PC Suite
[2010/07/06 18:37:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PeaZip
[2010/07/06 19:25:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\POP Peeper
[2010/02/16 20:07:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Search Settings
[2007/09/28 17:41:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Teleca
[2008/03/25 23:23:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2010/02/16 20:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\YouTube Downloader
[2009/12/12 22:13:12 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2007/03/20 12:48:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus for Windows Workstations
[2008/03/25 20:01:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2005/09/03 21:09:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/07/07 21:02:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/06/24 12:14:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/07/06 16:47:19 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/07/08 00:45:00 | 000,000,406 | -H-- | M] () -- C:\WINDOWS\Tasks\{FA758EFE-AE36-425B-A409-37236371032C}_NX8220_Administrator.job

========== Purity Check ==========

========== Custom Scans ==========

< MD5 for: AGP440.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/11/11 22:57:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/11/11 22:57:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/11/11 22:57:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/11/11 22:57:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 01:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 09:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 09:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 09:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 68 bytes -> C:\WINDOWS\wmp11.log:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\twain_32.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\zipfldr.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xpsp3res.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xpsp2res.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xpsp1res.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xpob2res.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\xmlprovi.dll:KAVICHS
@Alternate Data Stream - 68 bytes -> C:\WINDOWS\System32\wzcsapi.dll:KAVICHS

Edit to remove redundant entries
Indi

Edited by IndiGenus, 08 July 2010 - 11:06 AM.

#42 bar457

Authentic Member

Authentic Member
183 posts

Posted 08 July 2010 - 10:56 AM

EDIT TO REMOVE REDUNDANT ENTRIES: dave @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk:KAVICHS @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk:KAVICHS @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Desktop\Acrobat.com.lnk:KAVICHS @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk:KAVICHS @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\Administrator\Desktop\FreshDownload.lnk:KAVICHS @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\Administrator\Desktop\FreshDiagnose.lnk:KAVICHS @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\Administrator\Desktop\CleanUp.lnk:KAVICHS < End of report >

Edited by IndiGenus, 08 July 2010 - 11:05 AM.

#43 bar457

Authentic Member

Authentic Member
183 posts

Posted 08 July 2010 - 11:02 AM

By the way the OTL report is only as one file, there is no Extras.txt Also in the lower part of the scan screen, the following is showing if it means anything:- ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys /md5stop rgds bar457

#44 IndiGenus

Teacher Emeritus

Authentic Member
5,251 posts

Interests:Computer Security, Music, Sports

Posted 08 July 2010 - 11:07 AM

I'll look into the Kaspersky file streams. I think I read there is something you need to check off when uninstalling to remove those. Can you see these files? C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ntuser_mssec.exe C:\ntuser_mssec.exe

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then

Logs will be closed if you haven't replied within 5 days

Proud Graduate of TC/WTT Classroom

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#45 bar457

Authentic Member

Authentic Member
183 posts

Posted 08 July 2010 - 11:48 AM

No neither The first \startup folder is empty The second I don't have

Body Background

skin color theme