[Linda50]

I am trying to fix a desktop computer for a coworker. I don't know much about it other than it's running Windows XP and it won't boot in any mode, including safe mode with a command prompt. The message in the topic title occurs each time. I found another topic on here with identical symptoms so I made a boot CD with OTLPE and did a scan, including the part with atapi.sys in it. I am attaching the otl.txt from that activity.

I believe that the computer got one of those antivirus malware programs, but I don't know what the owner did to fix it, and quite honestly I don't think she does either. I'm sure there was some registry editing and some msconfig, but she doesn't keep track of what she changes or keep a backup.

Thanks in advance. This is a fantastic site.

Attached Files

•  OTL.Txt   36.97KB   343 downloads

[Advertisements]

Hello Linda50!

Welcome to the site! My nickname is heir and I'll be helping clean up your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:

• To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Virus, Spyware and Trojan Removal..
• Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
• When posting logs, please ensure Wordwrap is turned off in Notepad (to check, open Notepad in the menubar click on Format and make sure that Word Wrap is unchecked)
• Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
• NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
• Make sure you reply to this thread using the Add Reply button:

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required when you won't have access to Internet.

Let's see if we can bring it back to life then.

Step 1.
OTLPE-fix:

Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB

 Fix.txt   97bytes   438 downloads

• Insert your USB drive with fix.txt on it
• Start OTLPE
• Drag and drop fix.txt into the Custom scans and fixes box
• If you cannot drag and drop for some reason. Then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done to normal mode if possible

Step 2.
Things I would like to see in your reply:

• The content of the fix-log from OTLPE in step 1.
• Information on if you were able to boot into normal mode.

[heir]

Hello Linda50!

Welcome to the site! My nickname is heir and I'll be helping clean up your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:

• To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Virus, Spyware and Trojan Removal..
• Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
• When posting logs, please ensure Wordwrap is turned off in Notepad (to check, open Notepad in the menubar click on Format and make sure that Word Wrap is unchecked)
• Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
• NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
• Make sure you reply to this thread using the Add Reply button:

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required when you won't have access to Internet.

Let's see if we can bring it back to life then.

Step 1.
OTLPE-fix:

Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB

 Fix.txt   97bytes   438 downloads

• Insert your USB drive with fix.txt on it
• Start OTLPE
• Drag and drop fix.txt into the Custom scans and fixes box
• If you cannot drag and drop for some reason. Then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done to normal mode if possible

Step 2.
Things I would like to see in your reply:

• The content of the fix-log from OTLPE in step 1.
• Information on if you were able to boot into normal mode.

[Linda50]

The following lines were in the log from running the fix. I am not permitted to upload the log file.

========== FILES ==========
File C:\WINDOWS\system32\drivers\atapi.sys successfully replaced with C:\WINDOWS\system32\dllcache\atapi.sys

OTLPE by OldTimer - Version 3.1.30.3 log created on 02282010_230054


I have not done anything else yet except reboot, and the computer does indeed boot to windows normally, so the fix was effective. Tomorrow afternoon, I will check back on this site and read your response, but I suspect that I need to go through the malware removal steps now that I can actually copy stuff to the desktop.

Thanks for your quick help.

[heir]

I suspect that I need to go through the malware removal steps now that I can actually copy stuff to the desktop.

That's correct.

Please follow this guide a come back here with logs from MBAM, OTL and GMER.

[Linda50]

OK,I have attached three files here. GMER did not find anything and the log file is empty. It would not upload. IE is not working well on the computer, but Firefox seems to be fine. I ran a virus scan using Antivirus Soft Platinum, which was installed and which I updated prior to running the scan. That scan found nothing. All I have left to do is delete the files I added,unless there is something in one of the log files that worries you. Thank you very much for the help.

 Fix.txt   97bytes   193 downloads  OTL1.Txt   38.71KB   209 downloads  mbam_log_2010_03_01__00_04_05_.txt   2.01KB   221 downloads

OTL logfile created on: 3/1/2010 12:29:58 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Administrator.DFC5123AF4\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 297.00 Mb Available Physical Memory | 59.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 25.84 Gb Free Space | 69.35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 3.74 Gb Total Space | 3.73 Gb Free Space | 99.89% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DFC5123AF4
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/01 00:27:52 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\OTL.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [1997/07/11 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (SafeList) ==========

MOD - [2010/03/01 00:27:52 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/02/12 06:17:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/14 16:21:24 | 000,155,648 | ---- | M] (Dassault Systèmes SolidWorks Corp.) -- C:\Program Files\Mozilla Firefox\plugins\npEModelPlugin.dll
[2010/01/13 14:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll
[2009/12/07 13:00:16 | 000,003,700 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fast.png
[2009/12/07 13:00:17 | 000,001,961 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fast.xml

O1 HOSTS File: ([2010/02/01 19:39:53 | 000,377,755 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13022 more lines...
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.205.192.61 68.116.46.115 71.9.127.107
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/10/05 22:35:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 04:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/02/16 09:43:58 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/01 00:27:48 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\OTL.exe
[2010/02/28 23:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Malwarebytes
[2010/02/28 23:36:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/28 23:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/28 23:36:36 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/28 23:36:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/28 23:23:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/28 23:22:49 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/02/28 23:19:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\U3
[2010/02/28 23:04:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\My Documents\My Pictures
[2010/02/28 23:04:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\My Documents\My Music
[2010/02/28 23:04:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Identities
[2010/02/28 23:03:43 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Microsoft
[2010/02/28 23:03:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data
[2010/02/28 23:03:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Favorites
[2010/02/28 23:03:43 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Cookies
[2010/02/28 23:03:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Local Settings\Application Data\Microsoft
[2010/02/28 23:03:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop
[2010/02/28 23:03:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\SendTo
[2010/02/28 23:03:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Recent
[2010/02/28 23:03:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\My Documents
[2010/02/28 23:03:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\PrintHood
[2010/02/28 23:03:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\NetHood
[2010/02/28 23:03:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Local Settings
[2010/02/28 23:03:41 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Start Menu
[2010/02/28 23:03:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Templates
[2010/02/28 20:00:54 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/01 20:20:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/01 20:18:52 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/01 20:18:52 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/01 20:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/11/14 11:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/14 11:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

========== Files - Modified Within 14 Days ==========

[2010/03/01 00:27:52 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\OTL.exe
[2010/03/01 00:08:37 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\gmer.exe
[2010/03/01 00:05:17 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/01 00:05:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/01 00:05:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/01 00:04:38 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\NTUSER.DAT
[2010/03/01 00:04:38 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\ntuser.ini
[2010/03/01 00:04:36 | 003,754,576 | -H-- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Local Settings\Application Data\IconCache.db
[2010/02/28 23:36:41 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/28 23:22:50 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\NTREGOPT.lnk
[2010/02/28 23:22:50 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\ERUNT.lnk
[2010/02/28 23:06:05 | 000,441,432 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/02/28 23:06:05 | 000,071,176 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/02/28 23:05:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/28 23:04:23 | 000,000,862 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/28 23:03:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/28 23:03:10 | 000,090,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/28 18:49:37 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/02/28 18:49:36 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

========== Files Created - No Company Name ==========

[2010/02/28 23:36:41 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/28 23:22:50 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\NTREGOPT.lnk
[2010/02/28 23:22:49 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\ERUNT.lnk
[2010/02/28 23:03:47 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator.DFC5123AF4\ntuser.ini
[2010/02/28 23:03:41 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator.DFC5123AF4\NTUSER.DAT
[2009/10/31 15:50:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2009/09/17 12:24:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2009/09/17 11:32:12 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/09/17 11:28:00 | 000,000,060 | ---- | C] () -- C:\WINDOWS\EPNX510.ini
[2009/02/19 07:15:38 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/19 07:15:38 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[1997/07/11 00:00:00 | 000,031,232 | ---- | C] () -- C:\WINDOWS\System32\XLREC.DLL
[1997/07/11 00:00:00 | 000,025,600 | ---- | C] () -- C:\WINDOWS\System32\RECNCL.DLL
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/07/11 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2009/03/06 10:51:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2009/11/30 12:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/09/17 11:34:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2004/10/06 04:23:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse
[2004/10/23 20:35:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/10/27 07:14:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno
[2010/02/09 21:13:03 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/02/17 05:54:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/02/17 05:54:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/02/17 05:54:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/02/17 05:54:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 04:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 04:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/04/25 07:28:14 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2005/05/17 14:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2005/05/17 14:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 04:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/01/05 02:00:20 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/01/05 02:00:21 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/02/16 09:48:27 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/02/16 09:48:27 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/02/16 09:48:27 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:331AD5E9
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1AD67EE4
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:55020C86
< End of report >



Malwarebytes' Anti-Malware 1.44
Database version: 3808
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/1/2010 12:04:05 AM
mbam-log-2010-03-01 (00-04-05).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 173511
Time elapsed: 25 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\My Documents\Downloads\CursorManiaSetup2.3.50.57.SA.HP.ZCfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\My Documents\Downloads\MyWebFaceSetup2.3.50.57.GRfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\My Documents\Downloads\SmileyCentralSetup2.3.50.57.SA.HP.ZSfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89B000C5-B97B-4DE4-828A-90ADF0F6C4AC}\RP1\A0000038.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89B000C5-B97B-4DE4-828A-90ADF0F6C4AC}\RP1\A0000039.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D44D1631-7575-4C65-A1B8-F2CF71FA228B}\RP142\A0050993.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D44D1631-7575-4C65-A1B8-F2CF71FA228B}\RP139\A0050760.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00004f90.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

Edited by heir, 01 March 2010 - 08:34 AM.
Pasted the logs

[Linda50]

Oops, late night last night and I see that one of the files I attached was the one you sent me. Here's the right one.

 Extras.Txt   17.18KB   193 downloads

OTL Extras logfile created on: 3/1/2010 12:29:58 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Administrator.DFC5123AF4\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 297.00 Mb Available Physical Memory | 59.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 25.84 Gb Free Space | 69.35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 3.74 Gb Total Space | 3.73 Gb Free Space | 99.89% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DFC5123AF4
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ERUNT_is1" = ERUNT 1.1j
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/29/2009 12:38:10 PM | Computer Name = DFC5123AF4 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 1/1/2010 1:35:56 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/1/2010 1:36:34 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/5/2010 1:00:36 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/30/2010 3:08:48 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/30/2010 3:12:35 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 2/1/2010 1:02:41 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 3/1/2010 3:06:02 AM | Computer Name = DFC5123AF4 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2550, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 3/1/2010 3:06:02 AM | Computer Name = DFC5123AF4 | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 3/1/2010 3:06:05 AM | Computer Name = DFC5123AF4 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2550, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

[ System Events ]
Error - 2/1/2010 1:11:50 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 1:19:26 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 3:58:50 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 6:59:16 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 8:38:50 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 10:11:18 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 10:29:04 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 10:30:47 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd


< End of report >

Edited by heir, 01 March 2010 - 08:35 AM.
Pasted the log

[heir]

Please don't attach logs if I don't specifically ask you to as the work at my end becomes harder then.

Those logs looks very short.
Have you edited and removed lines from the logs?
If so don't and repost the complete logs.

Antivirus Soft Platinum is a fake AV don't use it or trust any messages from it.
We're going to get it of the computer in a moment.

Were you able to update MBAM correctly?
If not let me know if any error messages was presented.

EDITED: added

GMER did not find anything and the log file is empty

That was strange.
Please rerun GMER and post the log

Edited by heir, 01 March 2010 - 08:45 AM.
adding

[Linda50]

I updated MBAM and it seemed like it worked. I did not edit the log files at all, just copied them here. When GMER finished, there was a blank screen and when I saved it, it made a blank file. I can see that the computer also has AVG installed, but it isn't starting. I will redo the malware removal routine this afternoon and paste in the results this time. Thanks again.

[heir]

I updated MBAM and it seemed like it worked

OK.

I did not edit the log files at all, just copied them here

Thanks and sorry about that, the tool has been updated and the logs looks as they should

I will redo the malware removal routine this afternoon and paste in the results this time

No don't do that.

Do this:

Download ComboFix from one of these locations:

Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications.
  They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[Linda50]

OK. Combofix.exe installed the Windows Recovery Console then provided the log as follows:


ComboFix 10-03-01.01 - Administrator 03/01/2010 20:54:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.280 [GMT -8:00]
Running from: c:\documents and settings\Administrator.DFC5123AF4\Desktop\ComboFix.exe
AV: Antivirus Soft *On-access scanning enabled* (Updated) {B316C67E-09F1-44c7-85E0-94F6DA8A4AA1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-117609710-507921405-725345543-1003

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 04:44 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-03-02 04:44 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-03-01 09:04 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-03-01 09:00 . 2010-03-01 09:00 -------- d-----w- c:\documents and settings\Administrator.DFC5123AF4\Local Settings\Application Data\Mozilla
2010-03-01 08:58 . 2010-03-01 08:58 -------- d-----w- c:\documents and settings\Administrator.DFC5123AF4\Local Settings\Application Data\Identities
2010-03-01 08:48 . 2010-03-01 08:48 12328 ----a-w- c:\documents and settings\Administrator.DFC5123AF4\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-01 07:36 . 2010-03-01 07:36 -------- d-----w- c:\documents and settings\Administrator.DFC5123AF4\Application Data\Malwarebytes
2010-03-01 07:36 . 2010-03-01 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 07:19 . 2010-03-01 07:19 -------- d-----w- c:\documents and settings\Administrator.DFC5123AF4\Application Data\U3
2010-03-01 04:00 . 2010-03-01 04:00 -------- d-----w- C:\_OTL
2010-02-09 04:38 . 2009-09-05 01:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-02-09 04:37 . 2006-09-29 00:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-02-09 04:37 . 2010-02-09 04:37 -------- d-----w- c:\windows\Logs
2010-02-09 04:37 . 2010-02-09 04:37 -------- d-----w- c:\program files\Winamp Detect
2010-02-09 04:37 . 2010-02-09 04:50 -------- d-----w- c:\documents and settings\user\Application Data\Winamp
2010-02-09 03:57 . 2010-02-10 22:04 -------- d-----w- c:\documents and settings\user\Application Data\LimeWire
2010-02-09 03:56 . 2010-02-09 04:29 -------- d-----w- c:\program files\LimeWire
2010-02-09 00:11 . 2010-02-11 00:15 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\WeatherBug
2010-02-08 22:22 . 2010-02-08 22:22 -------- d-----w- c:\program files\AskBarDis
2010-02-08 22:22 . 2010-02-08 22:22 -------- d-----w- c:\documents and settings\user\Application Data\WeatherBug
2010-02-02 22:06 . 2010-02-02 22:09 -------- d-----w- c:\program files\Antivirus Soft Platinum
2010-02-02 22:06 . 2010-02-02 22:09 -------- d-----w- C:\avlog
2010-02-02 01:26 . 2010-02-02 22:10 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\ovyidt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 02:49 . 2004-08-04 12:00 574976 -cs-a-w- c:\windows\system32\drivers\ntfs.sys
2010-03-01 02:49 . 2004-08-04 12:00 2145280 --s-a-w- c:\windows\system32\ntoskrnl.exe
2010-02-09 04:38 . 2009-12-13 17:45 -------- d-----w- c:\program files\Winamp
2010-02-04 15:15 . 2009-11-14 19:00 -------- d-----w- c:\program files\Google
2010-02-02 04:20 . 2009-02-18 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-02 02:34 . 2009-02-18 05:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-01 17:09 . 2009-02-18 05:09 -------- d-----w- c:\program files\Lavasoft
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2009-02-17 02:03 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 02:51 . 2009-12-14 02:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-14 02:50 . 2009-12-14 02:50 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-14 02:49 . 2009-12-14 02:43 79488 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 19:00]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 19:00]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 20:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1940)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-03-01 20:59:06
ComboFix-quarantined-files.txt 2010-03-02 04:59

Pre-Run: 27,619,581,952 bytes free
Post-Run: 27,601,215,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DE882C4D5950B4DF087A48EF0534D9D0

[heir]

MBAM should remove Antivirus Soft.

Step 1.
Full MBAM-scan:

• Launch Malwarebytes' Anti-Malware
• Update Malwarebytes' Anti-Malware
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 2.
OTL-scan:

• Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Standard Output.
• Under Processes select All
• Under Modules select All
• Under Services select All
• Under Drivers select All
• Under Standard Registry select All
• Under Extra Registry select All
• Under the Custom Scan box paste this in
  
  

  netsvcs
  msconfig
  activex
  drivers32
  %SYSTEMDRIVE%\*.exe
  %ALLUSERSPROFILE%\Application Data\*.
  %ALLUSERSPROFILE%\Application Data\*.exe /s
  %APPDATA%\*.
  %APPDATA%\*.exe /s
  %systemroot%\*. /mp /s
  /md5start
  eventlog.dll
  scecli.dll
  netlogon.dll
  cngaudit.dll
  sceclt.dll
  ntelogon.dll
  logevent.dll
  iaStor.sys
  nvstor.sys
  atapi.sys
  IdeChnDr.sys
  viasraid.sys
  AGP440.sys
  vaxscsi.sys
  nvatabus.sys
  viamraid.sys
  nvata.sys
  nvgts.sys
  iastorv.sys
  ViPrt.sys
  eNetHook.dll
  ahcix86.sys
  KR10N.sys
  nvstor32.sys
  ahcix86s.sys
  nvrd32.sys
  symmpi.sys
  adp3132.sys
  mv61xx.sys
  /md5stop
  CREATERESTOREPOINT
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %systemroot%\System32\config\*.sav

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Step 2.
Things I would like to see in your reply:

• The content of the report from MBAM in step 1.
• The content of OTL.txt and Extras.txt from step 2.

[Linda50]

Antivirus Soft is still on the desktop and the .exe file is still on C:\Program Files. In addition, I found out that the owner of the computer actually PAID for the software, so I advised that he should call his credit card company. I also suggested that he should never buy anything that is advertised on a pop-up ad. Nothing in the Task Manager makes me believe that the antivirus soft program is actually running at this time. The last time I booted, it was running and I set it not to start on boot using the tools menu. Windows Explorer works better, but I cannot add to the favorites menu.

MBAM Log:

Malwarebytes' Anti-Malware 1.44
Database version: 3813
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/2/2010 6:56:55 AM
mbam-log-2010-03-02 (06-56-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 175104
Time elapsed: 30 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL.txt:

OTL logfile created on: 3/2/2010 4:15:29 PM - Run 2
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Administrator.DFC5123AF4\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 322.00 Mb Available Physical Memory | 64.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 25.69 Gb Free Space | 68.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DFC5123AF4
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (All) ==========

PRC - [2010/03/02 16:12:53 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\OTL.exe
PRC - [2009/02/06 03:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\services.exe
PRC - [2008/04/13 16:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winlogon.exe
PRC - [2008/04/13 16:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spoolsv.exe
PRC - [2008/04/13 16:12:36 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\smss.exe
PRC - [2008/04/13 16:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe [RPCSS]
PRC - [2008/04/13 16:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe [NETWORKSERVICE]
PRC - [2008/04/13 16:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe [NETSVCS]
PRC - [2008/04/13 16:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe [LOCALSERVICE]
PRC - [2008/04/13 16:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe [DCOMLAUNCH]
PRC - [2008/04/13 16:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2008/04/13 16:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lsass.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 16:12:15 | 000,006,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\csrss.exe
PRC - [2008/04/13 16:12:12 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\alg.exe
PRC - [1997/07/11 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (All) ==========

MOD - [2010/03/02 16:12:53 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\OTL.exe
MOD - [2009/12/08 01:23:28 | 000,474,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shlwapi.dll
MOD - [2009/06/25 00:25:26 | 000,056,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\secur32.dll
MOD - [2009/04/15 06:51:25 | 000,585,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rpcrt4.dll
MOD - [2009/03/21 06:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\kernel32.dll
MOD - [2009/02/09 04:10:48 | 000,714,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntdll.dll
MOD - [2009/02/09 04:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\advapi32.dll
MOD - [2008/10/23 04:36:14 | 000,286,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\gdi32.dll
MOD - [2008/06/17 11:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shell32.dll
MOD - [2008/04/14 05:42:06 | 000,985,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\setupapi.dll
MOD - [2008/04/13 16:12:51 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 16:12:45 | 000,146,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\winspool.drv
MOD - [2008/04/13 16:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\user32.dll
MOD - [2008/04/13 16:12:08 | 000,218,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\uxtheme.dll
MOD - [2008/04/13 16:12:08 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\version.dll
MOD - [2008/04/13 16:12:07 | 000,067,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\srclient.dll
MOD - [2008/04/13 16:12:03 | 000,023,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\psapi.dll
MOD - [2008/04/13 16:12:02 | 001,287,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ole32.dll
MOD - [2008/04/13 16:12:02 | 000,551,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\oleaut32.dll
MOD - [2008/04/13 16:12:02 | 000,084,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\olepro32.dll
MOD - [2008/04/13 16:12:01 | 000,343,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcrt.dll
MOD - [2008/04/13 16:11:53 | 000,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2008/04/13 16:11:51 | 000,276,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\comdlg32.dll


========== Win32 Services (All) ==========

SRV - [2009/06/09 22:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)
SRV - [2009/02/09 04:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
SRV - [2009/02/09 04:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs) Remote Procedure Call (RPC)
SRV - [2009/02/09 04:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (DcomLaunch)
SRV - [2009/02/06 03:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2009/02/06 03:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/07/07 12:26:58 | 000,253,952 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\es.dll -- (EventSystem)
SRV - [2008/06/20 09:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla) Network Location Awareness (NLA)
SRV - [2008/04/13 16:12:40 | 000,126,464 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\wbem\wmiapsrv.exe -- (WmiApSrv)
SRV - [2008/04/13 16:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/13 16:12:38 | 000,073,216 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tlntsvr.exe -- (TlntSvr)
SRV - [2008/04/13 16:12:38 | 000,018,432 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ups.exe -- (UPS)
SRV - [2008/04/13 16:12:36 | 000,057,856 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/13 16:12:35 | 000,089,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog)
SRV - [2008/04/13 16:12:34 | 000,141,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sessmgr.exe -- (RDSessMgr)
SRV - [2008/04/13 16:12:33 | 000,095,744 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\scardsvr.exe -- (SCardSvr)
SRV - [2008/04/13 16:12:29 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDEdsdm)
SRV - [2008/04/13 16:12:29 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDE)
SRV - [2008/04/13 16:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/13 16:12:27 | 000,006,144 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\msdtc.exe -- (MSDTC)
SRV - [2008/04/13 16:12:25 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\mnmsrvc.exe -- (mnmsrvc)
SRV - [2008/04/13 16:12:24 | 000,075,264 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\locator.exe -- (RpcLocator) Remote Procedure Call (RPC)
SRV - [2008/04/13 16:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2008/04/13 16:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/13 16:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/13 16:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (NtLmSsp)
SRV - [2008/04/13 16:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/13 16:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/13 16:12:17 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/13 16:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/13 16:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (COMSysApp)
SRV - [2008/04/13 16:12:14 | 000,033,280 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)
SRV - [2008/04/13 16:12:14 | 000,005,632 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)
SRV - [2008/04/13 16:12:12 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\alg.exe -- (ALG)
SRV - [2008/04/13 16:12:11 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2008/04/13 16:12:11 | 000,129,024 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\xmlprov.dll -- (xmlprov)
SRV - [2008/04/13 16:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/13 16:12:10 | 000,080,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
SRV - [2008/04/13 16:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2008/04/13 16:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc) Windows Image Acquisition (WIA)
SRV - [2008/04/13 16:12:08 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\upnphost.dll -- (upnphost)
SRV - [2008/04/13 16:12:08 | 000,175,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\w32time.dll -- (W32Time)
SRV - [2008/04/13 16:12:08 | 000,068,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\webclnt.dll -- (WebClient)
SRV - [2008/04/13 16:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/13 16:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2008/04/13 16:12:07 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/13 16:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/13 16:12:07 | 000,096,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2008/04/13 16:12:07 | 000,090,112 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\trkwks.dll -- (TrkWks)
SRV - [2008/04/13 16:12:07 | 000,071,680 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\ssdpsrv.dll -- (SSDPSRV)
SRV - [2008/04/13 16:12:05 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/13 16:12:05 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/13 16:12:05 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/13 16:12:05 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/13 16:12:05 | 000,039,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\sens.dll -- (SENS)
SRV - [2008/04/13 16:12:05 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/13 16:12:04 | 000,059,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\regsvc.dll -- (RemoteRegistry)
SRV - [2008/04/13 16:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2008/04/13 16:12:03 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2008/04/13 16:12:03 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/13 16:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/13 16:12:02 | 000,038,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2008/04/13 16:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/04/13 16:11:59 | 000,033,792 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\msgsvc.dll -- (Messenger)
SRV - [2008/04/13 16:11:57 | 000,053,248 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\mprdim.dll -- (RemoteAccess)
SRV - [2008/04/13 16:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/13 16:11:55 | 000,331,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess) Windows Firewall/Internet Connection Sharing (ICS)
SRV - [2008/04/13 16:11:54 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2008/04/13 16:11:53 | 000,023,040 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ersvc.dll -- (ERSvc)
SRV - [2008/04/13 16:11:52 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2008/04/13 16:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/13 16:11:51 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2008/04/13 16:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/13 16:11:50 | 000,077,824 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/13 16:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/13 16:11:49 | 000,167,936 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\appmgmts.dll -- (AppMgmt)
SRV - [2008/04/13 16:11:49 | 000,017,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\alrsvc.dll -- (Alerter)
SRV - [2006/10/18 21:47:16 | 000,027,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\mspmsnsv.dll -- (WmdmPmSN)
SRV - [2004/08/04 04:00:00 | 000,132,608 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsvp.exe -- (RSVP)


========== Driver Services (All) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ViaIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ultra)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (TosIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (symc8xx)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (symc810)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (sym_u3)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (sym_hi)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Sparrow)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Simbad)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1280)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1240)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql12160)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Ql10wnt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1080)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (perc2hib)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (perc2)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (mraid35x)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ini910u)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (i2omp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (hpn)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (dpti2o)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (dac960nt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Cpqarray)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (CmdIde)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (cd20xrnt)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Atdisk)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc3550)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc3350p)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (amsint)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (AliIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (aic78xx)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (aic78u2)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Aha154x)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (adpu160m)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (abp480n5)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Abiosdsk)
DRV - [2010/02/28 18:49:35 | 000,574,976 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\ntfs.sys -- (Ntfs)
DRV - [2009/12/31 08:50:03 | 000,353,792 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\srv.sys -- (Srv)
DRV - [2009/12/04 10:22:22 | 000,455,424 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\mrxsmb.sys -- (MRxSmb)
DRV - [2009/10/20 08:20:16 | 000,265,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\http.sys -- (HTTP)
DRV - [2009/06/24 03:18:41 | 000,092,928 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ksecdd.sys -- (KSecDD)
DRV - [2008/08/14 02:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2008/06/20 03:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip.sys -- (Tcpip)
DRV - [2008/04/13 16:13:22 | 000,139,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rdpwd.sys -- (RDPWD)
DRV - [2008/04/13 16:13:21 | 000,021,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tdtcp.sys -- (TDTCP)
DRV - [2008/04/13 16:13:20 | 000,040,840 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\termdd.sys -- (TermDD)
DRV - [2008/04/13 16:13:20 | 000,012,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tdpipe.sys -- (TDPIPE)
DRV - [2008/04/13 11:28:39 | 000,175,744 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\rdbss.sys -- (Rdbss)
DRV - [2008/04/13 11:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2008/04/13 11:20:42 | 000,091,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndiswan.sys -- (NdisWan)
DRV - [2008/04/13 11:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ndis.sys -- (NDIS)
DRV - [2008/04/13 11:19:48 | 000,048,384 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspptp.sys -- (PptpMiniport) WAN Miniport (PPTP)
DRV - [2008/04/13 11:19:43 | 000,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rasl2tp.sys -- (Rasl2tp) WAN Miniport (L2TP)
DRV - [2008/04/13 11:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ipsec.sys -- (IPSec)
DRV - [2008/04/13 11:18:00 | 000,052,480 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2008/04/13 11:17:18 | 000,083,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wdmaud.sys -- (wdmaud)
DRV - [2008/04/13 11:17:05 | 000,105,344 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\mup.sys -- (Mup)
DRV - [2008/04/13 11:15:55 | 000,060,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sysaudio.sys -- (sysaudio)
DRV - [2008/04/13 11:15:45 | 000,064,512 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\serial.sys -- (Serial)
DRV - [2008/04/13 11:14:29 | 000,143,744 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\fastfat.sys -- (Fastfat)
DRV - [2008/04/13 11:14:21 | 000,063,744 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cdfs.sys -- (Cdfs)
DRV - [2008/04/13 11:00:19 | 000,030,080 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\modem.sys -- (Modem)
DRV - [2008/04/13 10:57:32 | 000,041,472 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspppoe.sys -- (RasPppoe)
DRV - [2008/04/13 10:57:29 | 000,040,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndproxy.sys -- (NDProxy)
DRV - [2008/04/13 10:57:27 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\asyncmac.sys -- (AsyncMac)
DRV - [2008/04/13 10:57:27 | 000,010,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndistapi.sys -- (NdisTapi)
DRV - [2008/04/13 10:57:21 | 000,034,560 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanarp.sys -- (Wanarp)
DRV - [2008/04/13 10:57:15 | 000,152,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipnat.sys -- (IpNat)
DRV - [2008/04/13 10:57:07 | 000,020,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipinip.sys -- (IpInIp)
DRV - [2008/04/13 10:56:38 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psched.sys -- (PSched)
DRV - [2008/04/13 10:56:32 | 000,035,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msgpc.sys -- (Gpc)
DRV - [2008/04/13 10:56:02 | 000,034,688 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\netbios.sys -- (NetBIOS)
DRV - [2008/04/13 10:55:58 | 000,014,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndisuio.sys -- (Ndisuio)
DRV - [2008/04/13 10:54:28 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irenum.sys -- (IRENUM)
DRV - [2008/04/13 10:53:34 | 000,036,608 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ip6fw.sys -- (Ip6Fw)
DRV - [2008/04/13 10:51:25 | 000,059,904 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atmarpc.sys -- (Atmarpc)
DRV - [2008/04/13 10:45:39 | 000,032,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccgp.sys -- (usbccgp)
DRV - [2008/04/13 10:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbstor.sys -- (USBSTOR)
DRV - [2008/04/13 10:45:37 | 000,059,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbhub.sys -- (usbhub)
DRV - [2008/04/13 10:45:35 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbehci.sys -- (usbehci)
DRV - [2008/04/13 10:45:35 | 000,020,608 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbuhci.sys -- (usbuhci)
DRV - [2008/04/13 10:45:27 | 000,010,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hidusb.sys -- (hidusb)
DRV - [2008/04/13 10:45:13 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\drmkaud.sys -- (drmkaud)
DRV - [2008/04/13 10:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 10:45:09 | 000,172,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\kmixer.sys -- (kmixer)
DRV - [2008/04/13 10:45:09 | 000,056,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swmidi.sys -- (swmidi)
DRV - [2008/04/13 10:45:07 | 000,006,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\splitter.sys -- (splitter)
DRV - [2008/04/13 10:45:01 | 000,052,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dmusic.sys -- (DMusic)
DRV - [2008/04/13 10:44:48 | 000,799,744 | ---- | M] (Microsoft Corp., Veritas Software) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2008/04/13 10:44:46 | 000,153,344 | ---- | M] (Microsoft Corp., Veritas Software) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\dmio.sys -- (dmio)
DRV - [2008/04/13 10:44:40 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vga.sys -- (VgaSave)
DRV - [2008/04/13 10:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\volsnap.sys -- (VolSnap)
DRV - [2008/04/13 10:40:58 | 000,042,112 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\imapi.sys -- (Imapi)
DRV - [2008/04/13 10:40:49 | 000,019,712 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\partmgr.sys -- (PartMgr)
DRV - [2008/04/13 10:40:48 | 000,011,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\sfloppy.sys -- (Sfloppy)
DRV - [2008/04/13 10:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\disk.sys -- (Disk)
DRV - [2008/04/13 10:40:46 | 000,062,976 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrom.sys -- (Cdrom)
DRV - [2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2008/04/13 10:40:29 | 000,005,504 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\intelide.sys -- (IntelIde)
DRV - [2008/04/13 10:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\redbook.sys -- (redbook)
DRV - [2008/04/13 10:40:25 | 000,027,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fdc.sys -- (Fdc)
DRV - [2008/04/13 10:40:25 | 000,020,480 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\flpydisk.sys -- (Flpydisk)
DRV - [2008/04/13 10:40:12 | 000,015,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\serenum.sys -- (serenum)
DRV - [2008/04/13 10:40:10 | 000,080,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\parport.sys -- (Parport)
DRV - [2008/04/13 10:39:53 | 000,004,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\swenum.sys -- (swenum)
DRV - [2008/04/13 10:39:52 | 000,007,552 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mskssrv.sys -- (MSKSSRV)
DRV - [2008/04/13 10:39:51 | 000,004,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mspqm.sys -- (MSPQM)
DRV - [2008/04/13 10:39:50 | 000,005,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mspclock.sys -- (MSPCLOCK)
DRV - [2008/04/13 10:39:48 | 000,014,592 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid)
DRV - [2008/04/13 10:39:47 | 000,024,576 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kbdclass.sys -- (Kbdclass)
DRV - [2008/04/13 10:39:47 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mouclass.sys -- (Mouclass)
DRV - [2008/04/13 10:39:46 | 000,384,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\update.sys -- (Update)
DRV - [2008/04/13 10:39:46 | 000,042,368 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mountmgr.sys -- (MountMgr)
DRV - [2008/04/13 10:36:52 | 000,073,472 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sr.sys -- (sr)
DRV - [2008/04/13 10:36:46 | 000,015,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mssmbios.sys -- (mssmbios)
DRV - [2008/04/13 10:36:44 | 000,068,224 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pci.sys -- (PCI)
DRV - [2008/04/13 10:36:43 | 000,120,192 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\pcmcia.sys -- (Pcmcia)
DRV - [2008/04/13 10:36:41 | 000,037,248 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\isapnp.sys -- (isapnp)
DRV - [2008/04/13 10:36:35 | 000,187,776 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ACPI.sys -- (ACPI)
DRV - [2008/04/13 10:33:28 | 000,044,544 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fips.sys -- (Fips)
DRV - [2008/04/13 10:32:59 | 000,129,792 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\fltMgr.sys -- (FltMgr)
DRV - [2008/04/13 10:32:51 | 000,196,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rdpdr.sys -- (rdpdr)
DRV - [2008/04/13 10:32:44 | 000,180,608 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2008/04/13 10:32:39 | 000,030,848 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\npfs.sys -- (Npfs)
DRV - [2008/04/13 10:32:39 | 000,019,072 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\msfs.sys -- (Msfs)
DRV - [2008/04/13 10:32:36 | 000,066,048 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\udfs.sys -- (Udfs)
DRV - [2008/04/13 10:31:32 | 000,036,352 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\intelppm.sys -- (intelppm)
DRV - [2008/04/13 08:39:23 | 000,142,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aec.sys -- (aec)
DRV - [2008/04/13 08:39:15 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2006/05/10 15:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/03/21 17:48:30 | 000,039,904 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\cercsr6.sys -- (cercsr6)
DRV - [2004/08/04 04:00:00 | 000,125,056 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftdisk.sys -- (Ftdisk)
DRV - [2004/08/04 04:00:00 | 000,032,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipfltdrv.sys -- (IpFilterDriver)
DRV - [2004/08/04 04:00:00 | 000,032,512 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkfwd.sys -- (NwlnkFwd)
DRV - [2004/08/04 04:00:00 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\cdaudio.sys -- (Cdaudio)
DRV - [2004/08/04 04:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 04:00:00 | 000,016,512 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspti.sys -- (Raspti)
DRV - [2004/08/04 04:00:00 | 000,013,952 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cbidf2k.sys -- (cbidf2k)
DRV - [2004/08/04 04:00:00 | 000,012,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkflt.sys -- (NwlnkFlt)
DRV - [2004/08/04 04:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mouhid.sys -- (mouhid)
DRV - [2004/08/04 04:00:00 | 000,011,648 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\acpiec.sys -- (ACPIEC)
DRV - [2004/08/04 04:00:00 | 000,008,832 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rasacd.sys -- (RasAcd)
DRV - [2004/08/04 04:00:00 | 000,006,784 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\parvdm.sys -- (ParVdm)
DRV - [2004/08/04 04:00:00 | 000,005,888 | ---- | M] (Microsoft Corp., Veritas Software.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\dmload.sys -- (dmload)
DRV - [2004/08/04 04:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rdpcdd.sys -- (RDPCDD)
DRV - [2004/08/04 04:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mnmdd.sys -- (mnmdd)
DRV - [2004/08/04 04:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\beep.sys -- (Beep)
DRV - [2004/08/04 04:00:00 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\null.sys -- (Null)
DRV - [2001/08/17 13:51:52 | 000,003,328 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pciide.sys -- (PCIIde)
DRV - [2001/08/17 05:59:44 | 000,003,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\audstub.sys -- (audstub)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.7


[2010/03/01 01:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Mozilla\Extensions
[2010/03/01 01:00:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/03/01 01:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Mozilla\Firefox\Profiles\3vae4nkh.default\extensions
[2010/02/12 06:17:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/05 17:54:59 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/12/14 05:51:27 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2010/01/05 17:54:53 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/01/05 17:54:54 | 000,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/12/13 18:51:01 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/10/14 16:21:24 | 000,155,648 | ---- | M] (Dassault Systèmes SolidWorks Corp.) -- C:\Program Files\Mozilla Firefox\plugins\npEModelPlugin.dll
[2010/01/05 17:54:55 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2008/10/14 20:33:30 | 000,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2010/01/13 14:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll
[2009/07/15 10:10:00 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/07/15 10:10:00 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/07/31 20:40:52 | 000,001,498 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2009/07/15 10:10:00 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/07/15 10:10:00 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/12/07 13:00:16 | 000,003,700 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fast.png
[2009/12/07 13:00:17 | 000,001,961 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fast.xml
[2009/07/15 10:10:00 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/07/15 10:10:00 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

O1 HOSTS File: ([2010/02/01 19:39:53 | 000,377,755 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13022 more lines...
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.205.192.61 68.116.46.115 71.9.127.107
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/10/05 22:35:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/02/16 09:43:58 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/02 16:12:50 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\OTL.exe
[2010/03/02 16:12:19 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\TFC.exe
[2010/03/01 21:26:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/01 21:26:49 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/01 21:26:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/01 21:25:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/01 21:23:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/03/01 20:59:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/03/01 20:53:49 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/01 20:53:03 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/01 20:53:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/01 20:53:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/01 20:53:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/01 20:50:20 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/01 20:47:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\My Documents\Downloads
[2010/03/01 20:44:08 | 000,060,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\USBAUDIO.sys
[2010/03/01 20:44:08 | 000,060,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbaudio.sys
[2010/03/01 01:04:15 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\My Documents\My Videos
[2010/03/01 01:00:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Local Settings\Application Data\Mozilla
[2010/03/01 01:00:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Mozilla
[2010/03/01 00:58:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Local Settings\Application Data\Identities
[2010/02/28 23:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Malwarebytes
[2010/02/28 23:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/28 23:23:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/28 23:19:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\U3
[2010/02/28 23:04:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\My Documents\My Pictures
[2010/02/28 23:04:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\My Documents\My Music
[2010/02/28 23:04:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Identities
[2010/02/28 23:03:43 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Microsoft
[2010/02/28 23:03:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data
[2010/02/28 23:03:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Favorites
[2010/02/28 23:03:43 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Cookies
[2010/02/28 23:03:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Local Settings\Application Data\Microsoft
[2010/02/28 23:03:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop
[2010/02/28 23:03:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\SendTo
[2010/02/28 23:03:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Recent
[2010/02/28 23:03:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\My Documents
[2010/02/28 23:03:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\PrintHood
[2010/02/28 23:03:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\NetHood
[2010/02/28 23:03:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Local Settings
[2010/02/28 23:03:41 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Start Menu
[2010/02/28 23:03:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.DFC5123AF4\Templates
[2010/02/28 20:00:54 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/08 20:38:03 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2010/02/08 20:37:55 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2010/02/08 20:37:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2010/02/08 20:37:29 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp Detect
[2010/02/08 19:56:49 | 000,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2010/02/08 14:22:53 | 000,000,000 | ---D | C] -- C:\Program Files\AskBarDis
[2010/02/02 14:06:32 | 000,000,000 | ---D | C] -- C:\avlog
[2010/02/02 14:06:32 | 000,000,000 | ---D | C] -- C:\Program Files\Antivirus Soft Platinum
[2010/02/01 20:20:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/01 20:18:52 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/01 20:18:52 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/01 20:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/11/14 11:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/14 11:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

========== Files - Modified Within 30 Days ==========

[2010/03/02 16:12:53 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\OTL.exe
[2010/03/02 16:12:45 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\NTUSER.DAT
[2010/03/02 16:12:20 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\TFC.exe
[2010/03/02 16:11:39 | 000,000,140 | ---- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\New Internet Shortcut.url
[2010/03/02 16:05:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/02 11:05:00 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/02 06:12:52 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/02 06:12:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/01 22:01:03 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\ntuser.ini
[2010/03/01 22:01:00 | 002,695,448 | -H-- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Local Settings\Application Data\IconCache.db
[2010/03/01 21:27:40 | 000,000,705 | ---- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\Shortcut to firefox.exe.lnk
[2010/03/01 20:57:48 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/01 20:53:54 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/01 20:48:05 | 003,875,750 | R--- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\ComboFix.exe
[2010/03/01 00:54:32 | 000,000,028 | ---- | M] () -- C:\WINDOWS\Administrator.acl
[2010/03/01 00:48:08 | 000,012,328 | ---- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/01 00:08:37 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\gmer.exe
[2010/02/28 23:06:05 | 000,441,432 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/02/28 23:06:05 | 000,071,176 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/02/28 23:04:23 | 000,000,862 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/28 23:03:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/28 23:03:10 | 000,090,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/28 18:49:37 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/02/28 18:49:36 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/02/28 18:49:33 | 000,134,400 | --S- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\HAL.DLL
[2010/02/28 18:49:32 | 002,145,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntoskrnl.exe
[2010/02/12 16:45:21 | 000,004,717 | -H-- | M] () -- C:\ffastun.ffa
[2010/02/12 16:45:19 | 000,114,688 | -H-- | M] () -- C:\ffastun.ffo
[2010/02/12 16:45:00 | 000,278,528 | -H-- | M] () -- C:\ffastun.ffl
[2010/02/12 16:44:59 | 000,749,568 | -H-- | M] () -- C:\ffastun0.ffx
[2010/02/10 07:26:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/08 20:38:07 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Winamp.lnk
[2010/02/04 07:16:32 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/02/02 14:09:23 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Antivirus Soft Platinum.lnk
[2010/02/01 19:45:27 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/02/01 19:39:53 | 000,377,755 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

========== Files Created - No Company Name ==========

[2010/03/02 16:11:29 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\New Internet Shortcut.url
[2010/03/01 21:27:40 | 000,000,705 | ---- | C] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\Shortcut to firefox.exe.lnk
[2010/03/01 20:53:54 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/01 20:53:51 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/01 20:53:03 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/01 20:53:03 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/01 20:53:03 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/01 20:53:03 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/01 20:53:03 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/01 20:47:53 | 003,875,750 | R--- | C] () -- C:\Documents and Settings\Administrator.DFC5123AF4\Desktop\ComboFix.exe
[2010/03/01 00:54:32 | 000,000,028 | ---- | C] () -- C:\WINDOWS\Administrator.acl
[2010/02/28 23:03:47 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator.DFC5123AF4\ntuser.ini
[2010/02/28 23:03:41 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\Administrator.DFC5123AF4\NTUSER.DAT
[2010/02/08 20:38:07 | 000,000,654 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Winamp.lnk
[2010/02/04 07:16:32 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/02/02 14:09:23 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Antivirus Soft Platinum.lnk
[2010/02/01 19:45:31 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
[2010/02/01 19:45:31 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
[2009/10/31 15:50:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2009/09/17 12:24:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2009/09/17 11:32:12 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/09/17 11:28:00 | 000,000,060 | ---- | C] () -- C:\WINDOWS\EPNX510.ini
[2009/02/19 07:15:38 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/19 07:15:38 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[1997/07/11 00:00:00 | 000,031,232 | ---- | C] () -- C:\WINDOWS\System32\XLREC.DLL
[1997/07/11 00:00:00 | 000,025,600 | ---- | C] () -- C:\WINDOWS\System32\RECNCL.DLL
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/07/11 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %ALLUSERSPROFILE%\Application Data\*. >
[2009/03/06 10:51:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2009/08/06 07:38:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/11/30 12:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/02/01 20:20:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/02/16 20:26:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2009/09/17 11:34:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2004/10/06 04:23:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse
[2009/02/17 21:09:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/02/28 23:36:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/29 08:38:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/12/29 08:10:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2010/02/01 18:40:21 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/10/23 13:58:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2009/02/17 22:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2004/10/23 20:35:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/02/17 05:38:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2004/10/27 07:14:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2007/01/10 19:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
[2007/12/16 19:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE

< %APPDATA%\*. >
[2010/02/28 23:04:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Identities
[2010/02/28 23:36:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Malwarebytes
[2010/03/01 00:58:43 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Microsoft
[2010/03/01 01:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\Mozilla
[2010/02/28 23:19:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DFC5123AF4\Application Data\U3

< %APPDATA%\*.exe /s >

< %systemroot%\*. /mp /s >


< MD5 for: AGP440.SYS >
[2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/02/17 05:54:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/02/17 05:54:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/02/17 05:54:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/02/17 05:54:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 04:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 04:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/04/25 07:28:14 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2005/05/17 14:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2005/05/17 14:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 04:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/02/16 09:48:27 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/02/16 09:48:27 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/02/16 09:48:27 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:331AD5E9
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1AD67EE4
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:55020C86
< End of report >


Extras.txt:

OTL Extras logfile created on: 3/2/2010 4:15:29 PM - Run 2
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Administrator.DFC5123AF4\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 322.00 Mb Available Physical Memory | 64.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 25.69 Gb Free Space | 68.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DFC5123AF4
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\ieframe.dll (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/1/2010 1:35:56 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/1/2010 1:36:34 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/5/2010 1:00:36 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/30/2010 3:08:48 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 1/30/2010 3:12:35 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 2/1/2010 1:02:41 PM | Computer Name = DFC5123AF4 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 3/1/2010 3:06:02 AM | Computer Name = DFC5123AF4 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2550, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 3/1/2010 3:06:02 AM | Computer Name = DFC5123AF4 | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 3/1/2010 3:06:05 AM | Computer Name = DFC5123AF4 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2550, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 3/1/2010 4:36:34 AM | Computer Name = DFC5123AF4 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16981, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/1/2010 1:11:50 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 1:19:26 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 3:58:50 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 6:59:16 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 8:38:50 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 10:11:18 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 10:29:04 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 2/1/2010 10:30:47 PM | Computer Name = DFC5123AF4 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd


< End of report >

Edited by heir, 03 March 2010 - 12:24 AM.
Removed 2 copies of OTL.txt

[heir]

Strange that Extras.txt only lists MBAM in the uninstall list.

Is Antivirus Soft Platinum listed in add/remove programs in the control panel?

Could you please find this file and post its content.

C:\Qoobox\Add-Remove Programs.txt

Edited by heir, 03 March 2010 - 01:02 AM.
added question

[Linda50]

This is very strange. The only thing in add/remove programs is MBAM. The file you asked me to find is empty. Its size is 0KB. There are programs installed on the computer. Some of them work. There's an old copy of Microsoft Word, Firefox, all the Adobe free stuff, AVG, Adaware, ... I found them in C:\program files and started a couple of them. Running in Task Manager are OSA.EXE, msmsgs.exe, iexplore.exe, spoolsv.exe, explorer.exe, svchost.exe, alg.exe, 4 more svchost.exe, lsass.exe, services.exe, winlogon.exe, csrss.exe, smss.exe, taskmgr.exe, System, and System Idle Process. Yesterday when I tried to use Task Manager to end something, it hung. The computer also takes a very long time to shut down.

[heir]

Looks as the part of the registry that holds the information for add/remove programs in the control panel has been damaged.
And as there i s no backup of it...
Can you access th installed programs from the start menu?


Let's remove the fake AV and do an Online Scan.

Step 1.
OTL-fix:

Run OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  [2010/02/02 14:06:32 | 000,000,000 | ---D | C] -- C:\Program Files\Antivirus Soft Platinum
  [2010/02/02 14:06:32 | 000,000,000 | ---D | C] -- C:\avlog
  [2010/02/02 14:09:23 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Antivirus Soft Platinum.lnk
  :Reg
  [-HKEY_CURRENT_USER\Software\avsoft]
  [-HKEY_LOCAL_MACHINE\Software\avsoft]
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [start explorer]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then post the OTL fixlog

Step 2.
JavarRa:

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Step 3.
Kaspersky Online Scan:

Please do an online scan with Kaspersky Online Scanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure the following is checked.
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

Step 4.
Things I would like to see in your reply:

• The content of the fixlog from OTL in step 1.
• The content of the report from Kaspersky in step 3.