hijack wont start, spybot won't install.. i'm in big trouble, don't i?

[brucealutus]

I got a couple of "friends" in my wonderings. I eliminated a couple with the little PC doctor (some rootkits). Regular antivirus scans don't show anything (online with kaspersky and trend micro). Now i tried installing spybot. I download the exe file but it doesn't connect to the server.

Following instructions in another tread i installed ERUNT and HIJACK this.. But now HIJACK this won't start.. Any advice? (i mean other that the gross "format dude" )

Bruce

 

[peku006]

Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

• I f you don't know or understand something please don't hesitate to ask
• Please DO NOT run any other tools or scans whilst I am helping you.
• It is important that you reply to this thread. Do not start a new topic.
• Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
• Absence of symptoms does not mean that everything is clear.

Step 1

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop.

Step 2

Please download gmer.zip from Gmer and save it to your desktop.

1. Right click on gmer.zip and select Extract All....
2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
3. Click on the Browse button. Click on Desktop. Then click OK.
4. Click Next. It will start extracting.
5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

• When done, you may receive another notice. Click OK.
• Click on Save ... to save a log.
• Copy and paste in Gmer.txt and click Save.
• Close Gmer.

If you receive no notice, click on the Scan button.

• It will start scanning again.
• When done, click on Save ... to save a log.
• Copy and paste in Gmer.txt and click Save.
• Close Gmer.

Note: Do not run any programs while Gmer is running.

In your next reply, please post:

1. DDS.txt
2. Attach.txt
3. Gmer.txt

Thanks peku006

 

[brucealutus]

can't connect to security servers

i got a couple of nasty rootkits; i believe now i eliminated most of them, after I used hostsman and renamed the exe files for a couple of antimalware programs. i did run a couple of scans now and everythings seems clean, except for one thing:

i still can't connect to any security website. for instance i can download the spybot installation file but then it doesn't log to the server during the installation so I can't install it. same with trend micro, bitdefender etc.

I attached the hijack notepad. I really appreciate any advice.

Thanks,
Bruce

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:56 AM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-643 Xtreme N ExpressCard Notebook Adapter\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WebUpdateSvc4.exe
C:\WINDOWS\TEMP\KB909D.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackRenamed.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\bcmwltry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKCU\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://reutersus.webex.com/client/T26L/training/ieatgpc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-643 Xtreme N ExpressCard Notebook Adapter\acs.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager dmserverNtmsSvc (dmserverNtmsSvc) - Unknown owner - C:\WINDOWS\system32\alrsvcq.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Web Update Wizard Service V4 by PowerProgrammer (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8250 bytes

 

[peku006]

Hi Bruce

1 - Download and Run Malwarebytes' Anti-Malware

1. Please download Malwarebytes' Anti-Malware and save it to a convenient location.
2. Double click on mbam-setup.exe to install it.
3. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
   • Update Malwarebytes' Anti-Malware
     Launch Malwarebytes' Anti-Malware
4. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
5. Select the Scanner tab. Click on Perform full scan, then click on Scan.
6. Leave the default options as it is and click on Start Scan.
7. When done, you will be prompted. Click OK, then click on Show Results.
8. Checked (ticked) all items except items in the System Volume Information folder and click on Remove Selected.
   
   
   
   
   
9. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

2 - download and run RSIT

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

3 - Status Check
Please reply with

1.the logs from RSIT (log.txt ,info.txt)
2. the Malwarebytes' Anti-Malware Log

Thanks peku006

 

[brucealutus]

Hi peku

Thanks for helping me.

1.I already installed Malwarebytes. However it won't update. I don't have access to a mirror, under the Update tab it is only one button: "Check for Updates". I clicked it and it doesn't connect. I renamed the exe file and scanned with it, but it won't find any problem. Same with Superantispyware.

I did also run a scan with Superantispyware in Safe Mode. Clean again.
I also run a scan from an external drive with ClamWinPortable. Clean again.

Shall i rescan and attache Malwarebytes logs (un-updated)?

2.Do you still need me to run DDS and GMER (sorry, i didn't see your post last night, before i posted the Hijack log).

3.Please see attached the RSIT files.

Thank you for your help. Now that I saw your reply i will follow your new indications step by step.

 

[brucealutus]

oops

hi again peku,

i did run one more scan with the un-updated malwarebytes after my post. to my surprise.. it found a bunch of staff. yesterday i did run superspyware and it was clean. trojan downloader maybe?

after cleaning still can't log to spybot server.

anyway, please see attached the malwarebytes log and the rsit log, after cleaning with malwarebytes.

thanks,
Bruce

 

[peku006]

Hi Bruce

looks good........

All logs should be copy/pasted into topic and not attached......

1 - Clean temp files

• Download and Run ATF Cleaner
  Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.
  
  Under Main choose:
  • 
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
  if you use Firefox:
  • 
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
  if you use Opera:
  • 
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
  
  Click Exit on the Main menu to close the program

2 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   • Spyware, Adware, Dialers, and other potentially dangerous programs
     Archives
     Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log

Thanks peku006

 

[brucealutus]

hi

Hi peku,

I cleaned with ATF, then scanned with Kaspersky, then run the rsit hijack. Kaspersky didn't find anything, but still Spybot won't connect to the server. Please see below the logs.

Thanks,
Bruce

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, May 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 26, 2009 17:16:36
Records in database: 2251937
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 60993
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:44:42

No malware has been detected. The scan area is clean.

The selected area was scanned.




*******************************************
*******************************************
*******************************************

Logfile of random's system information tool 1.06 (written by random/random)
Run by Sorin at 2009-05-26 15:06:53
Microsoft Windows XP Professional Service Pack 3
System drive C: has 5 GB (13%) free of 38 GB
Total RAM: 2039 MB (65% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{A08EB93D-5AC4-46BB-A03E-C1E654899581}.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{CC261B67-F22A-41AD-AF8F-D97758EAE6AA}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-08-12 1437696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-04 652784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-07 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-07 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-07 148888]
"OfficeScanNT Monitor"=C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [2009-05-15 718120]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-06-06 118784]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-06-06 77824]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2006-06-06 94208]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2006-11-01 1392640]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-02-01 1103240]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Yahoo! Pager"=C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-12 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe [2008-08-12 21741864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-07 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysldtray]
C:\windows\ld08.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Connection Manager.lnk]
C:\PROGRA~1\D-Link\D-LINK~1\WIRELE~1.EXE [2006-12-06 13357056]

C:\Documents and Settings\Sorin\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-06-06 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
WgaLogon.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\Program Files\SAS\SAS 9.1\sas.exe"="C:\Program Files\SAS\SAS 9.1\sas.exe:*:Enabled:SAS 9.1 for Windows"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\Program Files\FiSTiNG4FUN\Commview for Wifi\CommViewWiFi\WEPdecoder.exe"="C:\Program Files\FiSTiNG4FUN\Commview for Wifi\CommViewWiFi\WEPdecoder.exe:*:Enabled:WEP key recovery"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32384982-8f10-11dd-8c7c-001422aa1205}]
shell\AutoRun\command - E:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{624ecfa7-4ae5-11dd-8bd2-948bd94157b5}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-05-25 16:20:49 ----D---- C:\Documents and Settings\Sorin\Application Data\Move Networks
2009-05-24 11:46:54 ----DC---- C:\rsit
2009-05-22 23:11:15 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-22 23:11:04 ----D---- C:\Program Files\SUPERAntiSpyware
2009-05-22 23:11:04 ----D---- C:\Documents and Settings\Sorin\Application Data\SUPERAntiSpyware.com
2009-05-22 22:51:56 ----D---- C:\Documents and Settings\Sorin\Application Data\abelhadigital.com
2009-05-22 22:51:56 ----D---- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
2009-05-22 22:51:30 ----D---- C:\Program Files\HostsMan
2009-05-22 19:23:44 ----D---- C:\WINDOWS\ERDNT
2009-05-22 19:23:01 ----D---- C:\Program Files\ERUNT
2009-05-22 01:28:02 ----D---- C:\WINDOWS\Minidump
2009-05-21 19:31:45 ----RSH---- C:\WINDOWS\system32\alrsvcq.exe
2009-05-11 18:56:15 ----SHD---- C:\WINDOWS\CSC
2009-05-11 18:40:27 ----D---- C:\Documents and Settings\Sorin\Application Data\Malwarebytes
2009-05-11 18:40:17 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-11 18:40:17 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-11 18:29:04 ----DC---- C:\malware
2009-05-11 18:00:20 ----DC---- C:\sasreg
2009-05-11 17:25:43 ----D---- C:\Documents and Settings\All Users\Application Data\SAS
2009-05-11 17:09:45 ----N---- C:\WINDOWS\system32\oc30.dll
2009-05-11 17:09:43 ----N---- C:\WINDOWS\system32\sasperf.dll
2009-05-11 16:58:02 ----D---- C:\Program Files\SAS
2009-05-06 03:05:43 ----D---- C:\WINDOWS\system32\KB905474

======List of files/folders modified in the last 1 months======

2009-05-26 15:06:55 ----D---- C:\WINDOWS\Prefetch
2009-05-26 14:20:45 ----A---- C:\WINDOWS\cfgall.ini
2009-05-26 11:49:55 ----D---- C:\Program Files\Spyware Doctor
2009-05-26 11:49:44 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-05-26 11:49:42 ----D---- C:\WINDOWS\Temp
2009-05-26 11:46:20 ----D---- C:\Program Files\Mozilla Firefox
2009-05-26 11:35:19 ----D---- C:\WINDOWS
2009-05-26 11:33:29 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-26 11:24:03 ----AD---- C:\WINDOWS\system32
2009-05-26 02:07:03 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-25 21:17:44 ----SD---- C:\WINDOWS\Tasks
2009-05-25 21:16:08 ----SHD---- C:\WINDOWS\Installer
2009-05-25 21:13:44 ----D---- C:\Documents and Settings
2009-05-25 01:23:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-25 01:23:51 ----D---- C:\WINDOWS\system32\drivers
2009-05-25 01:21:28 ----D---- C:\WINDOWS\Debug
2009-05-24 12:35:12 ----D---- C:\Documents and Settings\Sorin\Application Data\U3
2009-05-24 00:31:05 ----HD---- C:\WINDOWS\inf
2009-05-24 00:08:04 ----D---- C:\Program Files\CCleaner
2009-05-23 19:46:31 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-23 19:46:31 ----D---- C:\WINDOWS\BDOSCAN8
2009-05-23 19:16:07 ----AHC---- C:\boot.ini
2009-05-23 19:16:07 ----A---- C:\WINDOWS\win.ini
2009-05-23 19:16:07 ----A---- C:\WINDOWS\system.ini
2009-05-22 23:11:04 ----RD---- C:\Program Files
2009-05-22 23:09:01 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-05-22 19:19:03 ----D---- C:\Program Files\Trend Micro
2009-05-21 17:22:10 ----AC---- C:\tmuninst.ini
2009-05-20 17:07:17 ----A---- C:\WINDOWS\pdf2word.INI
2009-05-13 20:53:53 ----D---- C:\Documents and Settings\Sorin\Application Data\Skype
2009-05-13 16:03:44 ----D---- C:\Documents and Settings\Sorin\Application Data\skypePM
2009-05-12 18:27:52 ----D---- C:\WINDOWS\pss
2009-05-11 19:17:47 ----SD---- C:\Documents and Settings\Sorin\Application Data\Microsoft
2009-05-11 19:14:59 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-05-11 19:14:57 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-11 19:03:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-11 18:07:14 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-07 03:16:29 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2009-03-20 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2009-03-20 24336]
R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2007-12-10 66952]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2007-12-10 81288]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2009-05-15 76688]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys []
R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys []
R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys []
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2006-10-12 604928]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2005-08-05 45312]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys [2005-12-01 936960]
R3 HSXHWAZL;HSXHWAZL; C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys [2005-12-01 192512]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-06-06 1168860]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-01 669696]
R3 WSIMD;wsimd Service; C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-10-31 55840]
S3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5416.sys [2007-12-24 1313536]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2003-05-01 5220]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 pgfilter;pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACS;Atheros Configuration Service; C:\Program Files\D-Link\D-Link DWA-643 Xtreme N ExpressCard Notebook Adapter\acs.exe [2006-11-03 360532]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-07 152984]
R2 ntrtscan;OfficeScanNT RealTime Scan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [2009-05-15 963880]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe [2005-04-29 69632]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-02-01 948616]
R2 tmlisten;OfficeScan NT Listener; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [2009-05-15 996648]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer; C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-04-04 229856]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2006-11-01 20480]
S2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\Firewall\cmdagent.exe [2009-03-20 700152]
S2 dmserverNtmsSvc;Logical Disk Manager dmserverNtmsSvc; C:\WINDOWS\system32\alrsvcq.exe [2009-05-21 50688]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 TmProxy;OfficeScan NT Proxy Service; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [2008-08-07 652552]
S4 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-30 183280]

-----------------EOF-----------------

 

[peku006]

Hi Bruce

I'm afraid I have unpleasant news for you. There is evidence of several infections on your computer. One or more is a Password Stealer. It allows outsiders to monitor your Internet activity and private information. It then sends the stolen data to a hacker site.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

• Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
• If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being: Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
• DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
• Take any other steps you think appropriate for an attempted identity theft.

I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection

Please read this for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

 

[brucealutus]

thanks peku. importantly now:what do I have to do to clean? can I clean or I have to format?

Bruce

 

[peku006]

Hi Bruce

your choice......We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

 

[brucealutus]

shall we give cleanup a try? what do i have to do?

 

[peku006]

Hi Bruce
we can start with this

Please download OTScanIt2 from Geeks to Go by OldTimer. Alternate download site.
Save it to your desktop.

1. Double click on OTScanIt2.exe to run it.
2. Click on Extract. Once done, when prompted. Click OK and click Close.
   This is a self-extracting file...It will create a folder named OTScanIt2 on your desktop.
3. Double click on the OTScanIt2 folder to open... then double click on OTScanIt2.exe to run it.
4. Under Rookit Search, select Yes.
5. Click on Run Scan at the top left hand corner. It may take a few minutes...be patient, let it run.
6. When done, Notepad will open with the log file "OTScanIt.Txt" contents.

Please post the contents of the OTScanIt.Txt Notepad file in your next reply.

Thanks peku006

 

[brucealutus]

thanks peku, please see below OTSscanIt log:

OTScanIt2 logfile created on: 5/27/2009 12:51:08 PM - Run 1
OTScanIt2 by OldTimer - Version 1.0.14.0     Folder = C:\Documents and Settings\Sorin\Desktop\OTScanIt2
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.45 Gb Available Physical Memory | 72.87% Memory free
3.84 Gb Paging File | 3.33 Gb Available in Paging File | 86.72% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 4.57 Gb Free Space | 12.26% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: HOME-E60FFE2AE3
Current User Name: Sorin
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
 
[Processes - Safe List]
acs.exe -> %ProgramFiles%\D-Link\D-Link DWA-643 Xtreme N ExpressCard Notebook Adapter\acs.exe -> [2006/11/03 17:43:50 | 00,360,532 | ---- | M] (Atheros)
bcmwltry.exe -> %SystemRoot%\System32\bcmwltry.exe -> [2006/11/01 15:48:10 | 01,253,376 | ---- | M] (Dell Inc.)
cmdagent.exe -> %ProgramFiles%\COMODO\Firewall\cmdagent.exe -> [2009/03/20 11:34:46 | 00,700,152 | ---- | M] ()
cntaosmgr.exe -> %ProgramFiles%\Trend Micro\OfficeScan Client\CNTAoSMgr.exe -> [2008/08/07 07:51:10 | 00,435,576 | ---- | M] (Trend Micro Inc.)
explorer.exe -> %SystemRoot%\Explorer.EXE -> [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> [2009/04/28 12:40:20 | 00,307,704 | ---- | M] (Mozilla Corporation)
hkcmd.exe -> %SystemRoot%\system32\hkcmd.exe -> [2006/06/06 20:06:44 | 00,077,824 | ---- | M] (Intel Corporation)
hpzipm12.exe -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe -> [2005/04/29 20:44:06 | 00,069,632 | ---- | M] (HP)
igfxpers.exe -> %SystemRoot%\system32\igfxpers.exe -> [2006/06/06 20:10:40 | 00,118,784 | ---- | M] (Intel Corporation)
jqs.exe -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/04/07 21:04:43 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
jusched.exe -> %ProgramFiles%\Java\jre6\bin\jusched.exe -> [2009/04/07 21:04:43 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.)
ntrtscan.exe -> %ProgramFiles%\Trend Micro\OfficeScan Client\ntrtscan.exe -> [2009/05/15 07:23:20 | 00,963,880 | ---- | M] (Trend Micro Inc.)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/04/11 16:32:52 | 00,494,080 | ---- | M] (OldTimer Tools)
pccntmon.exe -> %ProgramFiles%\Trend Micro\OfficeScan Client\pccntmon.exe -> [2009/05/15 07:23:20 | 00,718,120 | ---- | M] (Trend Micro Inc.)
pctsauxs.exe -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> [2008/02/01 15:55:54 | 00,747,912 | ---- | M] (PC Tools)
pctssvc.exe -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> [2008/02/01 15:55:56 | 00,948,616 | ---- | M] (PC Tools)
pctstray.exe -> %ProgramFiles%\Spyware Doctor\pctsTray.exe -> [2008/02/01 15:55:56 | 01,103,240 | ---- | M] (PC Tools)
tmlisten.exe -> %ProgramFiles%\Trend Micro\OfficeScan Client\tmlisten.exe -> [2009/05/15 07:23:20 | 00,996,648 | ---- | M] (Trend Micro Inc.)
wcf731.exe -> %SystemRoot%\TEMP\WCF731.EXE -> [2009/05/15 07:23:22 | 00,296,224 | ---- | M] (Trend Micro Inc.)
wdfmgr.exe -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
webupdatesvc4.exe -> %SystemRoot%\system32\WebUpdateSvc4.exe -> [2007/04/04 10:27:34 | 00,229,856 | ---- | M] (Data Perceptions / PowerProgrammer)
wltray.exe -> %SystemRoot%\system32\WLTRAY.exe -> [2006/11/01 15:48:12 | 01,392,640 | ---- | M] (Dell Inc.)
wltrysvc.exe -> %SystemRoot%\System32\WLTRYSVC.EXE -> [2006/11/01 15:48:12 | 00,020,480 | ---- | M] ()
 
[Win32 Services - Safe List]
(ACS) Atheros Configuration Service [Win32_Own | Auto | Running] -> %ProgramFiles%\D-Link\D-Link DWA-643 Xtreme N ExpressCard Notebook Adapter\acs.exe -> [2006/11/03 17:43:50 | 00,360,532 | ---- | M] (Atheros)
(cmdAgent) COMODO Internet Security Helper Service [Win32_Own | Auto | Running] -> %ProgramFiles%\COMODO\Firewall\cmdagent.exe -> [2009/03/20 11:34:46 | 00,700,152 | ---- | M] ()
(dmserverNtmsSvc) Logical Disk Manager dmserverNtmsSvc [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\alrsvcq.exe -> [2009/05/21 19:31:44 | 00,050,688 | RHS- | M] ()
(gusvc) Google Software Updater [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2009/03/30 23:41:18 | 00,183,280 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation)
(JavaQuickStarterService) Java Quick Starter [Win32_Own | Auto | Running] -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/04/07 21:04:43 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
(ntrtscan) OfficeScanNT RealTime Scan [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\OfficeScan Client\ntrtscan.exe -> [2009/05/15 07:23:20 | 00,963,880 | ---- | M] (Trend Micro Inc.)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 15:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Running] -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe -> [2005/04/29 20:44:06 | 00,069,632 | ---- | M] (HP)
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> [2008/02/01 15:55:54 | 00,747,912 | ---- | M] (PC Tools)
(sdCoreService) PC Tools Security Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> [2008/02/01 15:55:56 | 00,948,616 | ---- | M] (PC Tools)
(tmlisten) OfficeScan NT Listener [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\OfficeScan Client\tmlisten.exe -> [2009/05/15 07:23:20 | 00,996,648 | ---- | M] (Trend Micro Inc.)
(TmProxy) OfficeScan NT Proxy Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Trend Micro\OfficeScan Client\TmProxy.exe -> [2008/08/07 07:51:04 | 00,652,552 | ---- | M] (Trend Micro Inc.)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wdfmgr.exe -> [2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
(WebUpdate4) Web Update Wizard Service V4 by PowerProgrammer [Win32_Own | Auto | Running] -> %SystemRoot%\system32\WebUpdateSvc4.exe -> [2007/04/04 10:27:34 | 00,229,856 | ---- | M] (Data Perceptions / PowerProgrammer)
(wltrysvc) Dell Wireless WLAN Tray Service [Win32_Own | Auto | Running] -> %SystemRoot%\System32\WLTRYSVC.EXE -> [2006/11/01 15:48:12 | 00,020,480 | ---- | M] ()
 
[Driver Services - Safe List]
(AR5416) Atheros AR5008 Wireless Network Adapter Service [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\ar5416.sys -> [2007/12/24 17:46:22 | 01,313,536 | ---- | M] (TamoSoft)
(BCM43XX) Dell Wireless WLAN Card Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\bcmwl5.sys -> [2006/10/12 18:28:42 | 00,604,928 | ---- | M] (Broadcom Corporation)
(bcm4sbxp) Broadcom 440x 10/100 Integrated Controller XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\bcm4sbxp.sys -> [2005/08/05 14:32:16 | 00,045,312 | ---- | M] (Broadcom Corporation)
(cmdGuard) COMODO Firewall Pro Sandbox Driver [File_System | System | Running] -> %SystemRoot%\System32\DRIVERS\cmdguard.sys -> [2009/03/20 11:35:27 | 00,110,992 | ---- | M] (COMODO)
(cmdHlp) COMODO Firewall Pro Helper Driver [Kernel | System | Running] -> %SystemRoot%\System32\DRIVERS\cmdhlp.sys -> [2009/03/20 11:37:34 | 00,024,336 | ---- | M] (COMODO)
(CVirtA) Cisco Systems VPN Adapter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\CVirtA.sys -> [2003/05/01 14:26:34 | 00,005,220 | ---- | M] (Cisco Systems, Inc.)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSX_DPV.sys -> [2005/12/01 04:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.)
(HSXHWAZL) HSXHWAZL [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSXHWAZL.sys -> [2005/12/01 04:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.)
(ialm) ialm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ialmnt5.sys -> [2006/06/06 20:32:54 | 01,168,860 | ---- | M] (Intel Corporation)
(IKFileSec) File Security Driver [File_System | Boot | Running] -> %SystemRoot%\system32\drivers\ikfilesec.sys -> [2008/02/01 15:55:52 | 00,042,376 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysFlt) System Filter Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\iksysflt.sys -> [2007/12/10 17:53:28 | 00,066,952 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysSec) System Security Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\iksyssec.sys -> [2007/12/10 17:53:28 | 00,081,288 | ---- | M] (PCTools Research Pty Ltd.)
(Inspect) COMODO Firewall Pro Firewall Driver [Kernel | Boot | Running] -> %SystemRoot%\System32\DRIVERS\inspect.sys -> [2009/03/20 11:37:33 | 00,080,400 | ---- | M] (COMODO)
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\mdmxsdk.sys -> [2005/10/05 02:57:08 | 00,012,544 | ---- | M] (Conexant)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2008/06/10 20:07:16 | 00,043,528 | ---- | M] (Sonic Solutions)
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASDIFSV.SYS -> [2009/05/14 14:22:00 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> [2009/05/14 14:22:02 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.sys -> [2009/05/14 14:22:00 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\sthda.sys -> [2007/05/10 13:24:34 | 01,222,840 | ---- | M] (SigmaTel, Inc.)
(tmcomm) tmcomm [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tmcomm.sys -> [2009/05/15 07:23:24 | 00,142,992 | ---- | M] (Trend Micro Inc.)
(TmFilter) Trend Micro Filter [Kernel | Auto | Running] -> %ProgramFiles%\Trend Micro\OfficeScan Client\TmXPFlt.sys -> [2009/03/27 19:16:26 | 00,225,296 | ---- | M] (Trend Micro Inc.)
(TmPreFilter) Trend Micro PreFilter [Kernel | Auto | Running] -> %ProgramFiles%\Trend Micro\OfficeScan Client\TmPreFlt.sys -> [2009/03/27 19:16:22 | 00,036,368 | ---- | M] (Trend Micro Inc.)
(tmtdi) Trend Micro TDI Driver [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\tmtdi.sys -> [2009/05/15 07:23:14 | 00,076,688 | ---- | M] (Trend Micro Inc.)
(usbaudio) USB Audio Driver (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\usbaudio.sys -> [2008/04/13 15:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation)
(VSApiNt) Trend Micro VSAPI NT [Kernel | Auto | Running] -> %ProgramFiles%\Trend Micro\OfficeScan Client\VSApiNt.sys -> [2009/03/27 18:56:52 | 01,220,088 | ---- | M] (Trend Micro Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HSX_CNXT.sys -> [2005/12/01 04:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.)
(WSIMD) wsimd Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\wsimd.sys -> [2006/10/31 19:29:16 | 00,055,840 | ---- | M] (Atheros Communications, Inc.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type. -> 
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Default_Page_URL" -> http://www.yahoo.com/?fr=fp-yie8 -> 
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\"SearchDefaultBranded" -> Reg Error: Invalid data type. -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://mail.yahoo.com/ -> 
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Sorin\Application Data\Mozilla\FireFox\Profiles\y0yyjjoj.default\prefs.js -> 
browser.startup.homepage -> "https://login.yahoo.com/config/mail?.intl=us" ->
extensions.enabledItems -> jqs@sun.com:1.0 ->
extensions.enabledItems -> moveplayer@movenetworks.com:1.0.0.071303000006 ->
extensions.enabledItems -> {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10 ->
< FireFox Settings [User.js] > -> C:\Documents and Settings\Sorin\Application Data\Mozilla\FireFox\Profiles\y0yyjjoj.default\user.js -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\extensions ->  -> 
HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com -> %ProgramFiles%\JAVA\JRE6\LIB\DEPLOY\JQS\FF [C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2009/04/07 21:04:45 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/05/10 03:33:06 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/04/28 12:40:26 | 00,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
 -> C:\Documents and Settings\Sorin\Application Data\mozilla\Extensions -> [2009/04/22 14:04:38 | 00,000,000 | ---D | M]
 -> C:\Documents and Settings\Sorin\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} -> [2009/04/22 14:04:38 | 00,000,000 | ---D | M]
 -> C:\Documents and Settings\Sorin\Application Data\mozilla\Firefox\Profiles\y0yyjjoj.default\extensions -> [2009/05/25 16:20:20 | 00,096,823 | ---- | M] ()
 -> C:\Documents and Settings\Sorin\Application Data\mozilla\Firefox\Profiles\y0yyjjoj.default\extensions\moveplayer@movenetworks.com -> [2009/05/25 16:20:20 | 00,096,823 | ---- | M] ()
< FireFox Extensions [Program Folders] > -> 
 -> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions -> [2009/04/28 12:40:24 | 09,756,664 | ---- | M] (Mozilla Foundation)
 -> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} -> [2009/04/28 12:40:24 | 09,756,664 | ---- | M] (Mozilla Foundation)
< FireFox Components [Program Folders] > -> 
C:\PROGRAM FILES\MOZILLA FIREFOX\components\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\components -> [2009/05/10 03:33:06 | 00,000,000 | ---D | M]
browserdirprovider.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\browserdirprovider.dll -> [2009/04/28 12:40:20 | 00,023,032 | ---- | M] (Mozilla Foundation)
brwsrcmp.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\brwsrcmp.dll -> [2009/04/28 12:40:20 | 00,134,648 | ---- | M] (Mozilla Foundation)
< FireFox Plugins [Program Folders] > -> 
C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins -> [2009/04/28 12:40:26 | 00,000,000 | ---D | M]
npnul32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npnul32.dll -> [2009/04/28 12:40:22 | 00,065,528 | ---- | M] (mozilla.org)
< FireFox SearchPlugins [Program Folders] > -> 
C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins -> [2009/04/22 14:04:29 | 00,000,000 | ---D | M]
amazondotcom.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\amazondotcom.xml -> [2009/04/09 01:51:14 | 00,001,394 | ---- | M] ()
answers.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\answers.xml -> [2009/04/09 01:51:14 | 00,002,193 | ---- | M] ()
creativecommons.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\creativecommons.xml -> [2009/04/09 01:51:14 | 00,001,534 | ---- | M] ()
eBay.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\eBay.xml -> [2009/04/09 01:51:14 | 00,002,343 | ---- | M] ()
google.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\google.xml -> [2009/04/09 01:51:14 | 00,001,706 | ---- | M] ()
wikipedia.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\wikipedia.xml -> [2009/04/09 01:51:14 | 00,001,178 | ---- | M] ()
yahoo.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\yahoo.xml -> [2009/04/09 01:51:14 | 00,000,792 | ---- | M] ()
< HOSTS File > (687 bytes and 19 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
Reset Hosts
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/10/23 02:08:42 | 00,062,080 | ---- | M] (Adobe Systems Incorporated)
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} [HKLM] -> %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [Skype add-on (mastermind)] -> [2008/08/12 17:13:00 | 01,437,696 | ---- | M] (Skype Technologies S.A.)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [Google Toolbar Notifier BHO] -> [2008/10/04 00:24:34 | 00,652,784 | ---- | M] (Google Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> %ProgramFiles%\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2009/04/07 21:04:43 | 00,035,840 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> %ProgramFiles%\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2009/04/07 21:04:45 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"Broadcom Wireless Manager UI" -> %SystemRoot%\system32\WLTRAY.exe [C:\WINDOWS\system32\WLTRAY.exe] -> [2006/11/01 15:48:12 | 01,392,640 | ---- | M] (Dell Inc.)
"igfxhkcmd" -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\system32\hkcmd.exe] -> [2006/06/06 20:06:44 | 00,077,824 | ---- | M] (Intel Corporation)
"igfxpers" -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\system32\igfxpers.exe] -> [2006/06/06 20:10:40 | 00,118,784 | ---- | M] (Intel Corporation)
"igfxtray" -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\system32\igfxtray.exe] -> [2006/06/06 20:09:58 | 00,094,208 | ---- | M] (Intel Corporation)
"ISTray" -> %ProgramFiles%\Spyware Doctor\pctsTray.exe ["C:\Program Files\Spyware Doctor\pctsTray.exe"] -> [2008/02/01 15:55:56 | 01,103,240 | ---- | M] (PC Tools)
"OfficeScanNT Monitor" -> %ProgramFiles%\Trend Micro\OfficeScan Client\pccntmon.exe ["C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow] -> [2009/05/15 07:23:20 | 00,718,120 | ---- | M] (Trend Micro Inc.)
"SigmatelSysTrayApp" -> %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe [%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe] -> [2007/05/10 13:22:32 | 00,405,504 | ---- | M] (SigmaTel, Inc.)
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> [2009/04/07 21:04:43 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.)
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx -> 
"Flags" -> Reg Error: Invalid data type. [Reg Error: Invalid data type.] -> File not found
"Title" ->  [UnHackMe Rootkit Check] -> File not found
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"Yahoo! Pager" -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe ["C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet] -> [2007/08/30 20:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< Sorin Startup Folder > -> C:\Documents and Settings\Sorin\Start Menu\Programs\Startup -> 
%UserProfile%\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> %ProgramFiles%\ERUNT\AUTOBACK.EXE -> [2005/10/20 12:04:08 | 00,038,912 | ---- | M] ()
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"DisableRegistryTools" ->  [0] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2007/05/31 16:41:06 | 10,352,472 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{77BF5300-1474-4EC7-9980-D32B190E9B07}:{77BF5300-1474-4EC7-9980-D32B190E9B07} [HKLM] -> %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [Button: Skype] -> [2008/08/12 17:13:00 | 01,437,696 | ---- | M] (Skype Technologies S.A.)
{85d1f590-48f4-11d9-9669-0800200c9a66}:Exec [HKLM] -> %SystemRoot%\bdoscandel.exe [Menu: Uninstall BitDefender Online Scanner v8] -> [2008/01/09 15:01:48 | 00,053,248 | ---- | M] ()
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2007/04/19 17:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5191 domain(s) found. -> 
49 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5190 domain(s) found. -> 
48 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{215B8138-A3CF-44C5-803F-8226143CFC0A} [HKLM] -> http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab [Trend Micro ActiveX Scan Agent 6.6] -> 
{31435657-9980-0010-8000-00AA00389B71} [HKLM] -> http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab [Reg Error: Key error.] -> 
{41564D57-9980-0010-8000-00AA00389B71} [HKLM] -> http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab [Reg Error: Key error.] -> 
{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} [HKLM] -> http://www.eset.eu/buxus/docs/OnlineScanner.cab [OnlineScanner Control] -> 
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} [HKLM] -> http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab [BDSCANONLINE Control] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab [Java Plug-in 1.6.0_13] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab [Reg Error: Key error.] -> 
{BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} [HKLM] -> http://ax.emsisoft.com/asquared.cab [a-squared Scanner] -> 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] -> 
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab [Java Plug-in 1.6.0_13] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab [Java Plug-in 1.6.0_13] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] -> https://reutersus.webex.com/client/T26L/training/ieatgpc.cab [GpcContainer Class] -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{BF81DFE8-1F24-4D62-B5D9-3B45022D13D9} ->    (Dell Wireless 1370 WLAN Mini-PCI Card) -> 
{CDA56691-2BE2-43C3-B9A7-417424E2483F} ->    (Broadcom 440x 10/100 Integrated Controller) -> 
{DEF3C572-456F-4F4F-AD03-22E52D50D0F1} ->    ([CommView] D-Link DWA-643 Xtreme N Notebook ExpressCard Adapter) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> [2008/12/22 12:05:34 | 00,356,352 | ---- | M] (SUPERAntiSpyware.com)
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> [2006/06/06 20:05:50 | 00,139,264 | ---- | M] (Intel Corporation)
WgaLogon ->  -> File not found
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> [2008/05/13 10:13:36 | 00,077,824 | ---- | M] (SuperAdBlocker.com)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\FiSTiNG4FUN\Commview for Wifi\CommViewWiFi\WEPdecoder.exe" -> C:\Program Files\FiSTiNG4FUN\Commview for Wifi\CommViewWiFi\WEPdecoder.exe [C:\Program Files\FiSTiNG4FUN\Commview for Wifi\CommViewWiFi\WEPdecoder.exe:*:Enabled:WEP key recovery] -> [2008/06/20 20:19:56 | 00,495,616 | ---- | M] (TamoSoft)
"C:\Program Files\SAS\SAS 9.1\sas.exe" -> C:\Program Files\SAS\SAS 9.1\sas.exe [C:\Program Files\SAS\SAS 9.1\sas.exe:*:Enabled:SAS 9.1 for Windows] -> [2006/01/25 21:42:42 | 00,072,064 | ---- | M] ()
"C:\Program Files\Skype\Phone\Skype.exe" -> C:\Program Files\Skype\Phone\Skype.exe [C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype] -> [2008/08/12 17:13:00 | 21,741,864 | R--- | M] (Skype Technologies S.A.)
"C:\Program Files\SopCast\adv\SopAdver.exe" -> C:\Program Files\SopCast\adv\SopAdver.exe [C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver] -> [2007/03/07 06:27:12 | 00,567,384 | ---- | M] (www.sopcast.com)
"C:\Program Files\SopCast\SopCast.exe" -> C:\Program Files\SopCast\SopCast.exe [C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application] -> [2007/11/26 03:34:38 | 01,888,256 | ---- | M] (www.sopcast.com)
"C:\Program Files\Vuze\Azureus.exe" -> C:\Program Files\Vuze\Azureus.exe [C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus] -> [2007/12/03 23:28:42 | 00,254,976 | ---- | M] (Azureus Inc)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -> C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger] -> [2007/08/30 20:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" -> C:\Program Files\Yahoo!\Messenger\YServer.exe [C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server] -> [2007/08/30 20:43:18 | 00,091,376 | ---- | M] (Yahoo! Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
"AlternateShell" -> cmd.exe -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2008/04/13 14:40:46 | 00,062,976 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2008/07/05 18:47:39 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
\E
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell
\E\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun
\E\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun\command
\E\Shell\AutoRun\command\\"" -> E:\LaunchU3.exe [E:\LaunchU3.exe -a] -> File not found
\{32384982-8f10-11dd-8c7c-001422aa1205}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32384982-8f10-11dd-8c7c-001422aa1205}\Shell\AutoRun\command
\{32384982-8f10-11dd-8c7c-001422aa1205}\Shell\AutoRun\command\\"" -> E:\WD_Windows_Tools\Setup.exe [E:\WD_Windows_Tools\Setup.exe] -> File not found
\{624ecfa7-4ae5-11dd-8bd2-948bd94157b5}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{624ecfa7-4ae5-11dd-8bd2-948bd94157b5}\Shell
\{624ecfa7-4ae5-11dd-8bd2-948bd94157b5}\Shell\\"" ->  [AutoRun] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{624ecfa7-4ae5-11dd-8bd2-948bd94157b5}\Shell\AutoRun
\{624ecfa7-4ae5-11dd-8bd2-948bd94157b5}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{624ecfa7-4ae5-11dd-8bd2-948bd94157b5}\Shell\AutoRun\command
\{624ecfa7-4ae5-11dd-8bd2-948bd94157b5}\Shell\AutoRun\command\\"" -> E:\LaunchU3.exe [E:\LaunchU3.exe -a] -> File not found
 
 
[Files/Folders - Created Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/05/27 12:48:31 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/05/27 12:47:51 | 00,665,196 | ---- | C] ()
User_Feed_Synchronization-{CC261B67-F22A-41AD-AF8F-D97758EAE6AA}.job -> %SystemRoot%\tasks\User_Feed_Synchronization-{CC261B67-F22A-41AD-AF8F-D97758EAE6AA}.job -> [2009/05/25 21:17:44 | 00,000,426 | -H-- | C] ()
Move Networks -> %AppData%\Move Networks -> [2009/05/25 16:20:49 | 00,000,000 | ---D | C]
a99bbca1.sys -> %SystemRoot%\System32\drivers\a99bbca1.sys -> [2009/05/25 01:23:51 | 00,097,216 | ---- | C] ()
cc_20090525_012230.reg -> %UserProfile%\My Documents\cc_20090525_012230.reg -> [2009/05/25 01:22:32 | 00,009,362 | ---- | C] ()
Recent -> %UserProfile%\Recent -> [2009/05/25 01:21:52 | 00,000,000 | RH-D | C]
rsit -> %SystemDrive%\rsit -> [2009/05/24 11:46:54 | 00,000,000 | ---D | C]
RSIT.exe -> %UserProfile%\Desktop\RSIT.exe -> [2009/05/24 11:46:20 | 00,781,909 | ---- | C] ()
spybot.exe -> %UserProfile%\Desktop\spybot.exe -> [2009/05/24 00:16:20 | 16,409,960 | ---- | C] (Safer Networking Limited                                    )
cc_20090524_001020.reg -> %UserProfile%\My Documents\cc_20090524_001020.reg -> [2009/05/24 00:10:26 | 00,078,748 | ---- | C] ()
SUPERAntiSpyware.com -> %AllUsersProfile%\Application Data\SUPERAntiSpyware.com -> [2009/05/22 23:11:15 | 00,000,000 | ---D | C]
SUPERAntiSpyware.com -> %AppData%\SUPERAntiSpyware.com -> [2009/05/22 23:11:04 | 00,000,000 | ---D | C]
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware -> [2009/05/22 23:11:04 | 00,000,000 | ---D | C]
HostsMan Backups -> %AllUsersProfile%\Documents\HostsMan Backups -> [2009/05/22 22:51:57 | 00,000,000 | ---D | C]
abelhadigital.com -> %AppData%\abelhadigital.com -> [2009/05/22 22:51:56 | 00,000,000 | ---D | C]
abelhadigital.com -> %AllUsersProfile%\Application Data\abelhadigital.com -> [2009/05/22 22:51:56 | 00,000,000 | ---D | C]
HostsMan -> %ProgramFiles%\HostsMan -> [2009/05/22 22:51:30 | 00,000,000 | ---D | C]
ERDNT -> %SystemRoot%\ERDNT -> [2009/05/22 19:23:44 | 00,000,000 | ---D | C]
ERUNT AutoBackup.lnk -> %UserProfile%\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2009/05/22 19:23:21 | 00,000,767 | ---- | C] ()
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/05/22 19:23:02 | 00,000,611 | ---- | C] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/05/22 19:23:02 | 00,000,592 | ---- | C] ()
ERUNT -> %ProgramFiles%\ERUNT -> [2009/05/22 19:23:01 | 00,000,000 | ---D | C]
Minidump -> %SystemRoot%\Minidump -> [2009/05/22 01:28:02 | 00,000,000 | ---D | C]
4038024988.dat -> %SystemRoot%\System32\4038024988.dat -> [2009/05/21 19:31:56 | 00,000,100 | --S- | C] ()
_id.dat -> %SystemRoot%\System32\_id.dat -> [2009/05/21 19:31:56 | 00,000,000 | ---- | C] ()
alrsvcq.exe -> %SystemRoot%\System32\alrsvcq.exe -> [2009/05/21 19:31:45 | 00,050,688 | RHS- | C] ()
tmcomm.sys -> %SystemRoot%\System32\drivers\tmcomm.sys -> [2009/05/16 10:39:26 | 00,142,992 | ---- | C] (Trend Micro Inc.)
.housecall6.6 -> %UserProfile%\.housecall6.6 -> [2009/05/15 17:23:45 | 00,000,000 | ---D | C]
CSC -> %SystemRoot%\CSC -> [2009/05/11 18:56:15 | 00,000,000 | -HSD | C]
Malwarebytes -> %AppData%\Malwarebytes -> [2009/05/11 18:40:27 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/05/11 18:40:22 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/05/11 18:40:19 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> %ProgramFiles%\Malwarebytes' Anti-Malware -> [2009/05/11 18:40:17 | 00,000,000 | ---D | C]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/05/11 18:40:17 | 00,000,000 | ---D | C]
malware -> %SystemDrive%\malware -> [2009/05/11 18:29:04 | 00,000,000 | ---D | C]
sasreg -> %SystemDrive%\sasreg -> [2009/05/11 18:00:20 | 00,000,000 | ---D | C]
SAS -> %AllUsersProfile%\Application Data\SAS -> [2009/05/11 17:25:43 | 00,000,000 | ---D | C]
oc30.dll -> %SystemRoot%\System32\oc30.dll -> [2009/05/11 17:09:45 | 00,638,464 | ---- | C] (Microsoft Corporation)
sasperf.dll -> %SystemRoot%\System32\sasperf.dll -> [2009/05/11 17:09:43 | 00,013,600 | ---- | C] ()
SAS Configuration Information -> %UserProfile%\My Documents\SAS Configuration Information -> [2009/05/11 17:03:19 | 00,000,000 | ---D | C]
SAS -> %ProgramFiles%\SAS -> [2009/05/11 16:58:02 | 00,000,000 | ---D | C]
Paper on CSR honors college.doc -> %UserProfile%\Desktop\Paper on CSR honors college.doc -> [2009/05/06 14:18:57 | 00,326,144 | ---- | C] ()
KB905474 -> %SystemRoot%\System32\KB905474 -> [2009/05/06 03:05:43 | 00,000,000 | ---D | C]
cfgrt_ex.ini -> %SystemRoot%\cfgrt_ex.ini -> [2009/04/08 13:35:10 | 00,008,002 | ---- | C] ()
WgaTray.dll -> %SystemRoot%\System32\WgaTray.dll -> [2009/04/04 23:54:26 | 00,000,000 | ---- | C] ()
wuw.INI -> %SystemRoot%\wuw.INI -> [2008/12/29 19:50:12 | 00,000,076 | ---- | C] ()
CSGina.dll -> %SystemRoot%\System32\CSGina.dll -> [2008/11/04 12:01:17 | 00,143,384 | ---- | C] ()
guard32.dll -> %SystemRoot%\System32\guard32.dll -> [2008/10/19 03:36:50 | 00,155,384 | ---- | C] ()
qt-dx331.dll -> %SystemRoot%\System32\qt-dx331.dll -> [2008/09/19 17:57:34 | 03,596,288 | ---- | C] ()
dtu100.dll.manifest -> %SystemRoot%\System32\dtu100.dll.manifest -> [2008/09/19 17:55:10 | 00,000,416 | ---- | C] ()
dpl100.dll.manifest -> %SystemRoot%\System32\dpl100.dll.manifest -> [2008/09/19 17:55:10 | 00,000,416 | ---- | C] ()
DivXWMPExtType.dll -> %SystemRoot%\System32\DivXWMPExtType.dll -> [2008/09/19 17:54:18 | 00,012,288 | ---- | C] ()
unrar.dll -> %SystemRoot%\System32\unrar.dll -> [2008/09/01 00:55:54 | 00,164,352 | ---- | C] ()
avisplitter.ini -> %SystemRoot%\avisplitter.ini -> [2008/09/01 00:55:54 | 00,000,038 | ---- | C] ()
xvidcore.dll -> %SystemRoot%\System32\xvidcore.dll -> [2008/09/01 00:55:51 | 00,815,104 | ---- | C] ()
xvidvfw.dll -> %SystemRoot%\System32\xvidvfw.dll -> [2008/09/01 00:55:50 | 00,180,224 | ---- | C] ()
ff_vfw.dll -> %SystemRoot%\System32\ff_vfw.dll -> [2008/09/01 00:55:49 | 00,007,680 | ---- | C] ()
ff_vfw.dll.manifest -> %SystemRoot%\System32\ff_vfw.dll.manifest -> [2008/09/01 00:55:49 | 00,000,547 | ---- | C] ()
cpwmon2k.dll -> %SystemRoot%\System32\cpwmon2k.dll -> [2008/08/12 13:03:13 | 00,087,552 | ---- | C] ()
pdf2word.INI -> %SystemRoot%\pdf2word.INI -> [2008/07/16 12:49:15 | 00,000,394 | ---- | C] ()
cfgall.ini -> %SystemRoot%\cfgall.ini -> [2008/07/07 19:17:27 | 00,014,066 | ---- | C] ()
ODBC.INI -> %SystemRoot%\ODBC.INI -> [2008/07/05 20:13:20 | 00,000,376 | ---- | C] ()
preflib.dll -> %SystemRoot%\System32\preflib.dll -> [2008/07/05 19:24:43 | 00,086,016 | ---- | C] ()
bcm1xsup.dll -> %SystemRoot%\System32\bcm1xsup.dll -> [2008/07/05 19:24:42 | 00,757,760 | ---- | C] ()
OnlineScannerDLLA.dll -> %SystemRoot%\System32\OnlineScannerDLLA.dll -> [2008/02/11 09:39:26 | 00,253,952 | ---- | C] ()
OnlineScannerDLLW.dll -> %SystemRoot%\System32\OnlineScannerDLLW.dll -> [2008/02/11 09:39:18 | 00,237,568 | ---- | C] ()
OnlineScannerLang.dll -> %SystemRoot%\System32\OnlineScannerLang.dll -> [2008/02/08 13:53:46 | 00,110,592 | ---- | C] ()
bdoscandellang.ini -> %SystemRoot%\bdoscandellang.ini -> [2008/01/09 15:01:48 | 00,000,453 | ---- | C] ()
lnod32apiW.dll -> %SystemRoot%\System32\lnod32apiW.dll -> [2007/07/27 14:49:02 | 00,225,355 | ---- | C] ()
lnod32apiA.dll -> %SystemRoot%\System32\lnod32apiA.dll -> [2007/07/27 14:49:02 | 00,196,683 | ---- | C] ()
lnod32umc.dll -> %SystemRoot%\System32\lnod32umc.dll -> [2005/12/05 19:25:22 | 00,139,264 | ---- | C] ()
lnod32upd.dll -> %SystemRoot%\System32\lnod32upd.dll -> [2005/12/05 12:37:10 | 00,106,496 | ---- | C] ()
DLXAPI32.DLL -> %SystemRoot%\System32\DLXAPI32.DLL -> [2005/01/03 11:10:44 | 00,319,488 | ---- | C] ()
win.ini -> %SystemRoot%\win.ini -> [2004/08/04 08:00:00 | 00,000,573 | ---- | C] ()
system.ini -> %SystemRoot%\system.ini -> [2004/08/04 08:00:00 | 00,000,227 | ---- | C] ()
OUTLPERF.INI -> %SystemRoot%\System32\OUTLPERF.INI -> [2003/01/07 18:05:08 | 00,002,695 | ---- | C] ()
giveio.sys -> %SystemRoot%\System32\giveio.sys -> [1996/04/03 15:33:26 | 00,005,248 | ---- | C] ()
 
[Files/Folders - Modified Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
a99bbca1.sys -> %SystemRoot%\System32\drivers\a99bbca1.sys -> [2009/05/27 12:56:45 | 00,097,216 | ---- | M] ()
User_Feed_Synchronization-{CC261B67-F22A-41AD-AF8F-D97758EAE6AA}.job -> %SystemRoot%\tasks\User_Feed_Synchronization-{CC261B67-F22A-41AD-AF8F-D97758EAE6AA}.job -> [2009/05/27 12:55:00 | 00,000,426 | -H-- | M] ()
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/05/27 12:47:55 | 00,665,196 | ---- | M] ()
cfgall.ini -> %SystemRoot%\cfgall.ini -> [2009/05/27 12:47:16 | 00,014,066 | ---- | M] ()
User_Feed_Synchronization-{A08EB93D-5AC4-46BB-A03E-C1E654899581}.job -> %SystemRoot%\tasks\User_Feed_Synchronization-{A08EB93D-5AC4-46BB-A03E-C1E654899581}.job -> [2009/05/27 12:26:26 | 00,000,422 | -H-- | M] ()
Perflib_Perfdata_110.dat -> %SystemRoot%\Temp\Perflib_Perfdata_110.dat -> [2009/05/27 09:15:30 | 00,016,384 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/05/27 09:15:25 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/05/27 09:15:08 | 00,002,048 | --S- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/05/27 00:44:30 | 08,126,464 | -H-- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/05/27 00:44:01 | 00,000,278 | -HS- | M] ()
sfdb.dat -> %UserProfile%\Local Settings\Temp\jkos-Sorin\engine\bases\sfdb.dat -> [2009/05/26 12:02:18 | 00,000,084 | ---- | M] ()
kosglue-7.0.26.0.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\kosglue-7.0.26.0.dll -> [2009/05/26 11:43:43 | 00,729,152 | ---- | M] (Kaspersky Lab)
prLoader.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\prLoader.dll -> [2009/05/26 11:43:43 | 00,184,320 | ---- | M] (Kaspersky Lab)
prremote.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\prremote.dll -> [2009/05/26 11:43:43 | 00,090,112 | ---- | M] (Kaspersky Lab)
msvcr80.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\msvcr80.dll -> [2009/05/26 11:43:42 | 00,626,688 | ---- | M] (Microsoft Corporation)
msvcp80.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\msvcp80.dll -> [2009/05/26 11:43:42 | 00,548,864 | ---- | M] (Microsoft Corporation)
kave.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\kave.dll -> [2009/05/26 11:43:42 | 00,282,624 | ---- | M] (Kaspersky Lab.)
ikave.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\ikave.dll -> [2009/05/26 11:43:42 | 00,065,536 | ---- | M] ()
ScanningProcess.exe -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\ScanningProcess.exe -> [2009/05/26 11:43:41 | 00,139,264 | ---- | M] (Kaspersky Lab.)
FSSync.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\FSSync.dll -> [2009/05/26 11:43:41 | 00,038,400 | ---- | M] (Kaspersky Lab)
msvcm80.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\msvcm80.dll -> [2009/05/26 11:43:40 | 00,479,232 | ---- | M] (Microsoft Corporation)
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [2009/05/25 22:48:04 | 00,000,284 | ---- | M] ()
4038024988.dat -> %SystemRoot%\System32\4038024988.dat -> [2009/05/25 01:23:53 | 00,000,100 | --S- | M] ()
cc_20090525_012230.reg -> %UserProfile%\My Documents\cc_20090525_012230.reg -> [2009/05/25 01:22:36 | 00,009,362 | ---- | M] ()
RSIT.exe -> %UserProfile%\Desktop\RSIT.exe -> [2009/05/24 11:46:21 | 00,781,909 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/05/24 00:35:09 | 00,005,529 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/05/24 00:35:09 | 00,004,232 | ---- | M] ()
spybot.exe -> %UserProfile%\Desktop\spybot.exe -> [2009/05/24 00:16:31 | 16,409,960 | ---- | M] (Safer Networking Limited                                    )
cc_20090524_001020.reg -> %UserProfile%\My Documents\cc_20090524_001020.reg -> [2009/05/24 00:10:41 | 00,078,748 | ---- | M] ()
CCleaner.lnk -> %UserProfile%\Desktop\CCleaner.lnk -> [2009/05/24 00:08:05 | 00,001,548 | ---- | M] ()
HOSTS -> %SystemRoot%\System32\drivers\etc\HOSTS -> [2009/05/23 21:19:03 | 00,000,687 | ---- | M] ()
IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db -> [2009/05/23 19:47:05 | 04,240,656 | -H-- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2009/05/23 19:16:07 | 00,000,573 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/05/23 19:16:07 | 00,000,227 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2009/05/23 19:16:07 | 00,000,211 | -H-- | M] ()
ERUNT AutoBackup.lnk -> %UserProfile%\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2009/05/22 19:23:21 | 00,000,767 | ---- | M] ()
NTREGOPT.lnk -> %UserProfile%\Desktop\NTREGOPT.lnk -> [2009/05/22 19:23:02 | 00,000,611 | ---- | M] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/05/22 19:23:02 | 00,000,592 | ---- | M] ()
_id.dat -> %SystemRoot%\System32\_id.dat -> [2009/05/21 19:31:56 | 00,000,000 | ---- | M] ()
alrsvcq.exe -> %SystemRoot%\System32\alrsvcq.exe -> [2009/05/21 19:31:44 | 00,050,688 | RHS- | M] ()
tmuninst.ini -> %SystemDrive%\tmuninst.ini -> [2009/05/21 17:22:10 | 00,000,021 | ---- | M] ()
pdf2word.INI -> %SystemRoot%\pdf2word.INI -> [2009/05/20 17:07:17 | 00,000,394 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/05/19 13:04:06 | 00,002,206 | ---- | M] ()
tmcomm.sys -> %SystemRoot%\System32\drivers\tmcomm.sys -> [2009/05/15 07:23:24 | 00,142,992 | ---- | M] (Trend Micro Inc.)
WCF731.EXE -> %SystemRoot%\Temp\WCF731.EXE -> [2009/05/15 07:23:22 | 00,296,224 | ---- | M] (Trend Micro Inc.)
tmtdi.sys -> %SystemRoot%\System32\drivers\tmtdi.sys -> [2009/05/15 07:23:14 | 00,076,688 | ---- | M] (Trend Micro Inc.)
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [2009/05/11 19:23:01 | 00,047,616 | ---- | M] ()
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2009/05/11 19:08:17 | 00,212,080 | ---- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/05/11 19:03:40 | 00,361,752 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/05/11 19:03:40 | 00,316,990 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/05/11 19:03:40 | 00,041,814 | ---- | M] ()
vpd.properties -> %SystemRoot%\vpd.properties -> [2009/05/11 17:02:33 | 00,000,969 | ---- | M] ()
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/05/07 03:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation)
Paper on CSR honors college.doc -> %UserProfile%\Desktop\Paper on CSR honors college.doc -> [2009/05/06 15:35:39 | 00,326,144 | ---- | M] ()
opa11.dat -> %AllUsersProfile%\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [2008/07/05 20:28:15 | 00,011,090 | ---- | M] ()
[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a99bbca1]
"ImagePath"="\SystemRoot\System32\drivers\a99bbca1.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"F96ZK6nPB"="Z3Jpemltdm96aW0ubmFtZQ=="
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\a99bbca1]
"ImagePath"="\SystemRoot\System32\drivers\a99bbca1.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"F96ZK6nPB"="Z3Jpemltdm96aW0ubmFtZQ=="
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\system32:{4B9A1497-0817-47C4-9612-D6A1C53ACF57} 12 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
< Document and Settings folder & sub folders >
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden files ...
C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 103 bytes
C:\Documents and Settings\Sorin\Favorites\1999 V6 Passat ABS-Brake Light - Car Forums and Automotive Chat.url:favicon 2238 bytes
C:\Documents and Settings\Sorin\Favorites\American Renaissance News Europe Xenophobia and Economic Recession.url:favicon 1406 bytes
C:\Documents and Settings\Sorin\Favorites\deceleration noise after ball joints replacement - VW Forum  Volkswagen Forum.url:favicon 1150 bytes
C:\Documents and Settings\Sorin\Favorites\Engine Knock & Oil Pressure - Volkswagen Auto Repair Advice.url:favicon 318 bytes
C:\Documents and Settings\Sorin\Favorites\europe Xenophobia Rising  STRATFOR.url:favicon 3638 bytes
C:\Documents and Settings\Sorin\Favorites\FT.com - In depth - Nico Colchester.url:favicon 3638 bytes
C:\Documents and Settings\Sorin\Favorites\GraphPad QuickCalcs chi square calculator.url:favicon 318 bytes
C:\Documents and Settings\Sorin\Favorites\http--www.watch-movies-links.net-movies-race_to_witch_mountain-.url:favicon 894 bytes
C:\Documents and Settings\Sorin\Favorites\Links\eBay.url:favicon 1406 bytes
C:\Documents and Settings\Sorin\Favorites\Links\Suggested Sites.url:favicon 25214 bytes
C:\Documents and Settings\Sorin\Favorites\Magazines for Cheap - Cheap Magazine Subscriptions.url:favicon 3638 bytes
C:\Documents and Settings\Sorin\Favorites\PChuck's Network Limited Or No Connectivity.url:favicon 3638 bytes
C:\Documents and Settings\Sorin\Favorites\tamos.url:favicon 2550 bytes
C:\Documents and Settings\Sorin\Favorites\usb.url:favicon 2550 bytes
C:\Documents and Settings\Sorin\Favorites\When I press hard on my brakes oil light comes on - Yahoo! Answers.url:favicon 1150 bytes
C:\Documents and Settings\Sorin\Favorites\Wireless doesn't work anymore Limited or no connectivity in General Discussion.url:favicon 3638 bytes
C:\Documents and Settings\Sorin\Favorites\Xenophobia across Europe threatens Turks, Turkey’s EU accession process.url:favicon 824 bytes
C:\Documents and Settings\Sorin\Favorites\YouTube - How to Crack WEP.url:favicon 1150 bytes
C:\Documents and Settings\Sorin\Favorites\YouTube - How to remove Windows genuine Advantage Notifications.url:favicon 318 bytes
C:\Documents and Settings\Sorin\Favorites\YouTube - Renaming EXE Files After Malware Blocks Security Programs.url:favicon 318 bytes
C:\Documents and Settings\visitor\Favorites\Links\Suggested Sites.url:favicon 25214 bytes
scan completed successfully
hidden files: 331
 
 
[Alternate Data Streams]
@Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
@Alternate Data Stream - 103 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 12 bytes -> %SystemRoot%\system32:{4B9A1497-0817-47C4-9612-D6A1C53ACF57}
< End of report >

 

[peku006]

Hi Bruce

1 - Run OTScanIt2

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[[Win32 Services - Safe List]
YY -> (dmserverNtmsSvc) Logical Disk Manager dmserverNtmsSvc [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\alrsvcq.exe
[Files/Folders - Created Within 30 Days]
NY -> a99bbca1.sys -> %SystemRoot%\System32\drivers\a99bbca1.sys
NY -> alrsvcq.exe -> %SystemRoot%\System32\alrsvcq.exe
NY -> cfgrt_ex.ini -> %SystemRoot%\cfgrt_ex.ini
[Files/Folders - Modified Within 30 Days]
NY -> cfgall.ini -> %SystemRoot%\cfgall.ini
NY -> ikave.dll -> %UserProfile%\Local Settings\Temp\jkos-Sorin\binaries\ikave.dll
NY -> qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> alrsvcq.exe -> %SystemRoot%\System32\alrsvcq.exe
[Alternate Data Streams]
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
NY -> @Alternate Data Stream - 12 bytes -> %SystemRoot%\system32:{4B9A1497-0817-47C4-9612-D6A1C53ACF57}

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Thanks peku006

 

[brucealutus]

There we go. Next step?

[Files/Folders - Created Within 30 Days]
File move failed. C:\WINDOWS\System32\drivers\a99bbca1.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\alrsvcq.exe scheduled to be moved on reboot.
C:\WINDOWS\cfgrt_ex.ini moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\cfgall.ini moved successfully.
C:\Documents and Settings\Sorin\Local Settings\Temp\jkos-Sorin\binaries\ikave.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
File move failed. C:\WINDOWS\System32\alrsvcq.exe scheduled to be moved on reboot.
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMPFC5A2B2 deleted successfully.
ADS C:\WINDOWS\system32:{4B9A1497-0817-47C4-9612-D6A1C53ACF57} deleted successfully.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.14.0 fix logfile created on 05272009_145837

Files moved on Reboot...
File move failed. C:\WINDOWS\System32\drivers\a99bbca1.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\System32\alrsvcq.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...


thanks,
Bruce

 

[brucealutus]

thanks

peku, i finally decided to format and reinstall, just to be safe.
thanks for all the effort and time you put into this.

Bruce

 

[peku006]

Since this issue appears to be resolved ... this Topic has been closed