So this is a repost of a previous topic, with only the HJT log attached into it. Sorry about the previous one :cool:

---------------------------------

I run Avira antivirus and it finds some viruses, including one in a file called tapi.nfo. When I quarantine it and restart the PC I get the error "error loading tapi.nfo" and Firefox crashes after being on for a few seconds. I have returned tapi.nfo to it's original place from the quarantine and everything seems fine (but Avira will again report it as a trojan/virus).

HJT log is attached below.

Thanks for any help!

Edit

Then start a new topic copy pasting the HJT log ;)
http://forums.spybot.info/showthread.php?t=51625

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:13:29, on 7.9.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\qtplugin.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [RegistryMonitor1] C:\WINDOWS\system32\qtplugin.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Jazler Studio Auto Startup.lnk = C:\Jazler Radio II\JZRADIO-STARTUP.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD2C4D35-8BC7-4E34-9893-DADDFE4FC7C5}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: msosmhfp01.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 6201 bytes

Hello damnvirus,

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we are share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
As I am currently in training, it will take some time for me to go through your logs, please be patient with me.
Be assured that any recommendations to you will be done as soon as possible and will be approved by an expert.
Reply and keep only to this thread. If you have the same topic elsewhere, please inform me or the other forum so that either can be closed.
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
If you have any doubts or problems during the fix, please stop and ask.
If you need to be away for a while during the fix, please let me know.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
Do not use or run any tools without supervision as they may cause more harm if improperly used.
If you do not reply within 5 days, this topic will be closed.

If you are agreeable to the above, then everything should go smoothly :) . We may begin.
I am working on your log now and will be back the soonest.

At the mean time, please post an Uninstall list

Open HijackThis.
Go to Open the Misc Tools section by clicking on the box.
Under the Systems tools, look for Open Uninstall Manager and click on it.
Click Save list... and save the text file in a convenient location.
Copy and paste the Uninstall list contents in your reply.

Hi, there is another similar thread, but it was closed because I made an error in posting.. this thread is the only active one for this problem.

---- HJT Uninstall list copy/paste ------------------------------------

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Illustrator CS2
Adobe InDesign CS2
Adobe Photoshop CS2
Adobe Reader 7.0.7
Adobe SVG Viewer 3.0
ASAPI Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
Avanquest update
Avira AntiVir Personal - Free Antivirus
AVIVO Codecs
BlueVoda Website Builder 9.22
ERUNT 1.1j
GIMP 2.4.7
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Lexmark 2300 Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MonkeyBongo - Free SMS Now!
MonkeyBongo - Ringtone DJ
MonkeyBongo - Upload2Phone
Motorola Driver Installation
Motorola Phone Tools
Motorola SM56 Speakerphone Modem
Mozilla Firefox (2.0.0.20)
MSN
MSXML 6 Service Pack 2 (KB954459)
Nero Suite
NVIDIA Drivers
Olympus Digital Wave Player
OpenOffice.org 2.0
PowerDVD
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Skype 3.0
Skype add-on for IE
Skype Plugin Manager
Solidyne Virtual Rack DSP 4.30
Sonic Foundry Sound Forge 6.0
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Steinberg Cubase SX v2.01
Steinberg WaveLab 5.01b
Symantec KB-DocID:2003093015493306
SyncroSoft Emu (Remove only)
Syncrosoft's License Control
UltraVNC v1.0
UltraVNC v1.0.2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Virtual DJ - Atomix Productions
Virtual DJ Studio 3.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver

Hello damnvirus :),

Please download OTL© by OldTimer and save it to your desktop. Click here. (http://oldtimer.geekstogo.com/OTL.exe)

Double click on OTL.exe to run it.
Make sure all the Use SafeList options is checked (ticked). There are five of them.
Check Scan All Users.
At the lower right corner, check LOP Check and Purity Check.
Click on Run Scan at the top left hand corner. This might take a while.
When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply. One log per reply please.
Note: These files are saved as OTL.txt and Extras.txt on the desktop.

Please download GMER and save it to your desktop. Click here. (http://www.gmer.net/download.php)

Double click the .exe file. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
In the right panel, you will see several boxes that have been checked (ticked). Uncheck the following:
Sections
IAT/EAT
All other Drives/Partitions except Systemdrive, typically C:\, leave it checked
Show All (don't miss this one)
Then click the Scan button and wait for it to finish.
Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries.

Do not run any other programs while GMER is running.

Please post back:
1. OTL logs (OTL.txt and Extras.txt)
2. the GMER result

---- OTL logs copy/paste ------------------------------------
------- OTL.txt --------------------------------------------

OTL logfile created on: 14.9.2009 21:12:43 - Run 1
OTL by OldTimer - Version 3.0.11.0 Folder = C:\Documents and Settings\Owner\Desktop\Šef Tehnike\v
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 0000041A | Country: Croatia | Language: HRV | Date Format: d.M.yyyy

511,48 Mb Total Physical Memory | 129,50 Mb Available Physical Memory | 25,32% Memory free
1,22 Gb Paging File | 0,79 Gb Available in Paging File | 64,95% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149,04 Gb Total Space | 115,69 Gb Free Space | 77,62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DIREKTOR
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006.07.18 21:51:44 | 00,401,408 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2006.07.18 21:51:44 | 00,401,408 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2009.06.10 08:47:27 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2007.06.13 12:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.exe
PRC - [2005.12.14 12:06:52 | 00,577,536 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005.07.21 02:07:22 | 00,200,704 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
PRC - [2005.08.01 08:05:04 | 00,094,208 | ---- | M] (Lexmark International Inc.) -- C:\Program Files\Lexmark 2300 Series\ezprint.exe
PRC - [2006.12.06 19:37:40 | 00,069,216 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2006.01.02 17:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
PRC - [2009.03.02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009.09.01 00:53:29 | 00,272,896 | ---- | M] () -- C:\WINDOWS\System32\qtplugin.exe
PRC - [2006.12.11 20:41:08 | 25,343,016 | ---- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2009.03.05 16:07:20 | 02,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2004.01.16 15:45:08 | 00,114,688 | ---- | M] (OLYMPUS Corporation.) -- C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
PRC - [2009.08.08 13:57:14 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [1996.11.17 00:00:00 | 00,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE
PRC - [2005.08.08 14:54:00 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
PRC - [2008.03.02 11:36:32 | 01,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2006.06.18 14:56:10 | 00,712,704 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\WinVNC.exe
PRC - [2005.07.25 15:25:18 | 00,491,520 | ---- | M] ( ) -- C:\WINDOWS\System32\lxcgcoms.exe
PRC - [2006.01.02 17:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
PRC - [2009.06.12 16:28:19 | 07,678,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009.09.14 21:11:46 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Šef Tehnike\v\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007.06.14 12:06:34 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2009.06.10 08:47:27 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService [Auto | Running])
SRV - [2009.08.08 13:57:14 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService [Auto | Running])
SRV - [2008.07.25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006.07.18 21:51:44 | 00,401,408 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2006.07.18 21:05:00 | 00,520,192 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2008.07.25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008.07.29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2006.02.28 14:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008.07.29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2005.07.25 15:25:18 | 00,491,520 | ---- | M] ( ) -- C:\WINDOWS\System32\lxcgcoms.exe -- (lxcg_device [On_Demand | Running])
SRV - [2008.07.29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2005.08.08 14:54:00 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Auto | Running])
SRV - [2008.03.02 11:36:32 | 01,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [Auto | Running])
SRV - [2006.06.18 14:56:10 | 00,712,704 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\WinVNC.exe -- (winvnc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2005.12.16 07:50:30 | 03,842,560 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2002.04.17 20:27:02 | 00,011,264 | ---- | M] (VOB Computersysteme GmbH) -- C:\WINDOWS\System32\drivers\asapi.sys -- (Asapi [System | Running])
DRV - [2006.07.18 21:58:16 | 01,621,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2009.02.13 12:35:05 | 00,011,608 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio [System | Running])
DRV - [2009.08.08 13:57:14 | 00,055,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avgntflt.sys -- (avgntflt [Auto | Running])
DRV - [2009.03.30 10:33:07 | 00,096,104 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avipbb.sys -- (avipbb [System | Running])
DRV - [2005.05.09 20:08:40 | 00,033,792 | ---- | M] (Team H2O) -- C:\WINDOWS\System32\DRIVERS\cledx.sys -- (CLEDX [On_Demand | Running])
DRV - [2006.11.30 11:00:00 | 00,387,384 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2004.08.04 01:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2005.07.28 09:18:40 | 00,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\WINDOWS\System32\drivers\hardlock.sys -- (Hardlock [Auto | Running])
DRV - [2009.08.03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
DRV - [2001.08.17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2001.08.17 16:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
DRV - [2004.08.13 04:56:20 | 00,005,810 | R--- | M] () -- C:\WINDOWS\System32\DRIVERS\ASACPI.sys -- (MTsensor [On_Demand | Running])
DRV - [2005.08.18 11:52:06 | 00,093,568 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata [Boot | Running])
DRV - [2005.12.21 05:40:38 | 00,034,048 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\NVENETFD.sys -- (NVENETFD [On_Demand | Running])
DRV - [2005.12.21 05:40:40 | 00,013,056 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nvnetbus.sys -- (nvnetbus [On_Demand | Running])
DRV - [2004.04.01 16:30:46 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\System32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2006.02.28 14:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007.11.13 12:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004.06.29 12:43:06 | 00,923,570 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\System32\DRIVERS\smserial.sys -- (smserial [On_Demand | Running])
DRV - [2009.06.10 08:47:27 | 00,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\ssmdrv.sys -- (ssmdrv [System | Running])
DRV - [2006.09.05 01:35:12 | 00,010,344 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symlcbrd.sys -- (symlcbrd [Auto | Running])
DRV - [2004.08.04 00:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2003.12.26 09:22:00 | 00,024,192 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\usbser.sys -- (usbser [On_Demand | Stopped])
DRV - [2008.09.11 12:15:41 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\usbsermptxp.sys -- (usbsermptxp [On_Demand | Stopped])
DRV - [2006.02.28 14:00:00 | 00,012,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\usb8023.sys -- (USB_RNDIS_51 [On_Demand | Stopped])
DRV - [2004.06.26 13:22:00 | 00,006,016 | ---- | M] (RDV Soft) -- C:\WINDOWS\System32\Drivers\vnccom.SYS -- (vnccom [Auto | Running])
DRV - [2004.06.26 13:22:00 | 00,004,736 | ---- | M] (RDV Soft) -- C:\WINDOWS\System32\DRIVERS\vncdrv.sys -- (vncdrv [On_Demand | Running])
DRV - [2003.12.15 19:22:00 | 00,038,448 | ---- | M] (OLYMPUS OPTICAL CO.,LTD.) -- C:\WINDOWS\System32\DRIVERS\VNUSB.sys -- (VNUSB [On_Demand | Stopped])
DRV - File not found -- Service key not found. -- (win32x [Unknown | Running])
DRV - [2006.11.02 17:51:58 | 00,013,560 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\000.fcl -- ({95808DC4-FA4A-4c74-92FE-5B863F82066B} [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\S-1-5-21-1220945662-1708537768-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009.09.02 03:00:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009.06.12 16:28:32 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009.06.12 16:28:32 | 00,000,000 | ---D | M]

[2009.09.11 17:04:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\oeos7fk4.default\extensions
[2009.09.04 18:50:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\oeos7fk4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008.03.04 01:50:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009.06.12 16:28:32 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009.06.12 16:28:32 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla.org
[2009.06.12 16:28:08 | 00,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2009.06.12 16:28:08 | 00,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2009.06.12 16:28:08 | 00,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2009.06.12 16:28:11 | 00,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2009.06.12 16:28:11 | 00,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2009.06.12 16:28:23 | 00,022,656 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009.06.12 16:28:27 | 00,001,514 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009.06.12 16:28:27 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009.06.12 16:28:27 | 00,001,038 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009.06.12 16:28:27 | 00,001,046 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009.06.12 16:28:28 | 00,002,351 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009.06.12 16:28:28 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Phone\IEPlugin\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O3 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 2300 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LXCGCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.DLL ()
O4 - HKLM..\Run: [lxcgmon.exe] C:\Program Files\Lexmark 2300 Series\lxcgmon.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [RegistryMonitor1] C:\WINDOWS\System32\qtplugin.exe ()
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)
O4 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe (OLYMPUS Corporation.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Phone\IEPlugin\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 102 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 102 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 102 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 102 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1220945662-1708537768-839522115-1003\..Trusted Domains: 102 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (msosmhfp01.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (rundll32.exe) - File not found
O20 - HKLM Winlogon: Shell - (tapi.nfo) - C:\WINDOWS\System32\tapi.nfo ()
O20 - HKLM Winlogon: Shell - (beforeglav) - File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe [FILE handle not seen by OS]
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.05 00:45:31 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009.09.04 18:57:36 | 00,000,000 | ---D | M] - C:\Autoruns -- [ NTFS ]
O33 - MountPoints2\{0c1ec75f-a4ca-11dc-bff7-001731b5ff9f}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
O33 - MountPoints2\{32150bce-966b-11db-bf76-001731b5ff9f}\Shell - "" = AutoRun
O33 - MountPoints2\{32150bce-966b-11db-bf76-001731b5ff9f}\Shell\Auto\command - "" = E:\auto.exe -- File not found
O33 - MountPoints2\{32150bce-966b-11db-bf76-001731b5ff9f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b0fcf07c-abdf-11dd-8067-001731b5ff9f}\Shell\AutoRun\command - "" = E:\RECYCLER\S-51-9-25-3434476501-1644491939-601013333-1214\ProMgr.exe -- File not found
O33 - MountPoints2\{b0fcf07c-abdf-11dd-8067-001731b5ff9f}\Shell\open\command - "" = E:\RECYCLER\S-51-9-25-3434476501-1644491939-601013333-1214\ProMgr.exe -- File not found
O33 - MountPoints2\{dd45db41-75d3-11dd-8053-001731b5ff9f}\Shell - "" = AutoRun
O33 - MountPoints2\{dd45db41-75d3-11dd-8053-001731b5ff9f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{dd45db41-75d3-11dd-8053-001731b5ff9f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{f4eee11c-5aae-11dc-bfdd-001731b5ff9f}\Shell - "" = AutoRun
O33 - MountPoints2\{f4eee11c-5aae-11dc-bfdd-001731b5ff9f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f4eee11c-5aae-11dc-bfdd-001731b5ff9f}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f5b74ac4-cfff-11dc-8008-001731b5ff9f}\Shell\Auto\command - "" = G:\AdobeR.exe -- File not found
O33 - MountPoints2\{f5b74ac4-cfff-11dc-8008-001731b5ff9f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009.09.11 20:18:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009.09.11 17:00:06 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009.09.11 17:00:01 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009.09.10 13:51:15 | 00,037,376 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kretanje_Brodova_CMA-CGM.doc
[2009.09.10 13:50:06 | 00,051,200 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\KRETANJE.DOC
[2009.09.07 21:56:28 | 00,000,000 | ---D | C] -- C:\rsit
[2009.09.07 21:56:28 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2009.09.07 20:52:10 | 00,000,506 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\bla.lnk
[2009.09.07 20:49:59 | 00,006,903 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\bla
[2009.09.05 12:15:28 | 00,000,731 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Cubase SX.lnk
[2009.09.05 12:15:16 | 00,487,936 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Rmbe3260.dll
[2009.09.05 12:15:16 | 00,352,768 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pngu3263.dll
[2009.09.05 12:15:16 | 00,273,408 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Pncrt.dll
[2009.09.05 12:15:16 | 00,217,088 | ---- | C] (Propellerhead Software AB) -- C:\WINDOWS\System32\ReWire.dll
[2009.09.05 12:15:16 | 00,131,072 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Pneng50.dll
[2009.09.05 12:15:16 | 00,130,560 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Pnc3250.dll
[2009.09.05 12:15:16 | 00,087,040 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Ra32sipr.dll
[2009.09.05 12:15:16 | 00,085,504 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Encdnet.dll
[2009.09.05 12:15:16 | 00,081,920 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Ra3214_4.dll
[2009.09.05 12:15:16 | 00,072,704 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Ra3228_8.dll
[2009.09.05 12:15:16 | 00,061,952 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Decdnet.dll
[2009.09.05 12:15:16 | 00,021,504 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\Ra32dnet.dll
[2009.09.04 21:48:07 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009.09.04 21:44:51 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\tapi.nfo
[2009.09.04 20:30:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009.09.04 20:29:24 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009.09.04 20:29:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2009.09.04 18:57:36 | 00,000,000 | ---D | C] -- C:\Autoruns
[2009.09.03 12:42:48 | 00,033,280 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kretanje_Brodova-Topic_Fleet.doc
[2009.09.03 12:42:28 | 00,059,392 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\TJEDNO_KRETANJE.doc
[2009.09.03 12:40:24 | 00,112,640 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\mala_brodogradnja.doc
[2009.09.03 12:40:10 | 00,113,152 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Sigurna_plovidba_2009.doc
[2009.09.03 11:01:37 | 00,345,600 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\VShipsAp.doc
[2009.08.31 09:08:15 | 00,272,896 | ---- | C] () -- C:\WINDOWS\System32\qtplugin.exe
[2009.08.26 03:06:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009.08.26 03:06:05 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009.08.26 03:05:59 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009.08.26 03:05:19 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009.08.26 03:05:18 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009.08.26 03:05:18 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009.08.26 03:05:18 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009.08.26 03:05:18 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009.08.26 03:05:18 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009.08.26 03:05:18 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009.08.26 03:05:17 | 00,000,000 | ---D | C] -- C:\9b042881aed63cc3887ae178
[2009.08.26 03:04:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009.08.26 03:01:17 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2008.08.21 10:31:29 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007.06.30 07:26:00 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2007.02.08 23:25:49 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006.10.11 14:20:39 | 01,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcgserv.dll
[2006.10.11 14:20:39 | 01,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcgusb1.dll
[2006.10.11 14:20:39 | 00,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcgprox.dll
[2006.10.11 14:20:39 | 00,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcgpplc.dll
[2006.10.11 14:20:39 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcgvs.dll
[2006.10.11 14:20:38 | 00,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcgcomc.dll
[2006.10.11 14:20:38 | 00,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcglmpm.dll
[2006.10.11 14:20:38 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcgcomm.dll
[2006.09.05 13:53:05 | 00,001,890 | ---- | C] () -- C:\WINDOWS\ATICIM.INI
[2006.09.05 01:28:03 | 00,135,168 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006.09.05 01:27:55 | 00,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2006.09.05 01:20:11 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006.09.05 01:20:10 | 00,018,048 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006.09.05 01:20:01 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006.02.28 14:00:00 | 00,000,527 | ---- | C] () -- C:\WINDOWS\win.ini
[2006.02.28 14:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1996.11.17 00:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996.11.17 00:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996.11.17 00:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009.09.14 21:00:50 | 00,000,000 | ---- | M] () -- C:\WINDOWS\TempFile
[2009.09.14 21:00:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009.09.14 21:00:43 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009.09.14 21:00:41 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009.09.11 17:00:06 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009.09.10 13:51:15 | 00,037,376 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kretanje_Brodova_CMA-CGM.doc
[2009.09.10 13:50:06 | 00,051,200 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\KRETANJE.DOC
[2009.09.10 13:49:05 | 00,059,392 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\TJEDNO_KRETANJE.doc
[2009.09.10 13:48:52 | 00,033,280 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kretanje_Brodova-Topic_Fleet.doc
[2009.09.10 03:00:41 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009.09.08 12:30:35 | 00,111,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009.09.07 20:52:10 | 00,000,506 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\bla.lnk
[2009.09.07 20:51:06 | 00,006,903 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\bla
[2009.09.07 14:04:55 | 00,017,016 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009.09.05 12:15:55 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009.09.05 12:15:28 | 00,000,731 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Cubase SX.lnk
[2009.09.04 21:44:51 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\tapi.nfo
[2009.09.03 12:40:25 | 00,112,640 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mala_brodogradnja.doc
[2009.09.03 12:40:10 | 00,113,152 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Sigurna_plovidba_2009.doc
[2009.09.03 11:01:39 | 00,345,600 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\VShipsAp.doc
[2009.09.01 00:53:29 | 00,272,896 | ---- | M] () -- C:\WINDOWS\System32\qtplugin.exe
[2009.08.28 23:38:20 | 24,689,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009.08.26 03:09:43 | 00,488,532 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009.08.26 03:09:43 | 00,432,492 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009.08.26 03:09:43 | 00,067,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== LOP Check ==========

[2009.09.04 20:30:11 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009.06.01 22:44:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2008.09.11 12:21:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2008.08.29 14:02:34 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2007.02.07 12:48:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2009.06.04 13:17:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006.09.05 20:21:43 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Default User\Application Data
[2009.09.07 20:17:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data
[2006.09.05 00:48:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data
[2009.08.13 18:06:32 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner\Application Data
[2007.02.07 10:09:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ahead
[2006.09.05 14:05:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ATI
[2007.02.07 12:48:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CyberLink
[2008.09.19 18:50:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\gtk-2.0
[2009.09.14 17:25:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
[2009.09.05 12:16:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Steinberg
[2007.05.21 15:09:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Syntrillium
[2007.10.23 08:08:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\U3
[2006.02.28 14:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009.09.14 21:00:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6F6564F2
< End of report >

---- OTL logs copy/paste ------------------------------------
------- Extras.txt --------------------------------------------

OTL Extras logfile created on: 14.9.2009 21:12:43 - Run 1
OTL by OldTimer - Version 3.0.11.0 Folder = C:\Documents and Settings\Owner\Desktop\Šef Tehnike\v
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 0000041A | Country: Croatia | Language: HRV | Date Format: d.M.yyyy

511,48 Mb Total Physical Memory | 129,50 Mb Available Physical Memory | 25,32% Memory free
1,22 Gb Paging File | 0,79 Gb Available in Paging File | 64,95% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149,04 Gb Total Space | 115,69 Gb Free Space | 77,62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DIREKTOR
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\sysrest32.exe" = C:\WINDOWS\system32\sysrest32.exe:*:Enabled:enable -- File not found
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"E:\RECYCLER\S-51-9-25-3434476501-1644491939-601013333-1214\Qsaf.exe" = E:\RECYCLER\S-51-9-25-3434476501-1644491939-601013333-1214\Qsaf.exe:*:C:\WINDOWS\system32\drivers\Qsaf.exe -- File not found
"C:\DOCUME~1\Owner\LOCALS~1\Temp\eraseme_76637.exe" = C:\DOCUME~1\Owner\LOCALS~1\Temp\eraseme_76637.exe:*:C:\WINDOWS\system32\drivers\ProMgr.exe -- File not found
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{3324A5DC-C7F6-430A-ACC8-F251CD8F4FC7}" = Motorola Driver Installation
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}" = Skype Plugin Manager
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{49F45AB6-2911-48F5-B1C3-6B61FCC60472}" = ATI Catalyst Control Center
"{62FC357F-022B-4F90-9376-7A0DF9FBE7A1}" = Sonic Foundry Sound Forge 6.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{686BB230-DE5B-44F4-8DB0-4F9BEE7310F7}" = OpenOffice.org 2.0
"{75CDF2CA-5F89-4BC8-9556-CF70782CBD17}" = Motorola Phone Tools
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{7F4C8163-F259-49A0-A018-2857A90578BC}" = Adobe InDesign CS2
"{86EF9FC4-F209-4520-B7E1-C7FF0EEBDFFF}" = Adobe Audition 1.5
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8AD990E-355A-4413-8647-A9B168978423}_is1" = UltraVNC v1.0.2
"{AC76BA86-7AD7-1033-7B44-A70700000002}" = Adobe Reader 7.0.7
"{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}" = AVIVO Codecs
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F62C8188-DA37-41C5-A565-2056F33A3FFB}_is1" = UltraVNC v1.0
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FB91E774-867B-4567-ACE7-8144EF036068}" = Olympus Digital Wave Player
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Illustrator CS2" = Adobe Illustrator CS2
"Adobe InDesign CS2 - {7F4C8163-F259-49A0-A018-2857A90578BC}" = Adobe InDesign CS2
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"All ATI Software" = ATI - Software Uninstall Utility
"ASAPI Update" = ASAPI Update
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BlueVoda_Website_Builder_1.0" = BlueVoda Website Builder 9.22
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Lexmark 2300 Series" = Lexmark 2300 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MonkeyBongo - Free SMS Now!" = MonkeyBongo - Free SMS Now!
"MonkeyBongo - Ringtone DJ" = MonkeyBongo - Ringtone DJ
"MonkeyBongo - Upload2Phone" = MonkeyBongo - Upload2Phone
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"MSNINST" = MSN
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Office8.0" = Microsoft Office 97, Professional Edition
"Skype_is1" = Skype 3.0
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"Solidyne Virtual Rack DSP_is1" = Solidyne Virtual Rack DSP 4.30
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Steinberg Cubase SX v2.01" = Steinberg Cubase SX v2.01
"Steinberg WaveLab 5.01b" = Steinberg WaveLab 5.01b
"SyncroSoft Emu" = SyncroSoft Emu (Remove only)
"Syncrosoft's License Control" = Syncrosoft's License Control
"ToolBand.SkypeIEToolbarToolbar" = Skype add-on for IE
"VDJ3" = Virtual DJ Studio 3.0
"Virtual DJ - Atomix Productions" = Virtual DJ - Atomix Productions
"WIC" = Windows Imaging Component
"WinGimp-2.0_is1" = GIMP 2.4.7
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 29.5.2009 6:39:52 | Computer Name = DIREKTOR | Source = AVG7 | ID = 100
Description =

[ System Events ]
Error - 13.9.2009 16:52:37 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 13.9.2009 22:13:09 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 14.9.2009 2:51:14 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 14.9.2009 6:42:22 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 14.9.2009 9:19:12 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 14.9.2009 12:33:30 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 14.9.2009 15:12:54 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 14.9.2009 15:12:54 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 14.9.2009 15:12:54 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 14.9.2009 15:12:54 | Computer Name = DIREKTOR | Source = Service Control Manager | ID = 7028
Description = The win32x Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.


< End of report >


---- Gmer log copy/paste Gmer.txt ------------------------------------

GMER 1.0.15.15086 - http://www.gmer.net
Rootkit scan 2009-09-14 22:08:19
Windows 5.1.2600 Service Pack 2
Running: ztnqrb69.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\aujasnkj.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\win32x.sys ZwClose [0xF87A88A0] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\drivers\win32x.sys ZwCreateKey [0xF87A8740] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\drivers\win32x.sys ZwEnumerateKey [0xF87A8550] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\drivers\win32x.sys ZwOpenKey [0xF87A8650] <-- ROOTKIT !!!

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82342CC8
Device \FileSystem\Ntfs \Ntfs 81F0F280

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\win32x.sys (*** hidden *** ) [MANUAL] win32x <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares@`\1e\0f\0 \0T\0e\0h\0n\0i\0k\0e CSCFlags=0?MaxUses=4294967295?Path=C:\Documents and Settings\Owner\Desktop\?ef Tehnike?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\win32x
Reg HKLM\SYSTEM\CurrentControlSet\Services\win32x@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\win32x@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\win32x@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\win32x@ImagePath \??\C:\WINDOWS\system32\drivers\win32x.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\win32x@DisplayName win32x
Reg HKLM\SYSTEM\CurrentControlSet\Services\win32x\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\win32x\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares@`\1e\0f\0 \0T\0e\0h\0n\0i\0k\0e CSCFlags=0?MaxUses=4294967295?Path=C:\Documents and Settings\Owner\Desktop\?ef Tehnike?Permissions=0?Remark=?Type=0?
Reg HKLM\SYSTEM\ControlSet002\Services\win32x (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\win32x@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\win32x@Start 3
Reg HKLM\SYSTEM\ControlSet002\Services\win32x@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\win32x@ImagePath \??\C:\WINDOWS\system32\drivers\win32x.sys
Reg HKLM\SYSTEM\ControlSet002\Services\win32x@DisplayName win32x
Reg HKLM\SYSTEM\ControlSet002\Services\win32x\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\win32x\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\dllcache\userinit.exe 24576 bytes executable
File C:\WINDOWS\system32\win32x.exe 24576 bytes executable
File C:\WINDOWS\system32\drivers\win32x.sys 21408 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\userinit.exe 89600 bytes executable
File C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe 26112 bytes executable

---- EOF - GMER 1.0.15 ----

Hello damnvirus,

Your computer has some serious infections with backdoor capabilities.
Sorry for the bad news. Backdoors provide outsiders full access to your computer, enabling them to record key strokes, steal passwords, spread malwares, and even using it for other illegal activities.

If your computer has been used for important or sensitive data such as online banking, shopping or any other financial transactions, I strongly recommend you to do the following:

Disconnect from the Internet and any network immediately.
Inform your financial institutions that you may be a victim of identity theft and to put a watch on all your accounts or change them.
Change all your online passwords from a clean computer.
Take any other steps that you may think is necessary to prevent financial distress due to identity theft.

Due to the backdoor functionality, your computer is compromised and can no longer be fully trusted. Many experts in the security community believe that once tainted with this type of infections, the best course of action would be a reformat and reinstall of the OS. I too strongly recommend you to format your computer.

Here are some extra information:
How to respond to possible ID theft and Internet fraud (http://www.dslreports.com/faq/10451)
When should I reformat? (http://www.dslreports.com/faq/10063)

If you need help with the reformat, please let me know.

From your link about reformatting:

If the backdoor merely opens a port to listen and the computer was behind a working firewall or NAT router, then the risk of the backdoor being used is greatly reduced. Therefore there is probably a much lower risk if re-formatting and re-installing is not done.

This machine is behind a NAT router (how can we find out if the malware merely opens a port to listen. Is there any way we could go about cleaning this PC without reformatting? Maybe try at least?

Reformat scenario: is there any way I could back up some of the data from the PC? Maybe, burn it to a DVD or something. How would I go about doing this without burning malware as well? I see your link also mentions backing up of documents...


Be sure to back-up all data before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete.

...so I guess it's ok to burn data from an infected commputer... or?

Thanks for the help!

Hello damnvirus :),


This machine is behind a NAT router (how can we find out if the malware merely opens a port to listen. Is there any way we could go about cleaning this PC without reformatting? Maybe try at least? Finding out will need some extensive research, the proper tools and the time to do it, of which most of us are lacking of. Your computer has multiple backdoor infections, it is a big risk take if you do not want to reformat. All of us in the security community will choose to reformat and reinstall when we come across such infections.

What if you forget in the future that your computer has been compromised before and you used it for financial transactions? What if another user used it for online banking or purchase something online? What if your computer is used in botnet attacks? Are you aware that malware writers can use your computer as a vector to spread their wares? In short, the risks far outweigh the convenience of not formatting.


Reformat scenario: is there any way I could back up some of the data from the PC? Maybe, burn it to a DVD or something. How would I go about doing this without burning malware as well? I see your link also mentions backing up of documents...

Quote:
Be sure to back-up all data before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete.
...so I guess it's ok to burn data from an infected commputer... or? Yes, it is OK to burn only data files. Executables files such as .exe, .pif, .com, .scr, or application and program files must be avoided.

When you are done with the reformat and reinstall, reset the router and apply a new admin password. If you need some safety tips or what security programs to install, please let me know.

Good luck!

Solid advice, thanks!

Hey, can you point me to a link on reformatting? I've done it before, but I want to be sure I'm doing everything right and wipe out all the malware from the machine.

Hello damnvirus :),

Here's some information to assist you in the reformatting:
Windows XP: Clean Install (http://web.mit.edu/ist/products/winxp/advanced/reinstall-format.html)
How to Format a Hard Drive With Windows XP (http://www.ehow.com/how_6026_format-hard-drive.html)

Some tips to help you stay clean and safe after the reformat:

1. Keep your Windows up to date. Enable Automatic Updates (http://www.bleepingcomputer.com/tutorials/tutorial35.html) to always update the latest security patches from Microsoft, or you can download from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malwares.

2. Use an alternative browser like Firefox (http://www.mozilla.com/en-US/) or Opera (http://www.opera.com/). These browsers are safer and better security-wise.

3. Install an Antivirus program, it is a must for protection against viruses and keep it updated regularly. Avast (http://www.avast.com/eng/download-avast-home.html) and Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914) are some great and free antivirus programs. If you already have one installed, make sure you update it always. Please keep only one AV installed.

5. Install Malwarebytes' Anti-Malware. It is a new and powerful anti-malware tool (http://www.malwarebytes.org/mbam.php), totally free but for real-time protection you will have to pay a small one-time fee.

6. Install WinPatrol, a great protection program (http://www.winpatrol.com/) that helps you monitor for unwanted files or applications.

7. Install SiteHound or Web of Trust (WOT). SiteHound (http://www.firetrust.com/en/products/sitehound) and WOT (http://www.mywot.com/) keeps you from dangerous websites with warnings and blockings.

8. Keep all your softwares updated. Visit Secunia Software Inspector (http://secunia.com/software_inspector/) to find out if any updates required.

9. Install a third party firewall if you do not have one for additional defense against internet dangers. Built-in Windows firewall can only keep nasties from breaking in, but unable to protect against any malwares from sending information out. Some recommended firewalls are Online Armor (http://www.tallemu.com/free-firewall-protection-software.html), Outpost (http://www.agnitum.com/products/outpostfree/index.php) and PC Tools (http://www.pctools.com/firewall/download/). More information on firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html). Please keep only one FW installed.

10. Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

11. Also look up So how did I get infected in the first place? By Tony Klein (http://malwareremoval.com/forum/viewtopic.php?f=11&t=4959).

When your computer is fully protected by an Antivirus, Antispyware or other real time protection softwares, format your USB drive too because there are signs of infection from there. You should disable the Autorun feature (http://support.microsoft.com/kb/967715) first before plugging in the USB drive. You may keep the settings permanently to minimize risk of infection through the USB drive.

Safe surfing.

Test to see page 2, please ignore.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.