HiddenIE
#1
HiddenIE
Helpers, please move to the end of this post. I feel this has all become irrelevant ATM. But for people to see how this evolved and to get solid info I have left all the info in. I have created a dotted blue fat line, far down in the post. From that point on the case is "actual" again. Sorry for the inconvenience, but as I got more and more into this again today, the log started to read somehow like a good book. Soooo... hope I got it right. Waiting for approval. Thanks!!

-----------------------------------
I have removed a lot of malware and rootkits over the course of the last 10 years. I hadn't come across a really nasty one until last night, when I was watching a movie. All of a sudden I would hear some idiotic cartoon farm music and sounds; I closed all processes via Process Explorer. Still sound, after a couple of minutes. In the end I decided to run GMER, as I often do, just to see if anything obvious was missed and I am infected with a nasty... This time it was a hit: 3 hidden iexplore.exe processes.

Since I tend to not think of myself as a total noob due to my history on this front, I tried all the old tricks I could think of. I ran scans (MBAM, SAS, ESET, GMER (crashes), RootRepeal (crashes/hangs), OTL (crashes/hangs), HijackThis (nothing useful)) and did some other stuff. I found some temp files that are hidden and in use. GMER can detect them, not destroy them. Whenever I try a full-blown attack, the system crashes. In the case of GMER the system just reboots. When I start digging too deep with Process Explorer, the system reboots. I have removed the drive from the system and hooked it up via a SATA-to-USB adapter kit. Then I scanned it using MBAM, SAS, ESET, MSSE (all with full bells on). No joy, still infected.

I am truly at a loss. I have some ideas of where to look/what to do, but this is taking so much time and the payoff isn't worth the effort almost. I could have reinstalled my system today. But I just cannot stand the fact that a piece of malware would win. So, after having put aside my pride, and followed the steps in your Cleaning Guide (here: http://www.geekstogo...cleaning-guide/), I have some logs to post. And will keep my thoughts to myself for now. And will humbly obey the commands given here.

I expected OTL to come up with the Extras log too, but it didn't. I did make a dump of some (possibly) malicious sys file and uploaded it to Jotti, but nothing was detected inside it.

Anyway, here it goes:

OTL Log:

OTL logfile created on: 29-7-2010 20:54:38 - Run 5
OTL by OldTimer - Version 3.2.9.1 Folder = D:\Admin moved items\Downloads
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000413 | Country: Netherlands | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 45,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 68,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102,54 Gb Total Space | 55,88 Gb Free Space | 54,50% Space Free | Partition Type: NTFS
Drive D: | 596,10 Gb Total Space | 61,13 Gb Free Space | 10,26% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 698,34 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive H: | 2,56 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
I: Drive not present or media not loaded
Drive Z: | 931,28 Gb Total Space | 331,14 Gb Free Space | 35,56% Space Free | Partition Type: FAT32

Computer Name: HEAVENLY-ONE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010-07-29 11:55:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Admin moved items\Downloads\OTL.exe
PRC - [2010-07-23 00:02:16 | 000,945,720 | ---- | M] (Google Inc.) -- C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2010-06-01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010-05-27 18:59:54 | 000,376,832 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010-05-27 18:59:30 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010-04-29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2010-03-25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2010-03-19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2008-10-29 08:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007-12-17 05:02:28 | 004,718,592 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (SafeList) ==========

MOD - [2010-07-29 11:55:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Admin moved items\Downloads\OTL.exe
MOD - [2010-04-12 17:32:42 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcr80.dll
MOD - [2010-04-12 17:32:42 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcp80.dll
MOD - [2010-01-16 14:26:21 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1\ATL80.dll
MOD - [2008-11-27 06:35:06 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\GdiPlus.dll
MOD - [2008-04-05 12:04:04 | 000,090,112 | ---- | M] (Andreas Verhoeven) -- C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll
MOD - [2008-04-04 11:44:58 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008-04-04 11:42:31 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
MOD - [2007-08-22 02:30:40 | 000,087,488 | ---- | M] (Stardock) -- C:\Program Files\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll


========== Win32 Services (SafeList) ==========

SRV - [2010-05-29 12:11:36 | 000,242,176 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\GNU\GnuPG\dirmngr.exe -- (DirMngr)
SRV - [2010-05-27 18:59:30 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010-03-25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2010-03-19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008-11-17 17:37:04 | 000,554,264 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008-09-09 14:49:52 | 000,906,504 | ---- | M] (Raxco Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV - [2008-09-09 14:49:50 | 000,693,512 | ---- | M] (Raxco Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2008-08-04 20:47:12 | 000,647,680 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008-07-10 15:44:18 | 000,411,136 | ---- | M] (CSR, plc) [Auto | Running] -- C:\Windows\System32\HFGService.dll -- (HFGService)
SRV - [2008-07-07 10:42:02 | 000,809,296 | ---- | M] (Safer Networking Ltd.) [Disabled | Stopped] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008-04-23 21:41:20 | 000,057,344 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2008-04-23 18:55:56 | 000,098,488 | ---- | M] (SiSoftware) [Disabled | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2008-04-04 11:41:48 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007-11-06 22:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [Disabled | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007-06-04 23:29:24 | 000,063,296 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\UltraVNC Addons\uvnc_service.exe -- (Uvnc_service)
SRV - [2007-03-20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2007-02-22 19:53:16 | 002,217,416 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe -- (AcronisOSSReinstallSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rootrepeal.sys -- (rootrepeal)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\hitmanpro3.sys -- (hitmanpro3)
DRV - [2010-06-22 12:37:09 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010-05-27 19:38:24 | 005,586,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2010-05-27 19:38:24 | 005,586,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010-05-27 18:25:18 | 000,209,920 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010-04-29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010-04-07 20:57:02 | 000,063,032 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2010-04-07 20:57:02 | 000,025,144 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2010-03-25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2010-03-25 21:30:22 | 000,042,368 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010-03-10 04:03:50 | 000,014,392 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
DRV - [2010-02-20 12:44:11 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010-02-20 12:44:11 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010-01-16 14:28:14 | 000,229,208 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\VMM.sys -- (vmm)
DRV - [2009-12-21 21:56:36 | 000,030,392 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\usbfilter.sys -- (usbfilter)
DRV - [2009-06-17 22:08:41 | 000,971,584 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tdrpm147.sys -- (tdrpman147) Acronis Try&Decide and Restore Points filter (build 147)
DRV - [2009-06-17 22:08:34 | 000,540,000 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009-06-17 22:08:34 | 000,044,704 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\Windows\System32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009-06-17 22:08:32 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\snman380.sys -- (snapman380) Acronis Snapshots Manager (Build 380)
DRV - [2009-02-24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009-01-03 02:12:29 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2008-11-02 10:44:10 | 000,056,572 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008-10-05 18:30:44 | 000,011,712 | ---- | M] (UVNC BVBA) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mv2.sys -- (mv2)
DRV - [2008-09-14 20:07:21 | 000,015,600 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2008-08-28 14:16:40 | 000,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DefragFS.sys -- (DefragFS)
DRV - [2008-07-10 15:44:12 | 000,030,208 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BthAudioHF.sys -- (BthAudioHF)
DRV - [2008-07-10 15:43:54 | 000,034,816 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bthav.sys -- (bthav)
DRV - [2008-07-10 15:43:32 | 000,015,872 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BthAvrcp.sys -- (BthAvrcp)
DRV - [2008-04-04 11:41:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008-04-04 11:41:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008-04-04 11:41:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008-04-04 11:41:24 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008-04-04 11:41:24 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008-04-04 11:41:24 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008-04-04 11:41:22 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008-04-04 11:41:21 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008-04-04 11:41:20 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008-04-04 11:41:18 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008-04-04 11:41:16 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008-04-04 11:41:16 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008-04-04 11:41:16 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008-04-04 11:41:15 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008-04-04 11:41:14 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008-04-04 11:41:14 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008-04-04 11:41:11 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008-04-04 11:41:08 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008-04-04 11:41:08 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008-04-04 11:41:06 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008-04-04 11:41:05 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008-04-04 11:39:31 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008-04-04 11:39:31 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008-04-04 11:39:31 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008-03-10 19:30:36 | 000,021,408 | ---- | M] (SiSoftware) [Kernel | Disabled | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\WNt500x86\sandra.sys -- (SANDRA)
DRV - [2008-02-01 17:24:04 | 000,041,456 | ---- | M] (Cyberlink Corp.) [Kernel | Disabled | Stopped] -- C:\Program Files\CyberLink\PowerDVD8\000.fcl -- ({FE4C91E7-22C2-4D0C-9F6B-82F1B7742054})
DRV - [2007-12-20 12:02:06 | 002,032,280 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007-11-06 22:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2007-08-14 16:49:42 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdTools.sys -- (AmdTools)
DRV - [2007-07-05 02:57:54 | 000,873,472 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athru6.sys -- (athrusb6)
DRV - [2007-06-29 14:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007-06-25 05:37:24 | 000,084,480 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007-05-22 22:46:48 | 000,013,384 | ---- | M] (RDV Soft) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vnccom.SYS -- (vnccom)
DRV - [2007-05-22 22:46:44 | 000,012,104 | ---- | M] (RDV Soft) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vncdrv.sys -- (vncdrv)
DRV - [2007-05-14 03:10:00 | 000,135,400 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService)
DRV - [2007-01-29 06:20:34 | 000,059,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2006-11-02 11:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006-11-02 11:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006-11-02 11:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006-11-02 11:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006-11-02 11:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006-11-02 11:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006-11-02 11:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006-11-02 11:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006-11-02 11:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006-11-02 11:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006-11-02 11:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006-11-02 10:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006-11-02 10:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006-11-02 10:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006-11-02 10:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006-11-02 10:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006-11-02 10:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006-11-02 09:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006-11-02 09:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2002-11-28 22:23:24 | 000,039,048 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\IcdUsb2.sys -- (ICDUSB2) Sony IC Recorder (P)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-07-28 21:47:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-07-28 21:47:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird

[2008-09-05 18:35:46 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
[2010-07-12 17:34:13 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0eqyg3zg.default\extensions
[2010-01-23 00:15:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0eqyg3zg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-07-12 17:34:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010-07-29 12:33:31 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Click-to-Call BHO) - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2010-07-29 13:11:09 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: Add to &Evernote - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)
O9 - Extra 'Tools' menuitem : Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O22 - SharedTaskScheduler: {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} - Ave's FolderBg - C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll (Andreas Verhoeven)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - Deskscapes - C:\Program Files\Stardock\Object Desktop\DeskScapes\deskscapes.dll (Stardock Corporation)
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - Stardock Vista ControlPanel Extension - C:\Program Files\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll (Stardock)
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - StardockDreamController - C:\Program Files\Stardock\Object Desktop\DeskScapes\DreamControl.dll (Stardock)
O24 - Desktop WallPaper: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006-09-18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.ac3filter - C:\Windows\System32\ac3filter.acm ()
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll ()
Drivers32: vidc.XVID - C:\Windows\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 90 Days ==========

[2010-07-29 20:40:44 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010-07-29 19:44:13 | 000,000,000 | ---D | C] -- C:\ubuntu
[2010-07-29 12:36:27 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010-07-29 12:33:37 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010-07-29 12:31:35 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\temp
[2010-07-29 12:20:11 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010-07-29 12:19:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010-07-29 09:48:02 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Identum
[2010-07-28 23:06:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010-07-28 23:06:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010-07-28 23:06:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010-07-28 23:05:54 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010-07-28 23:01:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010-07-28 22:44:38 | 000,703,352 | ---- | C] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\autoruns.exe
[2010-07-28 22:44:31 | 003,887,480 | ---- | C] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\procexp.exe
[2010-07-17 20:55:45 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010-07-17 20:54:59 | 000,000,000 | ---D | C] -- C:\Program Files\ATI
[2010-07-17 20:54:39 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2010-07-14 22:00:42 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2010-07-12 22:57:14 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\GNU
[2010-07-12 22:57:06 | 000,000,000 | ---D | C] -- C:\Users\Administrator\.kde
[2010-07-12 16:32:41 | 000,000,000 | ---D | C] -- C:\Users\Public\Desktop\Gpg4win Documentation
[2010-07-12 16:32:25 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\gnupg
[2010-07-12 16:32:25 | 000,000,000 | ---D | C] -- C:\ProgramData\GNU
[2010-07-11 19:06:47 | 000,000,000 | ---D | C] -- D:\Admin moved items\Desktop\sielogs
[2010-07-11 18:39:21 | 000,000,000 | ---D | C] -- C:\Users\Administrator\.splunk
[2010-07-10 00:50:28 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Database
[2010-07-09 23:49:45 | 000,000,000 | ---D | C] -- C:\Database
[2010-07-09 23:18:14 | 000,000,000 | ---D | C] -- C:\rsit
[2010-06-01 21:54:32 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Teleca
[2010-06-01 21:54:32 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\HTC
[2010-06-01 21:54:10 | 000,000,000 | ---D | C] -- C:\ProgramData\HTC
[2010-06-01 21:54:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Teleca Shared
[2010-06-01 21:54:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Teleca
[2010-06-01 21:53:23 | 000,000,000 | ---D | C] -- C:\Program Files\Spirent Communications
[2010-06-01 21:53:15 | 000,000,000 | ---D | C] -- C:\Program Files\HTC
[2010-06-01 15:25:03 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2010-06-01 15:24:59 | 000,000,000 | ---D | C] -- C:\Program Files\TweetDeck
[2010-06-01 15:24:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010-05-27 18:59:54 | 000,376,832 | ---- | C] (AMD) -- C:\Windows\System32\atieclxx.exe
[2010-05-27 18:59:30 | 000,176,128 | ---- | C] (AMD) -- C:\Windows\System32\atiesrxx.exe
[2010-05-27 18:58:32 | 000,159,744 | ---- | C] (AMD) -- C:\Windows\System32\atitmmxx.dll
[2010-05-27 18:58:18 | 000,356,352 | ---- | C] (ATI Technologies, Inc.) -- C:\Windows\System32\atipdlxx.dll
[2010-05-27 18:58:10 | 000,278,528 | ---- | C] (ATI Technologies, Inc.) -- C:\Windows\System32\Oemdspif.dll
[2010-05-27 18:58:04 | 000,011,776 | ---- | C] (AMD) -- C:\Windows\System32\atimuixx.dll
[2010-05-27 18:57:58 | 000,043,520 | ---- | C] (ATI Technologies, Inc.) -- C:\Windows\System32\ati2edxx.dll
[2010-05-05 22:40:34 | 000,000,000 | ---D | C] -- D:\Admin moved items\Documents\StarCraft II Beta
[2010-05-05 22:40:34 | 000,000,000 | ---D | C] -- C:\Program Files\StarCraft II Beta
[2010-05-05 22:40:34 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Blizzard Entertainment
[2010-05-05 22:40:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2010-05-05 22:40:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Blizzard Entertainment
[2010-05-05 22:39:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard
[2010-05-05 22:29:34 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Evernote
[2010-05-05 22:28:55 | 000,000,000 | ---D | C] -- C:\Program Files\Evernote
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010-07-29 20:55:14 | 000,000,438 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{C95C2CEC-619C-4061-9B83-0B6FA4C8A8D2}.job
[2010-07-29 20:52:50 | 008,650,752 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT
[2010-07-29 20:43:16 | 000,695,092 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010-07-29 20:43:16 | 000,600,026 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010-07-29 20:43:16 | 000,102,704 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010-07-29 20:41:07 | 000,000,879 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010-07-29 20:40:46 | 000,000,723 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\NTREGOPT.lnk
[2010-07-29 20:40:46 | 000,000,704 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010-07-29 20:39:41 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010-07-29 20:37:24 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010-07-29 20:37:24 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010-07-29 20:37:21 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010-07-29 20:37:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010-07-29 20:37:15 | 2144,854,016 | -HS- | M] () -- C:\hiberfil.sys
[2010-07-29 20:36:05 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010-07-29 20:36:04 | 000,524,288 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
[2010-07-29 20:36:04 | 000,065,536 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
[2010-07-29 20:16:59 | 268,750,592 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010-07-29 18:57:02 | 003,119,405 | -H-- | M] () -- C:\Users\Administrator\AppData\Local\IconCache.db
[2010-07-29 14:46:05 | 000,093,056 | ---- | M] () -- D:\Admin moved items\Desktop\dumped.sys
[2010-07-29 13:06:40 | 000,000,022 | ---- | M] () -- C:\Windows\S.dirmngr
[2010-07-29 12:33:40 | 000,000,259 | ---- | M] () -- C:\Windows\system.ini
[2010-07-29 12:33:31 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010-07-29 12:15:17 | 000,000,081 | ---- | M] () -- D:\Admin moved items\Desktop\Heavily infected.url
[2010-07-29 10:00:56 | 000,206,848 | ---- | M] () -- C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-07-28 23:27:41 | 000,000,067 | ---- | M] () -- D:\Admin moved items\Desktop\Sysinternals Forums.url
[2010-07-28 23:27:37 | 000,000,103 | ---- | M] () -- D:\Admin moved items\Desktop\Malware and Spyware Cleaning Guide - Geeks to Go!.url
[2010-07-28 23:00:51 | 000,001,356 | ---- | M] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat
[2010-07-27 18:37:31 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-27 05:45:28 | 000,002,100 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010-07-27 05:45:28 | 000,002,030 | ---- | M] () -- D:\Admin moved items\Desktop\Google Chrome.lnk
[2010-07-22 00:35:56 | 000,703,352 | ---- | M] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\autoruns.exe
[2010-07-12 16:32:41 | 000,001,782 | ---- | M] () -- C:\Users\Public\Desktop\Kleopatra.lnk
[2010-07-12 16:32:41 | 000,000,892 | ---- | M] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-11 18:40:25 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010-07-11 15:26:44 | 000,038,845 | ---- | M] () -- D:\Admin moved items\Documents\Babe.gif
[2010-06-30 03:00:37 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk
[2010-06-19 20:20:04 | 000,001,044 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1122999869-1285303633-2407138414-500Core1cb0fdca1a7940.job
[2010-06-11 03:53:20 | 001,667,960 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010-06-07 16:16:56 | 003,887,480 | ---- | M] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\procexp.exe
[2010-06-07 15:02:34 | 003,788,800 | ---- | M] () -- C:\Users\Administrator\DB_Ontwerp_23-05-2008_2010-06-07.mdb
[2010-06-01 15:25:00 | 000,000,728 | ---- | M] () -- C:\Users\Public\Desktop\TweetDeck.lnk
[2010-05-27 19:03:08 | 000,057,480 | ---- | M] () -- C:\Windows\System32\atiapfxx.blb
[2010-05-27 18:59:54 | 000,376,832 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
[2010-05-27 18:59:30 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
[2010-05-27 18:58:32 | 000,159,744 | ---- | M] (AMD) -- C:\Windows\System32\atitmmxx.dll
[2010-05-27 18:58:18 | 000,356,352 | ---- | M] (ATI Technologies, Inc.) -- C:\Windows\System32\atipdlxx.dll
[2010-05-27 18:58:10 | 000,278,528 | ---- | M] (ATI Technologies, Inc.) -- C:\Windows\System32\Oemdspif.dll
[2010-05-27 18:58:04 | 000,011,776 | ---- | M] (AMD) -- C:\Windows\System32\atimuixx.dll
[2010-05-27 18:57:58 | 000,043,520 | ---- | M] (ATI Technologies, Inc.) -- C:\Windows\System32\ati2edxx.dll
[2010-05-27 18:35:16 | 000,050,176 | ---- | M] (AMD) -- C:\Windows\System32\coinst.dll
[2010-05-27 18:31:14 | 000,534,960 | ---- | M] () -- C:\Windows\System32\atiumdva.cap
[2010-05-27 18:24:24 | 000,023,040 | ---- | M] () -- C:\Windows\System32\atitmpxx.dll
[2010-05-05 23:50:56 | 000,000,674 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\myMPQ.ini
[2010-05-05 22:45:33 | 000,000,667 | ---- | M] () -- D:\Admin moved items\Desktop\SC2ALLin1.lnk
[2010-05-05 22:43:39 | 000,000,901 | ---- | M] () -- C:\Users\Public\Desktop\StarCraft II Beta.lnk
[2010-05-04 20:35:38 | 000,021,360 | ---- | M] () -- C:\Windows\atiogl.xml
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-07-29 20:41:07 | 000,000,879 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010-07-29 20:40:46 | 000,000,723 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\NTREGOPT.lnk
[2010-07-29 20:40:46 | 000,000,704 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010-07-29 19:18:29 | 2144,854,016 | -HS- | C] () -- C:\hiberfil.sys
[2010-07-29 14:46:05 | 000,093,056 | ---- | C] () -- D:\Admin moved items\Desktop\dumped.sys
[2010-07-29 12:18:04 | 000,000,022 | ---- | C] () -- C:\Windows\S.dirmngr
[2010-07-29 12:15:17 | 000,000,081 | ---- | C] () -- D:\Admin moved items\Desktop\Heavily infected.url
[2010-07-28 23:27:41 | 000,000,067 | ---- | C] () -- D:\Admin moved items\Desktop\Sysinternals Forums.url
[2010-07-28 23:27:37 | 000,000,103 | ---- | C] () -- D:\Admin moved items\Desktop\Malware and Spyware Cleaning Guide - Geeks to Go!.url
[2010-07-28 23:06:03 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010-07-28 23:06:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010-07-28 23:06:03 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010-07-28 23:06:03 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010-07-28 23:06:03 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010-07-27 18:37:31 | 000,001,052 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-14 21:59:48 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2010-07-14 21:59:47 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2010-07-14 21:59:47 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2010-07-12 16:32:41 | 000,001,782 | ---- | C] () -- C:\Users\Public\Desktop\Kleopatra.lnk
[2010-07-12 16:32:41 | 000,000,892 | ---- | C] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-11 18:39:24 | 000,001,024 | ---- | C] () -- C:\.rnd
[2010-07-11 15:26:44 | 000,038,845 | ---- | C] () -- D:\Admin moved items\Documents\Babe.gif
[2010-06-19 20:20:04 | 000,001,044 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1122999869-1285303633-2407138414-500Core1cb0fdca1a7940.job
[2010-06-07 15:02:29 | 003,788,800 | ---- | C] () -- C:\Users\Administrator\DB_Ontwerp_23-05-2008_2010-06-07.mdb
[2010-06-01 15:25:00 | 000,000,728 | ---- | C] () -- C:\Users\Public\Desktop\TweetDeck.lnk
[2010-05-27 19:03:08 | 000,057,480 | ---- | C] () -- C:\Windows\System32\atiapfxx.blb
[2010-05-27 18:31:14 | 000,534,960 | ---- | C] () -- C:\Windows\System32\atiumdva.cap
[2010-05-27 18:24:24 | 000,023,040 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2010-05-05 22:51:19 | 000,000,674 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\myMPQ.ini
[2010-05-05 22:45:33 | 000,000,667 | ---- | C] () -- D:\Admin moved items\Desktop\SC2ALLin1.lnk
[2010-05-05 22:40:34 | 000,000,901 | ---- | C] () -- C:\Users\Public\Desktop\StarCraft II Beta.lnk
[2010-05-04 20:35:38 | 000,021,360 | ---- | C] () -- C:\Windows\atiogl.xml
[2009-12-27 21:55:33 | 000,122,880 | ---- | C] () -- C:\Windows\System32\trc.dll
[2009-12-27 21:55:14 | 000,118,784 | ---- | C] () -- C:\Windows\System32\mp3dec.dll
[2009-12-27 21:55:14 | 000,081,920 | ---- | C] () -- C:\Windows\System32\dsp_trc.dll
[2009-12-27 21:55:14 | 000,005,120 | ---- | C] () -- C:\Windows\System32\IcdSptSvps.dll
[2009-08-05 13:53:32 | 000,000,066 | ---- | C] () -- C:\Windows\Ahead DVD Copy.INI
[2009-01-25 23:10:48 | 000,179,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009-01-09 01:01:22 | 000,629,760 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008-11-11 21:48:37 | 000,008,192 | ---- | C] () -- C:\Windows\System32\gsimrxnp.dll
[2008-11-11 21:48:37 | 000,004,992 | ---- | C] () -- C:\Windows\System32\drivers\enport.sys
[2008-10-04 14:20:44 | 000,188,416 | ---- | C] () -- C:\Windows\System32\intelbth.dll
[2008-10-04 14:20:44 | 000,065,536 | ---- | C] () -- C:\Windows\System32\ICE_JNIRegistry.dll
[2008-08-15 22:02:32 | 000,003,972 | ---- | C] () -- C:\Windows\System32\drivers\PciBus.sys
[2008-08-06 22:18:13 | 001,777,664 | ---- | C] () -- C:\Windows\System32\zhp1600r.dll
[2008-08-06 22:18:13 | 000,749,568 | ---- | C] () -- C:\Windows\System32\agi1600.dll
[2008-08-04 18:24:43 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008-08-03 22:25:26 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2008-08-03 20:31:09 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2008-08-03 16:57:53 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008-08-03 16:57:53 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2008-08-03 14:43:17 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys
[2008-04-04 11:47:31 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2007-11-06 22:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2006-11-02 14:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006-11-02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2002-10-16 00:54:04 | 000,153,088 | ---- | C] () -- C:\Windows\System32\unrar.dll

========== LOP Check ==========

[2008-08-05 08:21:14 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\.SwarmPlayer
[2008-08-05 08:17:55 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\.Tribler
[2009-06-18 22:35:51 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Acronis
[2010-05-10 20:16:25 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\AIMP
[2008-08-03 12:31:04 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\App Launcher Gadget
[2009-10-24 01:06:01 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Artisteer
[2009-01-09 23:58:47 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Blackberry Desktop
[2010-01-20 15:25:13 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\CoreFTP
[2009-01-03 02:12:18 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\DAEMON Tools Lite
[2010-01-11 18:36:41 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Dropbox
[2008-08-03 19:04:50 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\ESET
[2010-06-02 10:43:44 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\FileZilla
[2010-07-28 22:21:03 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\gnupg
[2010-01-16 13:00:09 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\GoodSync
[2010-07-29 09:48:02 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Identum
[2008-12-24 22:38:15 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\InfraRecorder
[2009-03-22 20:38:24 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\JAM Software
[2008-08-04 18:43:47 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Jane s Realty hitzwarez net
[2008-08-03 15:53:32 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\MiniDm
[2010-01-20 15:59:16 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Notepad++
[2008-08-08 21:08:17 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Opera
[2008-10-27 00:39:57 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\PCToolsFirewallPlus
[2008-12-23 21:25:01 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\PeerNetworking
[2009-10-15 23:44:49 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\PlayrixGamemanager
[2009-01-04 16:38:47 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Research In Motion
[2008-08-12 22:34:53 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Roaming
[2008-08-04 09:43:54 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\streamripper
[2008-11-11 21:44:44 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Systenance
[2009-05-15 08:22:42 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\TAC
[2009-11-27 13:46:38 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\TeamViewer
[2010-06-11 03:56:36 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Teleca
[2010-02-24 14:40:53 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\TeraCopy
[2008-10-28 12:20:32 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Thunderbird
[2010-06-01 15:25:03 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2010-07-21 09:52:41 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\uTorrent
[2010-03-10 16:18:49 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\VSO
[2010-07-29 20:36:05 | 000,032,570 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010-07-29 20:55:14 | 000,000,438 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{C95C2CEC-619C-4061-9B83-0B6FA4C8A8D2}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010-07-11 18:40:25 | 000,001,024 | ---- | M] () -- C:\.rnd
[2006-09-18 23:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2008-04-04 11:45:14 | 000,333,203 | RHS- | M] () -- C:\bootmgr
[2008-08-03 21:00:59 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2006-09-18 23:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2008-04-07 17:41:44 | 000,820,767 | -H-- | M] () -- C:\folderbg.jpg
[2006-11-02 22:00:00 | 000,171,136 | RHS- | M] () -- C:\grldr
[2009-04-26 13:43:31 | 000,000,116 | ---- | M] () -- C:\hashes.txt
[2010-07-29 20:37:15 | 2144,854,016 | -HS- | M] () -- C:\hiberfil.sys
[2008-08-23 00:04:58 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008-08-23 00:04:58 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010-07-29 20:37:14 | 2458,656,768 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006-11-02 14:35:26 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006-11-02 14:35:26 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006-11-02 14:35:26 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006-11-02 14:35:26 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006-09-18 23:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006-11-02 14:34:09 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2006-10-27 04:58:12 | 000,030,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\mdippr.dll
[2006-10-27 04:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll
[2007-06-27 09:00:00 | 000,057,344 | ---- | M] (Zenographics, Inc.) -- C:\Windows\System32\spool\prtprocs\w32x86\zIMFPRNT.DLL

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2008-08-03 21:25:27 | 000,203,264 | ---- | M] () -- C:\Windows\Cubes.scr
[2009-07-10 13:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008-08-03 20:08:43 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini
[2009-01-11 13:56:34 | 000,000,020 | ---- | M] () -- C:\Program Files\FullScreensavers.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009-03-08 13:22:37 | 000,156,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\msls31.dll
[2008-04-04 11:43:43 | 000,286,720 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rasapi32.dll
[2008-04-04 11:43:44 | 000,071,168 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rasman.dll
[2008-04-04 11:45:13 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2006-11-02 11:46:12 | 000,036,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rtutils.dll
[2006-11-02 11:46:12 | 000,008,704 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SensApi.dll
[2008-04-04 11:45:00 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[2008-04-04 11:43:54 | 000,376,832 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\sxs.dll
[2006-11-02 11:46:13 | 000,191,488 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\tapi32.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-15 01:01:31

========== Alternate Data Streams ==========

@Alternate Data Stream - 85 bytes -> D:\Admin moved items\Desktop\320excalibur20silver [].jpg:VsoSummaryInformation
< End of report >




MBAM LOG:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4367

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18928

29-7-2010 20:49:38
mbam-log-2010-07-29 (20-49-38).txt

Scan type: Quick scan
Objects scanned: 161770
Time elapsed: 5 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER still crashes, as does OTL on a lot of parts (or they hang, just as RootRepeal does, or the system reboots; safe mode or normal mode does not seem to matter). I was able to use RootRepeal to check which processes are running/hidden and kill them, only for them to reappear. So a driver is the culprit. I checked Device Manager, showing hidden devices, and removed some old remnants of device drivers, but found nothing of interest.

My main concern is the fact that three of the better AV solutions are not able to detect anything, and the lesser of the group is also not able to detect anything, even when the drive is "out of service" due to it being a USB device.

The system I scanned the drive with, as an external drive, is a laptop running Windows 7 x64 Pro with 64-bit versions of ESET and SAS. I'm fairly sure that it is clean, but since GMER etc. won't run on 64-bit I cannot be 100% sure it isn't also infected, thus not showing results. However, I have no reason to believe that that system is infected. But... you never know.

I have been out of the scene for quite some time and am frustrated by this. Sorry for ranting.

Hope that you guys can help me out. I'll be waiting. Thanks in advance!

Edit: I had hoped that W7 might have skipped a lot of files due to permission settings when scanning via USB. So I am putting my trust in BitDefender ATM and am scanning using their latest Linux LiveCD, which downloaded today's updates. So far it does not recognize anything, except for some infected spam in my outlook.pst file, which is in my spam folder (never touched). So whatever the permission issue might have been, if any was applicable at all since no special rights etc. have been set, it seems that the LiveCD will be able to scan all folders for sure and also digs into archives if necessary. If an infection is found, I will report it here. But to be honest, my gut feeling is that it is an unknown for now. I will leave it infected so I can learn something from you guys. If that fails too... well, then I can always reinstall or disinfect using a rescue CD from any AV vendor. I mean... they've created those CDs for these nasties, right? So hoping for the best ATM. Feeling crippled though.

If I could only establish the location of the (driver) file and its name for today (if that has changed), then life would be so much easier. But both OTL and RootRepeal hang on driver scans; it seems to be protecting itself very well. Wish all AV products did that too :) However, I think that OTL displays part of the "registry" key or driver name in its "progress bar" when it freezes up (looks like a CLSID/GUID), which might be something to hold on to.

EDIT2: scanned the system with the LiveCD. No joy. I did remove some of the unremovable .tmp files in c:\windows\temp. These, as I recall, were referenced by a non-existent process in Process Explorer. Rebooted, and of course, they appeared again. Together with another file which was also there before: 100.dat. So some piece of #$%&^*( that is not picked up by scanners IS creating them again. 2 tmp files, 2 hidden iexplore.exe processes.

How do I determine which driver is responsible for this, if I cannot let OTL and/or GMER and/or RootRepeal scan the needed locations? (apparently)

Edit3: Kaspersky's TDSSKiller did not find anything strange, while I am looking at 2 hidden IE processes in GMER (and Sophos Anti-Rootkit)

Avenger's rootkit scan at boot time did not pick anything up.

However, Esagelab.com's Bootkitremover did tell me this:
--------------------------------------------------------------------------------
© 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows Vista Ultimate Edition Service Pack 1 (build 6001)
, 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
Boot sector MD5 is: 8e72306fe5c2be48dabf4a377bbda979

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
---------------------------------------------------------------------
(I haven't read the documentation yet and am not versed enough in analyzing master boot records. Would like to learn though... ATM just scanning and trying to figure stuff out.

I am running Wubi (Ubuntu "for Windows"), so that might cause something like this?)


AND
While OTL just seems to "hang" on a certain registry key while scanning "drivers" and GMER crashes the system during a full scan (tickboxes set as ordered), eSageLab's version 1.7.5.1 of its TDSSRemover DOES crash the system too (the screen shows a short "out of sync" interlaced and blocky/blocked corruption and then reboots). Before it crashes, however, it does show some scan results, which I will try to take a photo of and post here so the keys concerned will be known.

Edit4:
The photos failed. But I was able to use catchme.exe to scan and chink the armor a bit, I think. I was able to use catchme.exe to stop and delete iexplore.exe so the malware/rootkit could not start it up anymore as a hidden process and do God knows what in the background. I had hoped that I could delete some .tmp files in Windows\temp but am too tired, have not tried it.

The keys which are locked and show up in catchme:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158305b34e]
"0015a8996ce9"=hex:0c,82,8e,e9,2f,63,d2,05,78,12,f3,b4,4b,16,b3,d7
"000d18a0084f"=hex:fd,18,70,9a,fa,3e,ea,e7,4e,16,43,ad,6d,28,4f,98
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158305b34e]
"0015a8996ce9"=hex:0c,82,8e,e9,2f,63,d2,05,78,12,f3,b4,4b,16,b3,d7
"000d18a0084f"=hex:fd,18,70,9a,fa,3e,ea,e7,4e,16,43,ad,6d,28,4f,98

However, I do not know how to remove those from the registry. I CAN get there by using GMER and it shows them in red, as in locked. I'm guessing OldTimer will have a scripting tool for that. GMER does seem to work better now; I can click and take a look at all tabs, although it still makes the system reboot when trying a full scan. The same goes for eSageLab's TDSSRemover, but this one is able to scan fully now. Only when I tell it to delete the key (strangely, it only shows one instead of the two that catchme.exe shows) the tool crashes. Not the system.

I guess tomorrow morning I can try to run OTL again and see how that does.

(Sorry for jumping ahead, but I like this stuff and at the same time am highly irritated due to the fact that I am not getting work done and am in deep sh*t because of taxes that need to be done, so I am stressed and losing sleep over this.) As soon as a helper pops up I will follow his/her orders, of course. In the meantime I hope to provide plenty of info while trying to solve it. Maybe, if it truly is a new beasty, it can help others gain some insights into it.

Good night!!

Small edit: I had to try and run OTL before going to sleep. Needed to know if I had made progress. And guess what? Now OTL will run without quitting "strangely", and the log does seem to be mostly the same as before. The Extras log still does not appear though. Latest log below:
Will let MBAM run again now, who knows...


OTL logfile created on: 31-7-2010 0:43:20 - Run 6
OTL by OldTimer - Version 3.2.9.1 Folder = D:\Admin moved items\Downloads
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000413 | Country: Netherlands | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 56,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 74,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102,54 Gb Total Space | 39,13 Gb Free Space | 38,16% Space Free | Partition Type: NTFS
Drive D: | 596,10 Gb Total Space | 60,77 Gb Free Space | 10,20% Space Free | Partition Type: NTFS
Drive E: | 315,50 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
Drive G: | 698,34 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive H: | 2,56 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
I: Drive not present or media not loaded
Drive Z: | 931,28 Gb Total Space | 330,80 Gb Free Space | 35,52% Space Free | Partition Type: FAT32

Computer Name: HEAVENLY-ONE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-07-31 00:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Admin moved items\Downloads\OTL (1).exe
PRC - [2010-07-23 00:02:16 | 000,945,720 | ---- | M] (Google Inc.) -- C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2010-06-01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010-05-27 18:59:54 | 000,376,832 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010-05-27 18:59:30 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010-03-25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2010-03-19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2008-10-29 08:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007-12-17 05:02:28 | 004,718,592 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (SafeList) ==========

MOD - [2010-07-31 00:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Admin moved items\Downloads\OTL (1).exe
MOD - [2010-04-12 17:32:42 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcr80.dll
MOD - [2010-04-12 17:32:42 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcp80.dll
MOD - [2010-01-16 14:26:21 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1\ATL80.dll
MOD - [2008-11-27 06:35:06 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\GdiPlus.dll
MOD - [2008-04-05 12:04:04 | 000,090,112 | ---- | M] (Andreas Verhoeven) -- C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll
MOD - [2008-04-04 11:44:58 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008-04-04 11:42:31 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
MOD - [2007-08-22 02:30:40 | 000,087,488 | ---- | M] (Stardock) -- C:\Program Files\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\NVNJ.exe -- (NVNJ)
SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\FFAIVHOLLCTFAG.exe -- (FFAIVHOLLCTFAG)
SRV - [2010-05-29 12:11:36 | 000,242,176 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\GNU\GnuPG\dirmngr.exe -- (DirMngr)
SRV - [2010-05-27 18:59:30 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010-03-25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2010-03-19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008-11-17 17:37:04 | 000,554,264 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008-09-09 14:49:52 | 000,906,504 | ---- | M] (Raxco Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV - [2008-09-09 14:49:50 | 000,693,512 | ---- | M] (Raxco Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2008-08-04 20:47:12 | 000,647,680 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008-07-10 15:44:18 | 000,411,136 | ---- | M] (CSR, plc) [Auto | Running] -- C:\Windows\System32\HFGService.dll -- (HFGService)
SRV - [2008-07-07 10:42:02 | 000,809,296 | ---- | M] (Safer Networking Ltd.) [Disabled | Stopped] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008-04-23 21:41:20 | 000,057,344 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2008-04-23 18:55:56 | 000,098,488 | ---- | M] (SiSoftware) [Disabled | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2008-04-04 11:41:48 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007-11-06 22:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [Disabled | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007-06-04 23:29:24 | 000,063,296 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\UltraVNC Addons\uvnc_service.exe -- (Uvnc_service)
SRV - [2007-03-20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2007-02-22 19:53:16 | 002,217,416 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe -- (AcronisOSSReinstallSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rootrepeal.sys -- (rootrepeal)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\A5CF.tmp -- (MEMSWEEP2)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\hitmanpro3.sys -- (hitmanpro3)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rk_remover.sys -- (rk_remover-boot)
DRV - [2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\klmd.sys -- (klmd24)
DRV - [2010-06-22 12:37:09 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010-05-27 19:38:24 | 005,586,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2010-05-27 19:38:24 | 005,586,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010-05-27 18:25:18 | 000,209,920 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010-04-07 20:57:02 | 000,063,032 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2010-04-07 20:57:02 | 000,025,144 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2010-03-25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2010-03-25 21:30:22 | 000,042,368 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010-03-10 04:03:50 | 000,014,392 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
DRV - [2010-02-20 12:44:11 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010-02-20 12:44:11 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010-01-16 14:28:14 | 000,229,208 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\VMM.sys -- (vmm)
DRV - [2009-12-21 21:56:36 | 000,030,392 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\usbfilter.sys -- (usbfilter)
DRV - [2009-06-17 22:08:41 | 000,971,584 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tdrpm147.sys -- (tdrpman147) Acronis Try&Decide and Restore Points filter (build 147)
DRV - [2009-06-17 22:08:34 | 000,540,000 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009-06-17 22:08:34 | 000,044,704 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\Windows\System32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009-06-17 22:08:32 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\snman380.sys -- (snapman380) Acronis Snapshots Manager (Build 380)
DRV - [2009-02-24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009-01-03 02:12:29 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2008-11-02 10:44:10 | 000,056,572 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008-10-05 18:30:44 | 000,011,712 | ---- | M] (UVNC BVBA) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mv2.sys -- (mv2)
DRV - [2008-09-14 20:07:21 | 000,015,600 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2008-08-28 14:16:40 | 000,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DefragFS.sys -- (DefragFS)
DRV - [2008-07-10 15:44:12 | 000,030,208 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BthAudioHF.sys -- (BthAudioHF)
DRV - [2008-07-10 15:43:54 | 000,034,816 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bthav.sys -- (bthav)
DRV - [2008-07-10 15:43:32 | 000,015,872 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BthAvrcp.sys -- (BthAvrcp)
DRV - [2008-04-04 11:41:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008-04-04 11:41:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008-04-04 11:41:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008-04-04 11:41:24 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008-04-04 11:41:24 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008-04-04 11:41:24 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008-04-04 11:41:22 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008-04-04 11:41:21 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008-04-04 11:41:20 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008-04-04 11:41:18 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008-04-04 11:41:16 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008-04-04 11:41:16 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008-04-04 11:41:16 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008-04-04 11:41:15 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008-04-04 11:41:14 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008-04-04 11:41:14 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008-04-04 11:41:11 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008-04-04 11:41:08 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008-04-04 11:41:08 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008-04-04 11:41:06 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008-04-04 11:41:05 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008-04-04 11:39:31 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008-04-04 11:39:31 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008-04-04 11:39:31 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008-03-10 19:30:36 | 000,021,408 | ---- | M] (SiSoftware) [Kernel | Disabled | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\WNt500x86\sandra.sys -- (SANDRA)
DRV - [2008-02-01 17:24:04 | 000,041,456 | ---- | M] (Cyberlink Corp.) [Kernel | Disabled | Stopped] -- C:\Program Files\CyberLink\PowerDVD8\000.fcl -- ({FE4C91E7-22C2-4D0C-9F6B-82F1B7742054})
DRV - [2007-12-20 12:02:06 | 002,032,280 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007-11-06 22:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2007-08-14 16:49:42 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdTools.sys -- (AmdTools)
DRV - [2007-07-05 02:57:54 | 000,873,472 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athru6.sys -- (athrusb6)
DRV - [2007-06-29 14:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007-06-25 05:37:24 | 000,084,480 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007-05-22 22:46:48 | 000,013,384 | ---- | M] (RDV Soft) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vnccom.SYS -- (vnccom)
DRV - [2007-05-22 22:46:44 | 000,012,104 | ---- | M] (RDV Soft) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vncdrv.sys -- (vncdrv)
DRV - [2007-05-14 03:10:00 | 000,135,400 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService)
DRV - [2007-01-29 06:20:34 | 000,059,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2006-11-02 11:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006-11-02 11:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006-11-02 11:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006-11-02 11:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006-11-02 11:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006-11-02 11:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006-11-02 11:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006-11-02 11:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006-11-02 11:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006-11-02 11:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006-11-02 11:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006-11-02 10:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006-11-02 10:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006-11-02 10:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006-11-02 10:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006-11-02 10:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006-11-02 10:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006-11-02 09:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006-11-02 09:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2002-11-28 22:23:24 | 000,039,048 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\IcdUsb2.sys -- (ICDUSB2) Sony IC Recorder (P)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-07-28 21:47:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-07-28 21:47:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird

[2008-09-05 18:35:46 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
[2010-07-12 17:34:13 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0eqyg3zg.default\extensions
[2010-01-23 00:15:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0eqyg3zg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-07-12 17:34:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010-07-29 12:33:31 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Click-to-Call BHO) - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2010-07-29 13:11:09 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: Add to &Evernote - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)
O9 - Extra 'Tools' menuitem : Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O22 - SharedTaskScheduler: {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} - Ave's FolderBg - C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll (Andreas Verhoeven)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - Deskscapes - C:\Program Files\Stardock\Object Desktop\DeskScapes\deskscapes.dll (Stardock Corporation)
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - Stardock Vista ControlPanel Extension - C:\Program Files\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll (Stardock)
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - StardockDreamController - C:\Program Files\Stardock\Object Desktop\DeskScapes\DreamControl.dll (Stardock)
O24 - Desktop WallPaper: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006-09-18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.ac3filter - C:\Windows\System32\ac3filter.acm ()
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll ()
Drivers32: vidc.XVID - C:\Windows\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2010-07-30 21:53:10 | 000,052,736 | ---- | C] (eSage Lab) -- C:\Windows\System32\drivers\rk_remover.sys
[2010-07-30 21:35:10 | 000,000,000 | ---D | C] -- C:\Avenger
[2010-07-30 20:26:50 | 000,069,456 | ---- | C] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmd.sys
[2010-07-30 19:53:42 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010-07-30 16:11:19 | 000,000,000 | ---D | C] -- C:\useradministrator
[2010-07-30 11:54:26 | 000,000,000 | ---D | C] -- C:\bd_logs
[2010-07-30 10:32:53 | 000,000,000 | ---D | C] -- C:\ubuntu
[2010-07-29 20:40:44 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010-07-29 12:36:27 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010-07-29 12:33:37 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010-07-29 12:31:35 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\temp
[2010-07-29 12:20:11 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010-07-29 12:19:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010-07-29 09:48:02 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Identum
[2010-07-28 23:06:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010-07-28 23:06:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010-07-28 23:06:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010-07-28 23:05:54 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010-07-28 23:01:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010-07-28 22:44:38 | 000,703,352 | ---- | C] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\autoruns.exe
[2010-07-28 22:44:31 | 003,887,480 | ---- | C] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\procexp.exe
[2010-07-17 21:09:00 | 000,030,392 | ---- | C] (Advanced Micro Devices) -- C:\Windows\System32\drivers\usbfilter.sys
[2010-07-17 20:55:45 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010-07-17 20:54:59 | 000,000,000 | ---D | C] -- C:\Program Files\ATI
[2010-07-17 20:54:39 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2010-07-14 22:00:42 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2010-07-14 22:00:03 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrsmgr.dll
[2010-07-14 21:59:55 | 000,040,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrs.exe
[2010-07-14 21:59:55 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrshost.exe
[2010-07-14 21:59:55 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmprovhost.exe
[2010-07-14 21:59:54 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmplpxy.dll
[2010-07-14 21:59:54 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrssrv.dll
[2010-07-14 21:59:52 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wevtfwd.dll
[2010-07-14 21:59:52 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecutil.exe
[2010-07-14 21:59:52 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecapi.dll
[2010-07-14 21:59:52 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmRes.dll
[2010-07-14 21:59:52 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pwrshplugin.dll
[2010-07-14 21:59:46 | 000,252,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManMigrationPlugin.dll
[2010-07-14 21:59:46 | 000,246,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManHTTPConfig.exe
[2010-07-14 21:59:46 | 000,241,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrscmd.dll
[2010-07-14 21:59:46 | 000,214,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmWmiPl.dll
[2010-07-14 21:59:46 | 000,145,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmAuto.dll
[2010-07-12 22:57:06 | 000,000,000 | ---D | C] -- C:\Users\Administrator\.kde
[2010-07-12 16:32:41 | 000,000,000 | ---D | C] -- C:\Users\Public\Desktop\Gpg4win Documentation
[2010-07-12 16:32:25 | 000,000,000 | ---D | C] -- C:\ProgramData\GNU
[2010-07-11 19:06:47 | 000,000,000 | ---D | C] -- D:\Admin moved items\Desktop\sielogs
[2010-07-11 18:39:21 | 000,000,000 | ---D | C] -- C:\Users\Administrator\.splunk
[2010-07-10 00:50:28 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Database
[2010-07-09 23:49:45 | 000,000,000 | ---D | C] -- C:\Database
[2010-07-09 23:18:14 | 000,000,000 | ---D | C] -- C:\rsit
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010-07-31 00:44:59 | 000,000,438 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{C95C2CEC-619C-4061-9B83-0B6FA4C8A8D2}.job
[2010-07-31 00:42:46 | 008,650,752 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT
[2010-07-30 23:57:10 | 000,695,092 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010-07-30 23:57:10 | 000,600,026 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010-07-30 23:57:10 | 000,102,704 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010-07-30 23:54:52 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010-07-30 23:52:20 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010-07-30 23:52:19 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010-07-30 23:52:17 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010-07-30 23:52:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010-07-30 23:52:09 | 2144,854,016 | -HS- | M] () -- C:\hiberfil.sys
[2010-07-30 23:52:05 | 258,129,664 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) -- C:\Windows\System32\drivers\rk_remover.sys
[2010-07-30 23:37:11 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010-07-30 23:37:05 | 000,524,288 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
[2010-07-30 23:37:05 | 000,065,536 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
[2010-07-30 23:36:59 | 003,126,157 | -H-- | M] () -- C:\Users\Administrator\AppData\Local\IconCache.db
[2010-07-30 22:50:28 | 000,433,515 | ---- | M] () -- D:\Admin moved items\Desktop\catchme.zip
[2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmd.sys
[2010-07-30 14:23:28 | 001,667,960 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010-07-30 11:49:45 | 000,000,074 | ---- | M] () -- D:\Admin moved items\Desktop\[ubuntu] gdm problem- username, password dialog box missing - Ubuntu Forums.url
[2010-07-30 10:39:52 | 000,088,813 | ---- | M] () -- C:\wubildr
[2010-07-30 10:39:52 | 000,008,192 | ---- | M] () -- C:\wubildr.mbr
[2010-07-30 10:32:23 | 000,000,010 | RHS- | M] () -- C:\config.sys
[2010-07-30 01:35:50 | 000,000,000 | ---- | M] () -- C:\Windows\System32\UPW
[2010-07-29 23:46:39 | 000,206,848 | ---- | M] () -- C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-07-29 20:41:07 | 000,000,879 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010-07-29 20:40:46 | 000,000,723 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\NTREGOPT.lnk
[2010-07-29 20:40:46 | 000,000,704 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010-07-29 14:46:05 | 000,093,056 | ---- | M] () -- D:\Admin moved items\Desktop\dumped.sys
[2010-07-29 13:06:40 | 000,000,022 | ---- | M] () -- C:\Windows\S.dirmngr
[2010-07-29 12:33:40 | 000,000,259 | ---- | M] () -- C:\Windows\system.ini
[2010-07-29 12:33:31 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010-07-29 12:15:17 | 000,000,081 | ---- | M] () -- D:\Admin moved items\Desktop\Heavily infected.url
[2010-07-28 23:27:41 | 000,000,067 | ---- | M] () -- D:\Admin moved items\Desktop\Sysinternals Forums.url
[2010-07-28 23:27:37 | 000,000,103 | ---- | M] () -- D:\Admin moved items\Desktop\Malware and Spyware Cleaning Guide - Geeks to Go!.url
[2010-07-28 23:00:51 | 000,001,356 | ---- | M] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat
[2010-07-27 18:37:31 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-27 05:45:28 | 000,002,100 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010-07-27 05:45:28 | 000,002,030 | ---- | M] () -- D:\Admin moved items\Desktop\Google Chrome.lnk
[2010-07-22 00:35:56 | 000,703,352 | ---- | M] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\autoruns.exe
[2010-07-12 16:32:41 | 000,001,782 | ---- | M] () -- C:\Users\Public\Desktop\Kleopatra.lnk
[2010-07-12 16:32:41 | 000,000,892 | ---- | M] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-11 18:40:25 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010-07-11 15:26:44 | 000,038,845 | ---- | M] () -- D:\Admin moved items\Documents\Babe.gif
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-07-30 22:50:28 | 000,433,515 | ---- | C] () -- D:\Admin moved items\Desktop\catchme.zip
[2010-07-30 21:31:56 | 2144,854,016 | -HS- | C] () -- C:\hiberfil.sys
[2010-07-30 11:49:45 | 000,000,074 | ---- | C] () -- D:\Admin moved items\Desktop\[ubuntu] gdm problem- username, password dialog box missing - Ubuntu Forums.url
[2010-07-30 10:39:52 | 000,088,813 | ---- | C] () -- C:\wubildr
[2010-07-30 10:39:52 | 000,008,192 | ---- | C] () -- C:\wubildr.mbr
[2010-07-30 01:35:50 | 000,000,000 | ---- | C] () -- C:\Windows\System32\UPW
[2010-07-29 20:41:07 | 000,000,879 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010-07-29 20:40:46 | 000,000,723 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\NTREGOPT.lnk
[2010-07-29 20:40:46 | 000,000,704 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010-07-29 14:46:05 | 000,093,056 | ---- | C] () -- D:\Admin moved items\Desktop\dumped.sys
[2010-07-29 12:18:04 | 000,000,022 | ---- | C] () -- C:\Windows\S.dirmngr
[2010-07-29 12:15:17 | 000,000,081 | ---- | C] () -- D:\Admin moved items\Desktop\Heavily infected.url
[2010-07-28 23:27:41 | 000,000,067 | ---- | C] () -- D:\Admin moved items\Desktop\Sysinternals Forums.url
[2010-07-28 23:27:37 | 000,000,103 | ---- | C] () -- D:\Admin moved items\Desktop\Malware and Spyware Cleaning Guide - Geeks to Go!.url
[2010-07-28 23:06:03 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010-07-28 23:06:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010-07-28 23:06:03 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010-07-28 23:06:03 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010-07-28 23:06:03 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010-07-27 18:37:31 | 000,001,052 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-14 21:59:48 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2010-07-14 21:59:47 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2010-07-14 21:59:47 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2010-07-12 16:32:41 | 000,001,782 | ---- | C] () -- C:\Users\Public\Desktop\Kleopatra.lnk
[2010-07-12 16:32:41 | 000,000,892 | ---- | C] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-11 18:39:24 | 000,001,024 | ---- | C] () -- C:\.rnd
[2010-07-11 15:26:44 | 000,038,845 | ---- | C] () -- D:\Admin moved items\Documents\Babe.gif
[2010-05-27 18:24:24 | 000,023,040 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2009-12-27 21:55:33 | 000,122,880 | ---- | C] () -- C:\Windows\System32\trc.dll
[2009-12-27 21:55:14 | 000,118,784 | ---- | C] () -- C:\Windows\System32\mp3dec.dll
[2009-12-27 21:55:14 | 000,081,920 | ---- | C] () -- C:\Windows\System32\dsp_trc.dll
[2009-12-27 21:55:14 | 000,005,120 | ---- | C] () -- C:\Windows\System32\IcdSptSvps.dll
[2009-08-05 13:53:32 | 000,000,066 | ---- | C] () -- C:\Windows\Ahead DVD Copy.INI
[2009-01-25 23:10:48 | 000,179,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009-01-09 01:01:22 | 000,629,760 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008-11-11 21:48:37 | 000,008,192 | ---- | C] () -- C:\Windows\System32\gsimrxnp.dll
[2008-11-11 21:48:37 | 000,004,992 | ---- | C] () -- C:\Windows\System32\drivers\enport.sys
[2008-10-04 14:20:44 | 000,188,416 | ---- | C] () -- C:\Windows\System32\intelbth.dll
[2008-10-04 14:20:44 | 000,065,536 | ---- | C] () -- C:\Windows\System32\ICE_JNIRegistry.dll
[2008-08-15 22:02:32 | 000,003,972 | ---- | C] () -- C:\Windows\System32\drivers\PciBus.sys
[2008-08-06 22:18:13 | 001,777,664 | ---- | C] () -- C:\Windows\System32\zhp1600r.dll
[2008-08-06 22:18:13 | 000,749,568 | ---- | C] () -- C:\Windows\System32\agi1600.dll
[2008-08-04 18:24:43 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008-08-03 22:25:26 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2008-08-03 20:31:09 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2008-08-03 16:57:53 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008-08-03 16:57:53 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2008-08-03 14:43:17 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys
[2008-04-04 11:47:31 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2007-11-06 22:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2006-11-02 14:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006-11-02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2002-10-16 00:54:04 | 000,153,088 | ---- | C] () -- C:\Windows\System32\unrar.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010-07-11 18:40:25 | 000,001,024 | ---- | M] () -- C:\.rnd
[2006-09-18 23:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2010-07-30 21:38:32 | 000,000,892 | ---- | M] () -- C:\avenger.txt
[2010-07-30 20:54:24 | 000,042,499 | ---- | M] () -- C:\bla.txt
[2008-04-04 11:45:14 | 000,333,203 | RHS- | M] () -- C:\bootmgr
[2008-08-03 21:00:59 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2010-07-30 10:32:23 | 000,000,010 | RHS- | M] () -- C:\config.sys
[2008-04-07 17:41:44 | 000,820,767 | -H-- | M] () -- C:\folderbg.jpg
[2006-11-02 22:00:00 | 000,171,136 | RHS- | M] () -- C:\grldr
[2009-04-26 13:43:31 | 000,000,116 | ---- | M] () -- C:\hashes.txt
[2010-07-30 23:52:09 | 2144,854,016 | -HS- | M] () -- C:\hiberfil.sys
[2008-08-23 00:04:58 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008-08-23 00:04:58 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010-07-30 20:37:41 | 000,884,298 | ---- | M] () -- C:\ntbtlog.txt
[2010-07-30 23:52:07 | 2458,656,768 | -HS- | M] () -- C:\pagefile.sys
[2010-07-30 01:22:45 | 000,000,016 | ---- | M] () -- C:\RootRepeal report 07-30-10 (01-22-45).txt
[2010-07-30 20:27:32 | 000,064,576 | ---- | M] () -- C:\TDSSKiller.2.4.0.0_30.07.2010_20.26.50_log.txt
[2010-07-30 10:39:52 | 000,088,813 | ---- | M] () -- C:\wubildr
[2010-07-30 10:39:52 | 000,008,192 | ---- | M] () -- C:\wubildr.mbr

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006-11-02 14:35:26 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006-11-02 14:35:26 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006-11-02 14:35:26 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006-11-02 14:35:26 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006-09-18 23:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006-11-02 14:34:09 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2006-10-27 04:58:12 | 000,030,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\mdippr.dll
[2006-10-27 04:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll
[2007-06-27 09:00:00 | 000,057,344 | ---- | M] (Zenographics, Inc.) -- C:\Windows\System32\spool\prtprocs\w32x86\zIMFPRNT.DLL

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2008-08-03 21:25:27 | 000,203,264 | ---- | M] () -- C:\Windows\Cubes.scr
[2009-07-10 13:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008-08-03 20:08:43 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini
[2009-01-11 13:56:34 | 000,000,020 | ---- | M] () -- C:\Program Files\FullScreensavers.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-15 01:01:31

========== Alternate Data Streams ==========

@Alternate Data Stream - 85 bytes -> D:\Admin moved items\Desktop\320excalibur20silver [].jpg:VsoSummaryInformation
< End of report >

Ah. With massive letters, on the front page: OTL tutorial. Yep.
Will try to make a script and post it for approval.
================================================================================================================================================================================

Scanned with MBAM, which says all is clean. I have the log on the other system and will post it over here, but it is no different from the earlier posted log. GMER full scan as directed (removing tick-boxes) crashes the system. OTL was possible by now; only the Extras file did not show.

OTL logfile created on: 31-7-2010 9:56:58 - Run 7
OTL by OldTimer - Version 3.2.9.1 Folder = D:\Admin moved items\Downloads
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000413 | Country: Netherlands | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 66,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 79,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102,54 Gb Total Space | 39,00 Gb Free Space | 38,04% Space Free | Partition Type: NTFS
Drive D: | 596,10 Gb Total Space | 60,77 Gb Free Space | 10,20% Space Free | Partition Type: NTFS
Drive E: | 315,50 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
Drive G: | 698,34 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive H: | 2,56 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
I: Drive not present or media not loaded
Drive Z: | 102,54 Gb Total Space | 39,00 Gb Free Space | 38,04% Space Free | Partition Type: CSC-CACHE

Computer Name: HEAVENLY-ONE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-07-31 00:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Admin moved items\Downloads\OTL (1).exe
PRC - [2010-06-01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010-05-27 18:59:54 | 000,376,832 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010-05-27 18:59:30 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010-03-25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2010-03-19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2008-10-29 08:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007-12-17 05:02:28 | 004,718,592 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (SafeList) ==========

MOD - [2010-07-31 00:42:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Admin moved items\Downloads\OTL (1).exe
MOD - [2010-04-12 17:32:42 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcr80.dll
MOD - [2010-04-12 17:32:42 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcp80.dll
MOD - [2010-01-16 14:26:21 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1\ATL80.dll
MOD - [2008-11-27 06:35:06 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\GdiPlus.dll
MOD - [2008-04-05 12:04:04 | 000,090,112 | ---- | M] (Andreas Verhoeven) -- C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll
MOD - [2008-04-04 11:44:58 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008-04-04 11:42:31 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
MOD - [2007-08-22 02:30:40 | 000,087,488 | ---- | M] (Stardock) -- C:\Program Files\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\NVNJ.exe -- (NVNJ)
SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\FFAIVHOLLCTFAG.exe -- (FFAIVHOLLCTFAG)
SRV - [2010-05-29 12:11:36 | 000,242,176 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\GNU\GnuPG\dirmngr.exe -- (DirMngr)
SRV - [2010-05-27 18:59:30 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010-03-25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2010-03-19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008-11-17 17:37:04 | 000,554,264 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2008-09-09 14:49:52 | 000,906,504 | ---- | M] (Raxco Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV - [2008-09-09 14:49:50 | 000,693,512 | ---- | M] (Raxco Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2008-08-04 20:47:12 | 000,647,680 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008-07-10 15:44:18 | 000,411,136 | ---- | M] (CSR, plc) [Auto | Running] -- C:\Windows\System32\HFGService.dll -- (HFGService)
SRV - [2008-07-07 10:42:02 | 000,809,296 | ---- | M] (Safer Networking Ltd.) [Disabled | Stopped] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008-04-23 21:41:20 | 000,057,344 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\AMD\OverDrive\AODAssist.exe -- (AODService)
SRV - [2008-04-23 18:55:56 | 000,098,488 | ---- | M] (SiSoftware) [Disabled | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2008-04-04 11:41:48 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007-11-06 22:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [Disabled | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007-06-04 23:29:24 | 000,063,296 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\UltraVNC Addons\uvnc_service.exe -- (Uvnc_service)
SRV - [2007-03-20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2007-02-22 19:53:16 | 002,217,416 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe -- (AcronisOSSReinstallSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rootrepeal.sys -- (rootrepeal)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\A5CF.tmp -- (MEMSWEEP2)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\hitmanpro3.sys -- (hitmanpro3)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rk_remover.sys -- (rk_remover-boot)
DRV - [2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\klmd.sys -- (klmd24)
DRV - [2010-06-22 12:37:09 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010-05-27 19:38:24 | 005,586,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2010-05-27 19:38:24 | 005,586,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010-05-27 18:25:18 | 000,209,920 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010-04-07 20:57:02 | 000,063,032 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2010-04-07 20:57:02 | 000,025,144 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2010-03-25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2010-03-25 21:30:22 | 000,042,368 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010-03-10 04:03:50 | 000,014,392 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
DRV - [2010-02-20 12:44:11 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010-02-20 12:44:11 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010-01-16 14:28:14 | 000,229,208 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\VMM.sys -- (vmm)
DRV - [2009-12-21 21:56:36 | 000,030,392 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\usbfilter.sys -- (usbfilter)
DRV - [2009-06-17 22:08:41 | 000,971,584 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tdrpm147.sys -- (tdrpman147) Acronis Try&Decide and Restore Points filter (build 147)
DRV - [2009-06-17 22:08:34 | 000,540,000 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009-06-17 22:08:34 | 000,044,704 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\Windows\System32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009-06-17 22:08:32 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\snman380.sys -- (snapman380) Acronis Snapshots Manager (Build 380)
DRV - [2009-02-24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009-01-03 02:12:29 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2008-11-02 10:44:10 | 000,056,572 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008-10-05 18:30:44 | 000,011,712 | ---- | M] (UVNC BVBA) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mv2.sys -- (mv2)
DRV - [2008-09-14 20:07:21 | 000,015,600 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2008-08-28 14:16:40 | 000,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DefragFS.sys -- (DefragFS)
DRV - [2008-07-10 15:44:12 | 000,030,208 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BthAudioHF.sys -- (BthAudioHF)
DRV - [2008-07-10 15:43:54 | 000,034,816 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bthav.sys -- (bthav)
DRV - [2008-07-10 15:43:32 | 000,015,872 | ---- | M] (CSR, plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BthAvrcp.sys -- (BthAvrcp)
DRV - [2008-04-04 11:41:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008-04-04 11:41:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008-04-04 11:41:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008-04-04 11:41:24 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008-04-04 11:41:24 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008-04-04 11:41:24 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008-04-04 11:41:22 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008-04-04 11:41:21 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008-04-04 11:41:20 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008-04-04 11:41:18 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008-04-04 11:41:16 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008-04-04 11:41:16 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008-04-04 11:41:16 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008-04-04 11:41:15 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008-04-04 11:41:14 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008-04-04 11:41:14 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008-04-04 11:41:11 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008-04-04 11:41:08 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008-04-04 11:41:08 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008-04-04 11:41:06 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008-04-04 11:41:05 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008-04-04 11:39:31 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008-04-04 11:39:31 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008-04-04 11:39:31 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008-03-10 19:30:36 | 000,021,408 | ---- | M] (SiSoftware) [Kernel | Disabled | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\WNt500x86\sandra.sys -- (SANDRA)
DRV - [2008-02-01 17:24:04 | 000,041,456 | ---- | M] (Cyberlink Corp.) [Kernel | Disabled | Stopped] -- C:\Program Files\CyberLink\PowerDVD8\000.fcl -- ({FE4C91E7-22C2-4D0C-9F6B-82F1B7742054})
DRV - [2007-12-20 12:02:06 | 002,032,280 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007-11-06 22:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2007-08-14 16:49:42 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdTools.sys -- (AmdTools)
DRV - [2007-07-05 02:57:54 | 000,873,472 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athru6.sys -- (athrusb6)
DRV - [2007-06-29 14:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007-06-25 05:37:24 | 000,084,480 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007-05-22 22:46:48 | 000,013,384 | ---- | M] (RDV Soft) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vnccom.SYS -- (vnccom)
DRV - [2007-05-22 22:46:44 | 000,012,104 | ---- | M] (RDV Soft) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vncdrv.sys -- (vncdrv)
DRV - [2007-05-14 03:10:00 | 000,135,400 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService)
DRV - [2007-01-29 06:20:34 | 000,059,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2006-11-02 11:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006-11-02 11:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006-11-02 11:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006-11-02 11:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006-11-02 11:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006-11-02 11:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006-11-02 11:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006-11-02 11:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006-11-02 11:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006-11-02 11:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006-11-02 11:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006-11-02 10:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006-11-02 10:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006-11-02 10:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006-11-02 10:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006-11-02 10:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006-11-02 10:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006-11-02 09:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006-11-02 09:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2002-11-28 22:23:24 | 000,039,048 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\IcdUsb2.sys -- (ICDUSB2) Sony IC Recorder (P)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-07-28 21:47:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-07-28 21:47:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird

[2008-09-05 18:35:46 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
[2010-07-12 17:34:13 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0eqyg3zg.default\extensions
[2010-01-23 00:15:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\0eqyg3zg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-07-12 17:34:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010-07-29 12:33:31 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Click-to-Call BHO) - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2010-07-29 13:11:09 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: Add to &Evernote - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)
O9 - Extra 'Tools' menuitem : Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll (Evernote Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O22 - SharedTaskScheduler: {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} - Ave's FolderBg - C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll (Andreas Verhoeven)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - Deskscapes - C:\Program Files\Stardock\Object Desktop\DeskScapes\deskscapes.dll (Stardock Corporation)
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - Stardock Vista ControlPanel Extension - C:\Program Files\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll (Stardock)
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - StardockDreamController - C:\Program Files\Stardock\Object Desktop\DeskScapes\DreamControl.dll (Stardock)
O24 - Desktop WallPaper: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006-09-18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010-07-30 21:53:10 | 000,052,736 | ---- | C] (eSage Lab) -- C:\Windows\System32\drivers\rk_remover.sys
[2010-07-30 21:35:10 | 000,000,000 | ---D | C] -- C:\Avenger
[2010-07-30 20:26:50 | 000,069,456 | ---- | C] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmd.sys
[2010-07-30 19:53:42 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010-07-30 16:11:19 | 000,000,000 | ---D | C] -- C:\useradministrator
[2010-07-30 11:54:26 | 000,000,000 | ---D | C] -- C:\bd_logs
[2010-07-30 10:32:53 | 000,000,000 | ---D | C] -- C:\ubuntu
[2010-07-29 20:40:44 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010-07-29 12:36:27 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010-07-29 12:33:37 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010-07-29 12:31:35 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\temp
[2010-07-29 12:20:11 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010-07-29 12:19:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010-07-29 09:48:02 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Identum
[2010-07-28 23:06:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010-07-28 23:06:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010-07-28 23:06:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010-07-28 23:05:54 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010-07-28 23:01:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010-07-28 22:44:38 | 000,703,352 | ---- | C] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\autoruns.exe
[2010-07-28 22:44:31 | 003,887,480 | ---- | C] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\procexp.exe
[2010-07-17 21:09:00 | 000,030,392 | ---- | C] (Advanced Micro Devices) -- C:\Windows\System32\drivers\usbfilter.sys
[2010-07-17 20:55:45 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010-07-17 20:54:59 | 000,000,000 | ---D | C] -- C:\Program Files\ATI
[2010-07-17 20:54:39 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2010-07-14 22:00:42 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2010-07-14 22:00:03 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrsmgr.dll
[2010-07-14 21:59:55 | 000,040,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrs.exe
[2010-07-14 21:59:55 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrshost.exe
[2010-07-14 21:59:55 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmprovhost.exe
[2010-07-14 21:59:54 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmplpxy.dll
[2010-07-14 21:59:54 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrssrv.dll
[2010-07-14 21:59:52 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wevtfwd.dll
[2010-07-14 21:59:52 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecutil.exe
[2010-07-14 21:59:52 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecapi.dll
[2010-07-14 21:59:52 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmRes.dll
[2010-07-14 21:59:52 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pwrshplugin.dll
[2010-07-14 21:59:46 | 000,252,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManMigrationPlugin.dll
[2010-07-14 21:59:46 | 000,246,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManHTTPConfig.exe
[2010-07-14 21:59:46 | 000,241,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrscmd.dll
[2010-07-14 21:59:46 | 000,214,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmWmiPl.dll
[2010-07-14 21:59:46 | 000,145,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmAuto.dll
[2010-07-12 22:57:06 | 000,000,000 | ---D | C] -- C:\Users\Administrator\.kde
[2010-07-12 16:32:41 | 000,000,000 | ---D | C] -- C:\Users\Public\Desktop\Gpg4win Documentation
[2010-07-12 16:32:25 | 000,000,000 | ---D | C] -- C:\ProgramData\GNU
[2010-07-11 19:06:47 | 000,000,000 | ---D | C] -- D:\Admin moved items\Desktop\sielogs
[2010-07-11 18:39:21 | 000,000,000 | ---D | C] -- C:\Users\Administrator\.splunk
[2010-07-10 00:50:28 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Database
[2010-07-09 23:49:45 | 000,000,000 | ---D | C] -- C:\Database
[2010-07-09 23:18:14 | 000,000,000 | ---D | C] -- C:\rsit
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010-07-31 09:56:20 | 000,695,092 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010-07-31 09:56:20 | 000,600,026 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010-07-31 09:56:20 | 000,102,704 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010-07-31 09:55:56 | 000,000,438 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{C95C2CEC-619C-4061-9B83-0B6FA4C8A8D2}.job
[2010-07-31 09:55:54 | 008,650,752 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT
[2010-07-31 09:52:59 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010-07-31 09:50:28 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010-07-31 09:50:28 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010-07-31 09:50:26 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010-07-31 09:50:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010-07-31 09:50:20 | 2144,854,016 | -HS- | M] () -- C:\hiberfil.sys
[2010-07-31 01:03:57 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010-07-31 01:03:53 | 000,524,288 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
[2010-07-31 01:03:53 | 000,065,536 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
[2010-07-31 01:03:49 | 003,428,556 | -H-- | M] () -- C:\Users\Administrator\AppData\Local\IconCache.db
[2010-07-30 23:52:05 | 258,129,664 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) -- C:\Windows\System32\drivers\rk_remover.sys
[2010-07-30 22:50:28 | 000,433,515 | ---- | M] () -- D:\Admin moved items\Desktop\catchme.zip
[2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmd.sys
[2010-07-30 14:23:28 | 001,667,960 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010-07-30 11:49:45 | 000,000,074 | ---- | M] () -- D:\Admin moved items\Desktop\[ubuntu] gdm problem- username, password dialog box missing - Ubuntu Forums.url
[2010-07-30 10:39:52 | 000,088,813 | ---- | M] () -- C:\wubildr
[2010-07-30 10:39:52 | 000,008,192 | ---- | M] () -- C:\wubildr.mbr
[2010-07-30 10:32:23 | 000,000,010 | RHS- | M] () -- C:\config.sys
[2010-07-30 01:35:50 | 000,000,000 | ---- | M] () -- C:\Windows\System32\UPW
[2010-07-29 23:46:39 | 000,206,848 | ---- | M] () -- C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-07-29 20:41:07 | 000,000,879 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010-07-29 20:40:46 | 000,000,723 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\NTREGOPT.lnk
[2010-07-29 20:40:46 | 000,000,704 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010-07-29 14:46:05 | 000,093,056 | ---- | M] () -- D:\Admin moved items\Desktop\dumped.sys
[2010-07-29 13:06:40 | 000,000,022 | ---- | M] () -- C:\Windows\S.dirmngr
[2010-07-29 12:33:40 | 000,000,259 | ---- | M] () -- C:\Windows\system.ini
[2010-07-29 12:33:31 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010-07-29 12:15:17 | 000,000,081 | ---- | M] () -- D:\Admin moved items\Desktop\Heavily infected.url
[2010-07-28 23:27:41 | 000,000,067 | ---- | M] () -- D:\Admin moved items\Desktop\Sysinternals Forums.url
[2010-07-28 23:27:37 | 000,000,103 | ---- | M] () -- D:\Admin moved items\Desktop\Malware and Spyware Cleaning Guide - Geeks to Go!.url
[2010-07-28 23:00:51 | 000,001,356 | ---- | M] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat
[2010-07-27 18:37:31 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-27 05:45:28 | 000,002,100 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010-07-27 05:45:28 | 000,002,030 | ---- | M] () -- D:\Admin moved items\Desktop\Google Chrome.lnk
[2010-07-22 00:35:56 | 000,703,352 | ---- | M] (Sysinternals - www.sysinternals.com) -- D:\Admin moved items\Desktop\autoruns.exe
[2010-07-12 16:32:41 | 000,001,782 | ---- | M] () -- C:\Users\Public\Desktop\Kleopatra.lnk
[2010-07-12 16:32:41 | 000,000,892 | ---- | M] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-11 18:40:25 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010-07-11 15:26:44 | 000,038,845 | ---- | M] () -- D:\Admin moved items\Documents\Babe.gif
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-07-30 22:50:28 | 000,433,515 | ---- | C] () -- D:\Admin moved items\Desktop\catchme.zip
[2010-07-30 21:31:56 | 2144,854,016 | -HS- | C] () -- C:\hiberfil.sys
[2010-07-30 11:49:45 | 000,000,074 | ---- | C] () -- D:\Admin moved items\Desktop\[ubuntu] gdm problem- username, password dialog box missing - Ubuntu Forums.url
[2010-07-30 10:39:52 | 000,088,813 | ---- | C] () -- C:\wubildr
[2010-07-30 10:39:52 | 000,008,192 | ---- | C] () -- C:\wubildr.mbr
[2010-07-30 01:35:50 | 000,000,000 | ---- | C] () -- C:\Windows\System32\UPW
[2010-07-29 20:41:07 | 000,000,879 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010-07-29 20:40:46 | 000,000,723 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\NTREGOPT.lnk
[2010-07-29 20:40:46 | 000,000,704 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010-07-29 14:46:05 | 000,093,056 | ---- | C] () -- D:\Admin moved items\Desktop\dumped.sys
[2010-07-29 12:18:04 | 000,000,022 | ---- | C] () -- C:\Windows\S.dirmngr
[2010-07-29 12:15:17 | 000,000,081 | ---- | C] () -- D:\Admin moved items\Desktop\Heavily infected.url
[2010-07-28 23:27:41 | 000,000,067 | ---- | C] () -- D:\Admin moved items\Desktop\Sysinternals Forums.url
[2010-07-28 23:27:37 | 000,000,103 | ---- | C] () -- D:\Admin moved items\Desktop\Malware and Spyware Cleaning Guide - Geeks to Go!.url
[2010-07-28 23:06:03 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010-07-28 23:06:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010-07-28 23:06:03 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010-07-28 23:06:03 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010-07-28 23:06:03 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010-07-27 18:37:31 | 000,001,052 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010-07-14 21:59:48 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2010-07-14 21:59:47 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2010-07-14 21:59:47 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2010-07-12 16:32:41 | 000,001,782 | ---- | C] () -- C:\Users\Public\Desktop\Kleopatra.lnk
[2010-07-12 16:32:41 | 000,000,892 | ---- | C] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-11 18:39:24 | 000,001,024 | ---- | C] () -- C:\.rnd
[2010-07-11 15:26:44 | 000,038,845 | ---- | C] () -- D:\Admin moved items\Documents\Babe.gif
[2010-05-27 18:24:24 | 000,023,040 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2009-12-27 21:55:33 | 000,122,880 | ---- | C] () -- C:\Windows\System32\trc.dll
[2009-12-27 21:55:14 | 000,118,784 | ---- | C] () -- C:\Windows\System32\mp3dec.dll
[2009-12-27 21:55:14 | 000,081,920 | ---- | C] () -- C:\Windows\System32\dsp_trc.dll
[2009-12-27 21:55:14 | 000,005,120 | ---- | C] () -- C:\Windows\System32\IcdSptSvps.dll
[2009-08-05 13:53:32 | 000,000,066 | ---- | C] () -- C:\Windows\Ahead DVD Copy.INI
[2009-01-25 23:10:48 | 000,179,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009-01-09 01:01:22 | 000,629,760 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008-11-11 21:48:37 | 000,008,192 | ---- | C] () -- C:\Windows\System32\gsimrxnp.dll
[2008-11-11 21:48:37 | 000,004,992 | ---- | C] () -- C:\Windows\System32\drivers\enport.sys
[2008-10-04 14:20:44 | 000,188,416 | ---- | C] () -- C:\Windows\System32\intelbth.dll
[2008-10-04 14:20:44 | 000,065,536 | ---- | C] () -- C:\Windows\System32\ICE_JNIRegistry.dll
[2008-08-15 22:02:32 | 000,003,972 | ---- | C] () -- C:\Windows\System32\drivers\PciBus.sys
[2008-08-06 22:18:13 | 001,777,664 | ---- | C] () -- C:\Windows\System32\zhp1600r.dll
[2008-08-06 22:18:13 | 000,749,568 | ---- | C] () -- C:\Windows\System32\agi1600.dll
[2008-08-04 18:24:43 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008-08-03 22:25:26 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2008-08-03 20:31:09 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2008-08-03 16:57:53 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008-08-03 16:57:53 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2008-08-03 14:43:17 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys
[2008-04-04 11:47:31 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2007-11-06 22:19:28 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2006-11-02 14:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006-11-02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2002-10-16 00:54:04 | 000,153,088 | ---- | C] () -- C:\Windows\System32\unrar.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 85 bytes -> D:\Admin moved items\Desktop\320excalibur20silver [].jpg:VsoSummaryInformation
< End of report >



I have gone over the log and tried to make a script, with comments as to why I chose something. Hope I got it (mostly) right. There appear to be a lot of old remnants of previous infections too. Please consider this as part of my open application to become a student. Thanks!

In the OTL tutorial it states that any lines can just be copy/pasted into the script and OTL will eat it. Does that hold true in this case? I think I have done it correctly though... In that case: hats off for the coding of the parser of the scripts! :)
Or do I need to remove the (for example) : "SRV - File not found [On_Demand | Stopped] --"

CODE

:Services
SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\NVNJ.exe -- (NVNJ) <--> since it is a SRV I thought about putting it in the :Services section but since the file cannot be found I thought it would be better to just remove the entry (but am not sure about this)
SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\FFAIVHOLLCTFAG.exe -- (FFAIVHOLLCTFAG) <--> since it is a SRV I thought about putting it in the :Services section but since the file cannot be found I thought it would be better to just remove the entry (but am not sure about this)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rootrepeal.sys -- (rootrepeal) <--> probably a leftover from rootrepeal crashing. Since it is a DRV entry I thought about putting it in the :Services section but since the file cannot be found I thought it would be better to just remove the entry
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) <--> Since I am not and will not be using IPX/Netware -> begone!! evil trash!, would not advise this to others
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) <--> Same as above, would not advise this to others
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\A5CF.tmp -- (MEMSWEEP2) <--> Probably a leftover from an earlier infection
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp) <--> Same story... no IPX/Netware, would not advise this to others
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\inspect.sys -- (Inspect) <--> From a previous install of Comodo
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\hitmanpro3.sys -- (hitmanpro3) <--> Have no clue what that is doing here ;-P
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys -- (catchme) <--> Ran it... so...
DRV - [2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rk_remover.sys -- (rk_remover-boot) <--> same as above
DRV - [2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\klmd.sys -- (klmd24) <--> Kaspersky's tool to scan/remove the rootkit
:OTL
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.) <--> This probably is not needed to fix the malware infection, but since it comes up with an error I thought it might be wise to remove the key and reinstall the latest version of Flashplayer. I must still also do so for java and adobe reader. And uninstall the old versions before that. I added this entry more so I know if I am using it correctly (i.e.: does :OTL section need to be before :Services, or does that not matter at all? I can imagine some keys not being deleted, or being re-added, if a certain malware process or service associated with that key is still running)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found <--> Yep... that might be the (a part of) culprit
O32 - AutoRun File - [2006-09-18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] <--> This just strikes me as odd. I do not recall autoexec being used when running Vista (or maybe I am confusing it with x64 now). But am not sure. I'd have to check if it is visible and what the contents are. If I needed that done remotely I'd command prompt: type c:\autoexec.bat >> c:\temp\autoexec.txt or something similar
O34 - HKLM BootExecute: (autocheck autochk *) - File not found <--> the "file not found" strikes me as a reference to a hidden file
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found <--> the "file not found" strikes me as a reference to a hidden file
***[2010-07-28 23:06:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe <--> Am very curious. I have not installed any registry editing software that I can remember, although stuff passes quickly, and a lot, on that system
***[2010-07-28 23:06:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe <--> Same as above, but then in terms of service control.
***[2010-07-28 23:06:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe <--> Same as above, but I'm starting to think these might be from Combofix or Erunt or related tools that haven't been cleaned up yet. I'd say I do not need to remove these in this script, but I do need to run Combofix in Uninstall mode, and run the cleanup from within this OTL script. If the OTL cleanup takes care of these, then the former is not necessary.
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] <--> These temp files are most certainly related to the malware/hidden IE process
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] <--> Same as above. Why this is mentioned 2 times in the log I would like to know/understand.
[2010-07-31 01:03:57 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat <--> this will, I'm guessing, be the so-called "bthport" registry key I cannot get into (parameters/keys) to delete.
[2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) -- C:\Windows\System32\drivers\rk_remover.sys
[2010-07-30 22:50:28 | 000,433,515 | ---- | M] () -- D:\Admin moved items\Desktop\catchme.zip
[2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmd.sys
[2010-07-29 13:06:40 | 000,000,022 | ---- | M] () -- C:\Windows\S.dirmngr <--> I am tempted to leave this file since it is part of GnuPG but I fear that somehow, around the same time I installed it, I got infected. I'd rather remove and reinstall. Same goes for the .rnd file on the root of c:\
[2010-07-28 23:00:51 | 000,001,356 | ---- | M] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat <--> Looking at the file, you would think that it is Direct3D related. But looking at the path, I'm gonna go for broke and say it's part of the infection. If possible I will upload to jotti and see what it says (if anything at all on .dat and .sys files, my impression on those isn't good with a lot of antivirus software atm). 99.9% sure it is infection related, would like to know how to move this one to a temporary location using OTL, while deleting the one in this location.
[2010-07-12 16:32:41 | 000,001,782 | ---- | M] () -- C:\Users\Public\Desktop\Kleopatra.lnk <--> If I am not mistaken this and the one below this line (gpa.lnk) are bad news. I have no idea where they came from.
[2010-07-12 16:32:41 | 000,000,892 | ---- | M] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-30 22:50:28 | 000,433,515 | ---- | C] () -- D:\Admin moved items\Desktop\catchme.zip <--> needs to be cleaned up (then needs to be in :Files section? )
[2010-07-29 14:46:05 | 000,093,056 | ---- | C] () -- D:\Admin moved items\Desktop\dumped.sys <--> needs to be cleaned up
[2010-07-28 23:06:03 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010-07-28 23:06:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010-07-28 23:06:03 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010-07-28 23:06:03 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010-07-28 23:06:03 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe <--> All of the above: definitely bad news and coincidentally also created at the same time as the three starred (***) items above. These are created 5 minutes after the d3d file has been "dropped" in the system (see above). From where and how I wonder... are they part of combofix? Naaaah..., right?
[2010-07-12 16:32:41 | 000,001,782 | ---- | C] () -- C:\Users\Public\Desktop\Kleopatra.lnk
[2010-07-12 16:32:41 | 000,000,892 | ---- | C] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-11 18:39:24 | 000,001,024 | ---- | C] () -- C:\.rnd
[2009-12-27 21:55:33 | 000,122,880 | ---- | C] () -- C:\Windows\System32\trc.dll <--> leftover from a previous infection I presume.
[2009-12-27 21:55:14 | 000,118,784 | ---- | C] () -- C:\Windows\System32\mp3dec.dll <--> leftover from a previous infection I presume.
[2009-12-27 21:55:14 | 000,081,920 | ---- | C] () -- C:\Windows\System32\dsp_trc.dll <--> leftover from a previous infection I presume.
[2009-12-27 21:55:14 | 000,005,120 | ---- | C] () -- C:\Windows\System32\IcdSptSvps.dll <--> leftover from a previous infection I presume.
[2008-10-04 14:20:44 | 000,188,416 | ---- | C] () -- C:\Windows\System32\intelbth.dll <--> These two on their own... I might have stayed insecure. But since these were created simultaneously in the past and.. well, google speaks for itself I think
[2008-10-04 14:20:44 | 000,065,536 | ---- | C] () -- C:\Windows\System32\ICE_JNIRegistry.dll <--> These two on their own... I might have stayed insecure. But since these were created simultaneously in the past and.. well, google speaks for itself I think
[2008-08-03 14:43:17 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys <--> unsure, only seems to pop up with malware infected stuff.
@Alternate Data Stream - 85 bytes -> D:\Admin moved items\Desktop\320excalibur20silver [].jpg:VsoSummaryInformation

:Commands
[EMPTYTEMP] <--> in this case, I feel it speaks for itself why I want to do this, even though I have deleted iexplore.exe to prevent the malware starting and hiding (within) that process, I know it's hiding in those temp and tmp locations, partly. I'm putting this upfront of the rest since it would seem prudent for malicious files and processes that are running or in temp locations to be gone before running the rest of the script, which might otherwise make it fail. Or... so it would seem to me.
[EMPTYFLASH] <--> don't know what got me infected and am not aware of any sites needing flash cookies in my case, so I'd rather dump them all once, for now
[purity]
[resethosts] <--> this system has had too many infections in the past as you can see. So just for good measure, and let a fresh install of spybot s&d fill it up again.
[CreateRestorePoint] <--> Will fail. I am, on principle, against System Restore points since I have seen them do more harm than good. But, for these purposes it should be there indeed.
[Reboot]

-----------------------------------------------------------------------------

Which would make the script I think I should use:

:Services
SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\NVNJ.exe -- (NVNJ) 
SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\FFAIVHOLLCTFAG.exe -- (FFAIVHOLLCTFAG) 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rootrepeal.sys -- (rootrepeal) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\A5CF.tmp -- (MEMSWEEP2) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\inspect.sys -- (Inspect) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\hitmanpro3.sys -- (hitmanpro3) 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys -- (catchme) 
DRV - [2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rk_remover.sys -- (rk_remover-boot) 
DRV - [2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\klmd.sys -- (klmd24) 
:OTL
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.) 
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found 
O32 - AutoRun File - [2006-09-18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] 
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found 
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found 
[2010-07-28 23:06:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe  
[2010-07-28 23:06:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe 
[2010-07-28 23:06:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] 
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] 
[2010-07-31 01:03:57 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat 
[2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) -- C:\Windows\System32\drivers\rk_remover.sys
[2010-07-30 22:50:28 | 000,433,515 | ---- | M] () -- D:\Admin moved items\Desktop\catchme.zip
[2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmd.sys
[2010-07-29 13:06:40 | 000,000,022 | ---- | M] () -- C:\Windows\S.dirmngr 
[2010-07-28 23:00:51 | 000,001,356 | ---- | M] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat 
[2010-07-12 16:32:41 | 000,001,782 | ---- | M] () -- C:\Users\Public\Desktop\Kleopatra.lnk 
[2010-07-12 16:32:41 | 000,000,892 | ---- | M] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-30 22:50:28 | 000,433,515 | ---- | C] () -- D:\Admin moved items\Desktop\catchme.zip 
[2010-07-29 14:46:05 | 000,093,056 | ---- | C] () -- D:\Admin moved items\Desktop\dumped.sys
[2010-07-28 23:06:03 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010-07-28 23:06:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010-07-28 23:06:03 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010-07-28 23:06:03 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010-07-28 23:06:03 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe 
[2010-07-12 16:32:41 | 000,001,782 | ---- | C] () -- C:\Users\Public\Desktop\Kleopatra.lnk
[2010-07-12 16:32:41 | 000,000,892 | ---- | C] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-11 18:39:24 | 000,001,024 | ---- | C] () -- C:\.rnd
[2009-12-27 21:55:33 | 000,122,880 | ---- | C] () -- C:\Windows\System32\trc.dll 
[2009-12-27 21:55:14 | 000,118,784 | ---- | C] () -- C:\Windows\System32\mp3dec.dll 
[2009-12-27 21:55:14 | 000,081,920 | ---- | C] () -- C:\Windows\System32\dsp_trc.dll
[2009-12-27 21:55:14 | 000,005,120 | ---- | C] () -- C:\Windows\System32\IcdSptSvps.dll
[2008-10-04 14:20:44 | 000,188,416 | ---- | C] () -- C:\Windows\System32\intelbth.dll
[2008-10-04 14:20:44 | 000,065,536 | ---- | C] () -- C:\Windows\System32\ICE_JNIRegistry.dll
[2008-08-03 14:43:17 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys
@Alternate Data Stream - 85 bytes -> D:\Admin moved items\Desktop\320excalibur20silver [].jpg:VsoSummaryInformation
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158305b34e]
"0015a8996ce9"=hex:0c,82,8e,e9,2f,63,d2,05,78,12,f3,b4,4b,16,b3,d7
"000d18a0084f"=hex:fd,18,70,9a,fa,3e,ea,e7,4e,16,43,ad,6d,28,4f,98
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158305b34e]
"0015a8996ce9"=hex:0c,82,8e,e9,2f,63,d2,05,78,12,f3,b4,4b,16,b3,d7
"000d18a0084f"=hex:fd,18,70,9a,fa,3e,ea,e7,4e,16,43,ad,6d,28,4f,98
:Commands
[EMPTYTEMP]
[EMPTYFLASH]
[purity]
[resethosts] 
[CreateRestorePoint]
[Reboot]

Another funny thing:
http://virusscan.jot...16ac5a035a41598
That one is an iexplore.exe file which is 624kb on disk BUT has its embedded IE icon missing.

http://virusscan.jot...25daeed8fc06a6a
And that one is ALSO 624kb on disk BUT has its IE icon like it should.

They definitely differ: check md5 etc.
One is seen as having malware (albeit old malware) and one is seen as clean, which it is.

However, when placed in the Internet Explorer directory they BOTH fulfill the function of IE8. So either one has a call to IE8 after replacing it and is 624kb full of malware and just routes traffic through it, OR it IS the original IE process but has a very small bit of code replaced by something else which is in contact with a hidden driver or service/process (of which (processes) there are A LOT running (hidden, do NOT show up in GMER)). I need to verify that btw, am cleaning up the system a bit so logs read cleaner. Then I'll verify. But as far as I can tell, these processes do exist but they do not show up in GMER or Catchme.

----- Some time went by, again.

Now scanning the system with DrWeb with windows in normal mode. Removed a lot of software from the system, including MSSE, want to try out MSSE 2 beta, it is supposed to have a far better detection rate on rootkits etc.
Anyway, system is cleaner now, so the logs will read easier too. I updated flash, java and reader. Am curious to see if the flash key error is gone.

I ran the script I made BTW, all went fine as I recall. Have to check if the log is still stored somewhere. Only thing that errored out were the reg-keys and the "file not found" items, I deleted those manually. The reg-keys, of course :) , came back during next boot. Will post new logs asap. Any ideas are welcome though. Am trying out several scanners, sophos in particular later on, since it appears to recognize at least some part of some infection as you can see from the jotti results.

The massive amounts of hidden processes are indeed NOT shown by GMER but are shown by even the basic scan from AVZ (Kaspersky AVZ stand-alone tool version 4.3.4, if I am not mistaken, am not at the machine itself atm). The programmers amongst us, like OldTimer, WILL be able to make sense of the logs from this infection.

Since my post in this topic: http://www.geekstogo...s/page__st__120 was removed for some reason, and I strongly do believe we have the same infection, which does NOT seem to be solvable by anyone ATM, I'd like to ask the more experienced troubleshooters here if it might make a difference, if it is not an MBR rootkit, to attach a debugger to the system in some way so we can catch calls during boot. If so, how? Just use DBGView on boot?

--- Ah, found something which might be of use for the ones interested among us: http://www.kernelmod...0&start=10#p248

Read this: http://blogs.technet...was-sality.aspx and know... a LOT more infections will show up soon.

EDIT 04-08-2010 @ 21:05
Suspected infection: Black Internet Bootkit

Edited by HiddenIE, 04 August 2010 - 01:06 PM.

  • 0
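The reasoning in the annotated script above (several files created in the very same second, with the poster wondering whether they belong to a cleanup tool or to the infection) is exactly the kind of check that is tedious to do by eye on a long OTL log. Below is an added example, not code from the post or from OTL, that parses OTL "Files Created/Modified" entries and groups them by exact timestamp so that such same-second clusters stand out. The sample log is a constructed excerpt of lines taken from this thread; the function and field names are my own. Note that a cluster only tells you the files were written together, not whether they are malicious: an installer or a cleanup tool (as the poster suspects here for the C:\Windows tools) produces the same pattern as a dropper, so the cluster is a lead to verify against hashes and vendor information, not a verdict.

```python
"""Parse OTL 'Files Created/Modified' lines and find files written in the same second.

Added example; the regex follows the OTL line layout seen in the log above:
  [YYYY-MM-DD HH:MM:SS | size,with,commas | attr flags | C or M] (Company) -- path
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class OtlFileEntry:
    timestamp: datetime
    size: int        # bytes, commas removed
    attrs: str       # e.g. "-HS-" (hidden, system)
    kind: str        # "C" = created section, "M" = modified section
    company: str     # empty when OTL printed "()" (no version-info company)
    path: str


def parse_otl_line(line: str):
    """Return an OtlFileEntry for a file line, or None for headers and other lines."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    return OtlFileEntry(
        timestamp=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"],
        path=m["path"],
    )


def parse_otl_log(text: str):
    """Parse a whole OTL log, silently skipping non-file lines."""
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e]


def same_second_clusters(entries, min_files=3, kind="C"):
    """Group entries of one kind by exact timestamp; keep groups of >= min_files paths."""
    by_ts = defaultdict(list)
    for e in entries:
        if e.kind == kind:
            by_ts[e.timestamp].append(e.path)
    return {ts: sorted(paths) for ts, paths in by_ts.items() if len(paths) >= min_files}


def format_report(clusters):
    """Human-readable summary, one cluster per block, oldest first."""
    lines = []
    for ts in sorted(clusters):
        lines.append(f"{ts}  ({len(clusters[ts])} files created in the same second)")
        lines.extend(f"    {p}" for p in clusters[ts])
    return "\n".join(lines) if lines else "no clusters found"


# Constructed sample: an excerpt of the OTL lines quoted in this thread.
SAMPLE_OTL_LOG = r"""
========== Files Created - No Company Name ==========

[2010-07-30 22:50:28 | 000,433,515 | ---- | C] () -- D:\Admin moved items\Desktop\catchme.zip
[2010-07-29 14:46:05 | 000,093,056 | ---- | C] () -- D:\Admin moved items\Desktop\dumped.sys
[2010-07-28 23:06:03 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010-07-28 23:06:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010-07-28 23:06:03 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010-07-28 23:06:03 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010-07-28 23:06:03 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010-07-28 23:06:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010-07-28 23:06:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010-07-28 23:06:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmd.sys
[2008-10-04 14:20:44 | 000,188,416 | ---- | C] () -- C:\Windows\System32\intelbth.dll
[2008-10-04 14:20:44 | 000,065,536 | ---- | C] () -- C:\Windows\System32\ICE_JNIRegistry.dll
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
< End of report >
"""

if __name__ == "__main__":
    entries = parse_otl_log(SAMPLE_OTL_LOG)
    print(format_report(same_second_clusters(entries)))
```

Run it as-is to see the eight C:\Windows files from 2010-07-28 23:06:03 reported as one cluster; lower min_files to 2 and the intelbth.dll / ICE_JNIRegistry.dll pair from 2008 shows up as well. Feeding it a full OTL log (read the file and pass the text to parse_otl_log) works the same way, since non-file lines are skipped.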
