[maezhou]

I don't think that's happening.

[Advertisements]

Nothing's happened so far.

[maezhou]

Nothing's happened so far.

[Essexboy]

OK try the other programme now.

At this stage it may be advisable to back up all your important data and be prepared for a reinstall

[maezhou]

I don't think i'm up for that. Any other possible solution where there's no need to reinstall applications/files?

[Essexboy]

There is a repair install option - but if you are game we will try to fix it

[maezhou]

I don't have hard drive with me right now (i'm at work) where I can store my files for back-up. I'll do it once I got back home.

If ever, will it affect applications? Or files and documents only? Files and documents are fine. It's the applications i'm worried about.
I have a VPN connected for work, which I'm afraid will be the most problematic if it will be reinstalled.

[Essexboy]

Applications will need to be re-installed but files and documents will be safe

But lets see what rootkit revealer finds first

[maezhou]

OK. Thanks. I'll get back once I've stored my files to the external hard drive.

[maezhou]

Hi Essexboy, just an update, I was just able to start copying files to external hard drive this morning. I have tons of files on my machine. It says copying will be done in 4 hours! So I just leave it at home doing the file transfers.

[Essexboy]

Good it is always usefull to have a backup in case something untoward occurs

Once done we shall see what rootkit revealer finds

[maezhou]

Thing is I will be out of town from tomorrow until this weekend. I can't be able to bring my laptop with me. I will be back Monday. So do I have to PM you to reactivate this?

[Essexboy]

Only if I inadvertently close it, but I shouldn't unless I have a senior moment

[maezhou]

Hi there, i'm back. Hopefully, will be able to fix this. Keeping my fingers crossed. I'm going to run rookitrevealer in a short while.

[maezhou]

RookitReveler was not able to complete scanning. It encountered an error on CMD.EXE -- not sure if it's CMD.EXE though. I thought I was able to take a screenshot of the error message, but turned out that I was not able to. And I was not able to take note of the error message.

Should I do it again?

Anyways, here's the TXT report:

HKU\S-1-5-21-2528014064-590018410-3601204245-1000\console_combofixbackup 10/22/2011 2:29 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN 3/25/2011 11:51 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMapping 3/25/2011 11:51 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client 11/2/2006 5:54 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener 11/2/2006 5:54 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin 3/25/2011 11:51 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service 11/2/2006 5:54 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS 10/15/2008 1:36 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS\CustomRemoteShell 10/15/2008 1:36 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009 11/2/2006 3:33 AM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C041448-C69A-4D8B-A774-4F3948997407}\DynamicInfo 11/1/2011 7:25 PM 28 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Swearware\backup\winsock2 10/23/2011 3:46 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 10/23/2011 3:46 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 10/23/2011 3:46 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 10/23/2011 3:46 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 10/23/2011 3:46 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 10/23/2011 3:46 PM 0 bytes Security mismatch.

Edited by maezhou, 01 November 2011 - 10:04 PM.

[Essexboy]

This is being a bit of a cuss - OK could you run me a fresh OTL scan please ensuring all users is selected. There will be just one log this time